American Recovery and Reinvestment Act: Overview of Modifications to the HIPAA Privacy and Security Regulations

Stimulus Update - HIPAA

This alert provides a brief overview of the privacy and security provisions of the American Recovery and Reinvestment Act of 2009 (H.R. 1, S. 1) (the "Stimulus"). The Stimulus also includes funding for health information technology ("HIT") and for comparative effectiveness research; those provisions will be the subject of future alerts, as will analysis and risk management suggestions related to the changes outlined below.

The Stimulus also expands enforcement and the scope of businesses covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security regulations.  The expanded privacy and security provisions contained within the Stimulus are expected to have a “significant impact” on a wide range of organizations that deal with, retain, use, and/or create protected health information.  The privacy and security provisions are outlined in Table 1.

Table 1 Subtitle D – Privacy, Part I – Improved Privacy Provisions and Security Provisions

Sec. 13400 – Definitions

Sec. 13401 – Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions

Sec. 13402 – Notification in the case of breach

Sec. 13403 – Education on health information technology privacy

Sec. 13404 – Application of privacy provisions and penalties to business associates of covered entities

Sec. 13405 – Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format

Sec. 13406 – Conditions on certain contracts as part of health care operations

Sec. 13407 – Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities

Sec. 13408 – Business associate contracts required for certain entities

Sec. 13409 – Clarification of application of wrongful disclosures criminal penalties

Sec. 13410 – Improved enforcement

Sec. 13411 – Audit

Expanded Definition of
Business Associate

The legislation extends the main provisions of the HIPAA Security Rule to business associates (Section 13401(a)) and makes business associates subject to the same civil and criminal penalties as covered entities for violations of the Security and Privacy Rules (Sections 13401(b) and 13404(c)). The legislation also requires the Secretary of HHS to conduct periodic audits of covered entities and business associates to ensure compliance (Section 13411).

The legislation also expands the scope of entities treated as business associates to include organizations that provide data transmission of protected health information to a covered entity and require access to that information on a routine basis (the statute gives health information exchanges, regional health information organizations and e-prescribing gateways as examples), as well as vendors that contract with a covered entity to offer personal health records (PHRs) to patients as part of the covered entity's electronic health record (Section 13408). Section 13408 became effective on enactment of the Stimulus. Vendors of personal health records (see, e.g., http://www.google.com/intl/en-US/health/about/), entities that offer products or services through the website of a PHR vendor, entities that access or send information in a personal health record, and third-party service providers of those entities are not made HIPAA covered entities; instead, the Secretary, in consultation with the Federal Trade Commission, must study and report to Congress on the privacy and security requirements that should apply to these non-HIPAA covered entities (Section 13424(b)(1)). In the interim they are subject to the temporary breach notification requirement of Section 13407, discussed below.

Security Breach
Notification Requirement

The Stimulus includes a security breach notification requirement similar in form and effect to the laws passed by most states, including California. Section 13400 defines a breach as "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information." The definition excludes situations where:

  • the unauthorized person to whom the information was disclosed would not reasonably have been able to retain it; or
  • the acquisition or disclosure was unintentional or inadvertent, was made in good faith by or among persons acting under the authority of a covered entity or business associate, and the information is not further acquired, accessed, used, or disclosed without proper authorization.

Prior to this legislation, and absent an applicable state law, a covered entity was not required to notify individuals of a privacy or security breach unless it determined that notification was necessary to mitigate harm to the individual. The Stimulus requires a covered entity to notify affected individuals, and the Secretary of the Department of Health and Human Services (HHS), of breaches of "unsecured protected health information"; a business associate that discovers a breach must notify the covered entity. Breaches involving 500 or more individuals must be reported to the Secretary immediately, while smaller breaches may be logged and reported annually. If a breach affects more than 500 residents of a state or jurisdiction, notice must also be given to prominent media outlets serving that state or jurisdiction, and the Secretary must post the name of the covered entity on the HHS website.

"Unsecured protected health information" is defined in Section 13402(h)(1)(A) as protected health information (PHI) that is not secured through the use of a technology or methodology specified by the Secretary of HHS. The Secretary is required to issue, and annually update, guidance specifying technologies and methodologies that render PHI "unusable, unreadable, or indecipherable to unauthorized individuals" (Section 13402(h)(2)). If the Secretary does not issue this guidance within 60 days of enactment, PHI is treated as unsecured unless it is protected by a technology standard developed or endorsed by a standards developing organization accredited by the American National Standards Institute (Section 13402(h)(1)(B)). The practical consequence is that a breach of PHI secured in accordance with the guidance falls outside the notification requirement, which gives covered entities and business associates a strong incentive to adopt the specified methods for PHI at rest and in transit.

The Secretary must promulgate interim final regulations within 180 days of enactment of the Stimulus (enacted February 17, 2009). The breach notification requirements of Section 13402 apply to breaches discovered on or after the date that is 30 days after publication of the interim final regulations (Section 13402(j)). The parallel breach notification requirements of Section 13407, which apply to vendors of personal health records and related entities and are enforced by the Federal Trade Commission, likewise apply to breaches discovered on or after the date that is 30 days after publication of that agency's interim final regulations (Section 13407(g)(1)).

