The federal stimulus package, officially known as the American Recovery and Reinvestment Act of 2009, has been widely discussed for its provisions relating to the promotion of health information technology. What has been less widely reported, however, is that the bill's Health Information Technology for Economic and Clinical Health Act (HITECH Act) also contains provisions that would significantly expand the reach of the Health Information Portability and Accountability Act of 1996 (HIPAA). These provisions will have significant impact on the policies and procedures used by healthcare providers, health plans and their business associates that create or receive Protected Health Information (PHI). While the final language of the bill has not yet been made available, congressional leaders reportedly are planning to vote on the legislation on Friday so it can be sent to President Obama for his signature by President's Day, Monday, Feb. 16, 2009.

Some of the substantial changes to HIPAA under the HITECH Act contained in the versions passed by the House of Representatives and the Senate include:

  • Heightened Enforcement and Increased Penalties. Under the proposed law, failure to comply with HIPAA due to willful neglect will result in mandatory penalties. A tiered system would additionally provide for varying increased civil monetary penalties, based on whether the violation was made without knowledge, due to reasonable cause, or due to willful neglect. Penalties for violations based on a lack of knowledge (only where a person exercising reasonable diligence would not have known of the violation) will start at $100 per violation; penalties for violations due to reasonable cause will start at $1,000 per violation; and penalties for violations due to willful neglect will start at $10,000 per violation (for violations that are corrected) or $50,000 (for violations that are not corrected).

The proposed law would also create a private cause of action for non-compliance, which could be brought by state attorneys general on behalf of affected patients. Courts would gain the ability to award costs and attorneys' fees in successfully prosecuted cases. These expanded enforcement provisions would apply to all violations occurring after the law's date of enactment.

  • Extension of Security Provisions to Business Associates. Under the proposed law, business associates would be required to implement policies that establish administrative safeguards (such as security policies and training), physical safeguards (such as locks and building security systems), and technical safeguards (such as computer encryption, log-in IDs, and automatic log-off). Business associates would additionally be subject to direct penalties for violations of the security provisions.

The bill also requires that its new security provisions be incorporated into existing business associate agreements. The Secretary of Health and Human Services will issue guidance on the appropriate safeguards annually.

  • New Security Breach Notification Requirements. The bill expands federal security breach law to mirror protections that many states have passed in recent years. The bill requires the notification of patients of any unauthorized access, acquisition, or disclosure of their "Unsecured PHI" that compromises not only the patient's privacy and security, but also the integrity of the information. The act specifies both acceptable methods of notice and information that must appear in the notification to the patient. The Secretary of Health and Human Services will define "Unsecured PHI" within 60 days of the law's enactment; if such guidance is not provided, the default definition of "protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute" will apply.

If a breach affects 500 patients or more, it must be reported to the Secretary of Health and Human Services, who, in turn, will post the name of the provider or insurer on its public website. Finally, the law would require that breaches affecting 500 patients or more who reside in the same area be reported to local media.

Business associates would be required to provide notice of a breach to the provider or health plan with whom they are associated, including the identity of the patient whose PHI was accessed, acquired or disclosed.

Additionally, vendors that provide or maintain "Personal Health Records" ("electronic records of individually identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual") would be required to notify both the affected patients and the Federal Trade Commission of any breach arising from their products or services.

Notification requirements under the new provision will be triggered not only by actual knowledge of a breach, but also by the reasonable belief that a breach has occurred. The notification laws will apply to security breaches discovered 30 days after the Secretary of Health and Human Services promulgates interim final regulations on the subject. Those interim final regulations will be promulgated within 180 days of the law's enactment.

  • HIPAA Preemption Would Apply to New Provisions. Both the House and Senate bills specify that the preemption statute that currently applies to HIPAA will extend to the new privacy provisions as well. Under the current preemption standard, HIPAA acts as a floor, preempting only those state laws that require less stringent privacy protections. As a result, providers and health plans would still need to comply with state security breach laws to the extent that they exceed the new security breach notification provisions of the bill.

  • Sale of Electronic PHI Prohibited. With limited exceptions, the House and Senate bills prohibit the receipt of direct or indirect remuneration (anything of value) in exchange for any PHI, including PHI held in electronic health records, unless the patient has authorized the sale.

Because the patient must specifically authorize each sale of the PHI and each resale by an authorized purchaser, obtaining and maintaining the required authorization will be difficult.

  • Patient's Right to Restrict Access to PHI. The law will require the restriction of access to a patient's PHI upon that patient's request, as long as certain requirements are met. Under the current version of HIPAA, patients are entitled to request such restriction of records, but compliance with the patient's request is not required.

Implementation of this change will certainly be difficult, due to the complex administrative task of monitoring such requests.

  • Patient's Right to Accounting by Entities Utilizing Electronic Health Records. Under the proposed law, patients would have the right to receive an accounting of disclosures of their PHI dating back three years from the request, if an entity uses electronic health records. This would include disclosures made for the purpose of carrying out treatment, payment, and healthcare operations. Currently, HIPAA grants a patient the right to receive an accounting of PHI disclosures made only within the six years preceding the request, but excludes from such requirement all disclosures made for the purpose of carrying out treatment, payment, and healthcare operations.

The House bill would make this provision effective for disclosures made on or after Jan. 1, 2014, by entities that currently have an EHR system in place. The effective date for entities that do not currently have an EHR system in place is Jan. 1, 2011. The Senate bill would allow extension of those effective dates, if necessary.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.