Client Alert
Action Required: HIPAA Security Breach Notification Rules Effective September 23, 2009, Additional HITECH Act Provisions Effective Early Next Year
September 23, 2009
The American Recovery and Reinvestment Act of 2009 (“ARRA”) made significant changes to the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) through incorporation of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). The changes to HIPAA impact both covered entities and business associates. Among these changes, covered entities and business associates are now required to provide notification if unsecured protected health information (“PHI”) has been breached. Most provisions of the HITECH Act will be effective one year after the date of ARRA's enactment (February 17, 2010); however, the Department of Health and Human Services (“HHS”) has issued interim final rules on HIPAA’s new security breach notification requirement. These rules were published on August 24, 2009, and thus are effective September 23, 2009, 30 days after the date of publication in the Federal Register.
SUMMARY OF HITECH ACT CHANGES
The HIPAA privacy rules generally prohibit the disclosure of individually identifiable PHI by a covered entity (i.e., health plans, health care providers and health care clearinghouses) unless authorized by the individual or to the minimum extent necessary for treatment, payment or health care operations. Entities which are not covered entities but which provide services to covered entities, such as legal, financial, accounting, and IT services, are considered to be business associates, and have not been directly subject to HIPAA's privacy and security provisions. However, they have been required to sign business associate agreements in which they contractually agree to maintain the privacy and security of PHI.
Business Associates Subject to Security and Privacy Requirements. Changes made by the HITECH Act expand the scope and application of HIPAA. Effective February 17, 2010, the privacy and security requirements will apply directly to business associates. For example, to comply with the privacy rule, business associates will have to develop written policies and procedures and train their workforce on how to protect PHI. Compliance with the HIPAA security requirements will require appointment of a security officer and adoption of security policies and procedures. Covered entities and business associates are also required to update their business associate agreements as needed to comply with the provisions of the ARRA. In addition, the definition of business associates is expanded to include organizations that provide data transmission of PHI to covered entities and vendors that contract with covered entities to offer a personal health record to patients.
Breach Notification Requirement. Covered entities and business associates are required to notify affected individuals if there is an unauthorized disclosure of unsecured PHI. PHI is considered “unsecured” unless it is encrypted or destroyed through the use of methodologies specifically approved by HHS. In addition to the notification of affected individuals of the unauthorized disclosure of PHI, the covered entity must maintain a log of the disclosures which is submitted annually to HHS. If the disclosure involves 500 or more individuals, HHS must be notified immediately, and notice must be provided to prominent media outlets in the area (in the form of a press release). Media notification may also be required if the covered entity does not have current contact information for ten or more individuals affected by the disclosure. The notification requirement is effective September 23, 2009, but HHS has stated that it will not impose sanctions for failing to provide the required notification for breaches discovered before February 22, 2010.
Changes to “Minimum Necessary” Requirement. Current rules allow disclosure of PHI for treatment, payment or health care operations only to the minimum extent necessary to accomplish the intended purpose. HHS is expected to issue regulations by August 17, 2010, to define what is considered “minimum necessary.” Interim rules have been issued which specify certain information that may not be disclosed under the “minimum necessary” standard, including name, address and Social Security Number.
Expanded Privacy Rights for Individuals. The HITECH Act expanded the privacy rights of individuals with respect to their own PHI, including the following:
- Restrictions on disclosure – Covered entities must agree to an individual’s request not to disclose PHI to a health plan for payment or health care operations if the individual has paid out of pocket for the service.
- Access to electronic health records – An individual may obtain access to their PHI contained in an electronic health record, and may direct the covered entity to send a copy of their electronic health record to a third party.
- Accounting of electronic health records – Covered entities that use or maintain an electronic health record must provide an accounting of disclosures of electronic health records for treatment, payment and health care operations during the three-year period preceding the request of an individual.
For electronic health records acquired as of January 1, 2009, these expanded privacy rights are effective January 1, 2014. For electronic health records acquired after January 1, 2009, the rights are effective January 1, 2011.
Prohibition on Sale of PHI. The HITECH Act prohibits a covered entity or business associate from receiving direct or indirect payment in exchange for the PHI of any individual without a valid authorization from the individual, subject to certain exceptions (e.g., public health activities, research, treatment of the individual, etc.).
New Enforcement Provisions. The HITECH Act significantly increases the penalties for failure to comply with the privacy and security rules, creating a tiered penalty system ranging from $100 per violation to $50,000 per violation, depending upon the nature and extent of the violation. A state attorney general may take action in federal district court to enjoin a violation and obtain damages. Penalties may be shared with those individuals who are harmed by a violation.
COMPLIANCE WITH THE HITECH ACT CHANGES
In order to comply with the provisions of the HITECH Act, you should take the following actions:
- Amend business associate agreements to address the new privacy and security obligations.
- Determine if your group health plan utilizes organizations that provide data transmission of PHI or vendors who allow the health plan to offer personal health records and enter into business associate agreements with such parties.
- Secure PHI in accordance with HHS guidelines so that the breach notification requirements will not apply.
- Amend HIPAA policies and procedures to address how to secure PHI and handle breaches of unsecured PHI, the new minimum necessary requirements, changes to individual privacy rights, the general prohibition on sale of PHI and restrictions on marketing and fundraising activities, and new enforcement provisions.
- Revise the plan’s privacy notice to explain the new policies and procedures.
- Revise forms utilized by individuals to exercise their privacy rights, to address restrictions on certain disclosures, to access electronic health records, and to request an accounting of disclosures through electronic health records.
- Amend your group health plan to address the changes required by the HITECH Act.
- Train staff on new HITECH requirements.
COMPLIANCE ASSISTANCE
We have prepared HIPAA Policies and Procedures, a sample Business Associate Agreement, and other documents that reflect the changes made by the ARRA with respect to the expanded privacy rights and the new notification requirements when a security breach affects PHI. We have developed these documents to assist you in complying with the new HIPAA and HITECH Act requirements.
If you have questions regarding these recent developments, please contact Elisa A. Cawood or James E. Daniel, the principal authors of the alert. You may also contact the Womble Carlyle attorney with whom you usually work, or one of our Employee Benefits attorneys.
Womble Carlyle Sandridge & Rice Employee Benefits Lawyers
Womble Carlyle client alerts are intended to provide general information about significant legal developments and should not be construed as legal advice on any specific facts and circumstances, nor should they be construed as advertisements for legal services.
IRS CIRCULAR 230 NOTICE: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice within this client alert is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in a client alert.