Table 2 (below) summarizes other key changes with which covered entities, and now business associates, must comply under the revised HIPAA Privacy Regulations. Unless otherwise specified, the provisions of Subtitle D, Part I of the Stimulus, entitled "Improved Privacy Provisions and Security Provisions", become effective 12 months after enactment (Section 13423).

Table 2 Modifications to the HIPAA Privacy Regulations

Requirement: Right of Individual to Limit Access to PHI
  Prior to the Stimulus: An individual had the right to request that the covered entity restrict certain disclosures of PHI, but the covered entity was not required to agree to the restriction.
  After the Stimulus: A covered entity must comply with an individual's request to restrict disclosure of PHI to a health plan for purposes of payment or health care operations (not treatment) where the PHI pertains to an item or service for which the health care provider has been paid out of pocket in full.
  Relevant Cite: Section 13405(a)

Requirement: Minimum Necessary Standard
  Prior to the Stimulus: The HIPAA Privacy Rule required covered entities to apply a minimum necessary standard to uses and disclosures of, and requests for, PHI.
  After the Stimulus: The Stimulus requires the Secretary to issue guidance on what constitutes "minimum necessary" within 18 months after enactment. Until that guidance is issued, a covered entity meets the standard only if it limits PHI, to the extent practicable, to a limited data set or, if needed, to the minimum necessary. Provisions of this section apply six months after the date of the promulgation of final regulations.
  Relevant Cite: Section 13405(b)

Requirement: Accounting Requirement
  Prior to the Stimulus: The HIPAA Privacy Rule's accounting requirement did not include PHI disclosures for treatment, payment and health care operations purposes.
  After the Stimulus: If a covered entity uses or maintains an electronic health record (EHR), an individual has the right to receive an accounting of disclosures made through the EHR, including disclosures for treatment, payment and health care operations, during the three years prior to the date of the request. A "reasonable fee" not greater than the entity's labor costs in responding to the request may be charged. This requirement is effective January 1, 2014 for covered entities that acquired an EHR as of January 1, 2009. For covered entities acquiring an EHR after January 1, 2009, the requirement is effective on the later of January 1, 2011 or the date the EHR is acquired.
  Relevant Cite: Section 13405(c)

Requirement: Individual Access to PHI in Electronic Form
  Prior to the Stimulus: Not applicable.
  After the Stimulus: Covered entities that use or maintain an EHR must, on request, provide the individual with a copy of his or her PHI in electronic format.
  Relevant Cite: Section 13405(e)(1)

Clarification of
Penalties under the HIPAA Privacy and Security Regulations

Section 13410 of the Stimulus provides for tiered civil monetary penalties (CMPs) that rise with the level of culpability, up to a maximum of $1,500,000 per calendar year for violations of an identical requirement. The Stimulus also authorizes state attorneys general to enforce HIPAA. The tiered penalties and expanded enforcement provisions apply to violations occurring after the enactment of the Stimulus.

A wrongful disclosure under HIPAA (as clarified by the Stimulus) occurs when a person, including an employee or other individual, obtains or discloses individually identifiable health information maintained by a covered entity without authorization (Section 13409). The Stimulus requires that any civil monetary penalty or monetary settlement collected for a Privacy or Security Rule violation be transferred to the Office for Civil Rights to be used for enforcement of the HIPAA Privacy and Security Rules, and directs the Secretary to establish by regulation a methodology under which individuals harmed by a violation may receive a percentage of the amount collected (Section 13410(c)).

Table 3 Tiered Civil Monetary Penalties (Section 13410(d))

Standard of Culpability | Penalty | Maximum Penalty
Did not know of the violation and, by exercising reasonable diligence, would not have known of the violation; violation corrected | Corrective action without penalty | No penalty; however, subject to the discretion of the Secretary
Unknowing violation | At least $100 per violation | Not to exceed $25,000 in a calendar year
Violation due to reasonable cause, not willful neglect | At least $1,000 per violation | Not to exceed $100,000 in a calendar year
Violation due to willful neglect, corrected within 30 days | At least $10,000 per violation | Not to exceed $250,000 in a calendar year
Violation due to willful neglect, not corrected within 30 days of the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred | At least $50,000 per violation | Not to exceed $1,500,000 in a calendar year

The penalty amount is calculated by multiplying the per-violation penalty by the number of violations of an identical requirement or prohibition in a calendar year; however, the total for that requirement may not exceed the applicable maximum penalty (Section 13410(d)(1)-(2)). Because the caps apply per identical requirement, an entity that violates several distinct requirements may face a cumulative exposure above $1,500,000 in a single year.

State attorneys general now have the authority to bring suit in federal district court, on behalf of state residents, against any person violating the rules, in order to enjoin further violations or to obtain damages on behalf of those residents (Section 13410(e)). Statutory damages are limited to $100 per violation, not to exceed $25,000 in a calendar year for violations of an identical requirement (Section 13410(e)(1)). The court may award attorney fees to the state, and the Secretary has the right to intervene in such actions.
