The American Recovery And Reinvestment Act Of 2009: Health Information Privacy And Security Provisions - Here We Go Again
On February 17, 2009, President Obama signed into law The American Recovery and Reinvestment Act of 2009 (the "Stimulus Act" or the "Act"), which will address the nation's economic uncertainties through various tax breaks and infrastructure investment projects. The Act includes almost $20 billion for the development of a nationwide health information technology ("HIT") infrastructure intended to, among other things, advance the adoption of electronic medical records, improve health care quality, reduce medical errors and improve care coordination.
The Stimulus Act also includes numerous provisions which modify and expand the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), including requiring HIPAA-covered entities, business associates and other previously unregulated entities to modify their health information privacy and security policies, procedures and practices.
Health Information Technology for Economic and Clinical Health Act
Title XIII of the Stimulus Act, also known as the "Health Information Technology for Economic and Clinical Health Act" or the "HITECH Act", addresses the promotion of HIT. Subtitle D of the HITECH Act expands the HIPAA Privacy Rule and Security Rule and includes other provisions which will require attention by health care organizations and other entities not previously impacted by HIPAA.
Highlights of the HITECH Act
Significant changes to be implemented by the Act include the following:
- Direct application of key Security Rule and Privacy Rule obligations to business associates and an expanded definition of persons and entities considered to be business associates
- Requiring covered entities and personal health record ("PHR") vendors to notify affected individuals and federal regulatory entities of security breaches involving an individual's "unsecured" protected health information ("PHI") or PHR identifiable health information, respectively
- Modifying and expanding the scope of the Privacy Rule (e.g., narrowing the scope of permitted marketing activities without individual authorization, modifying the minimum necessary rule, requiring a covered entity to agree to disclosure restriction requests, reviewing the definition of health care operation activities, expanding the scope of accounting disclosure obligations)
- Restricting the sale of PHI by covered entities without individual authorization
- Expanding the scope of penalties for unlawfully using and disclosing PHI, and the scope of individuals permitted to file claims for HIPAA violations to include state attorneys general, and also requiring the Secretary of Health and Human Services (the "Secretary") to establish a methodology for sharing a percentage of HIPAA civil monetary penalties and settlement amounts with aggrieved individuals
- Requiring the Secretary to conduct mandatory audits of covered entities and business associates
Direct Application of HIPAA Security Rule and Privacy Rule Provisions to Business Associates
Under current law, business associates are not directly regulated by HIPAA or its implementing regulations. Lacking statutory authority to directly regulate any person other than "covered entities" (i.e., health care providers that engage in a standard transaction, health plans and health clearinghouses), the Secretary addressed the disclosure of PHI to third-party vendors of covered entities by requiring the covered entities to enter into HIPAA-compliant business associate contracts with such persons and organizations. Thus, a business associate's HIPAA obligations are by contract and not by statute or law.
The Stimulus Act significantly changes that approach. HIPAA business associates will now be subject directly to many of the same Security Rule requirements as covered entities, meaning that business associates will need to implement the administrative, physical and technical safeguards required by 45 CFR Part 164, Subpart C. Business associates will also need to implement the requisite Security Rule policies and procedures required of covered entities.
Business associates will also be bound by the Privacy Rule and will be subject to the same civil monetary penalties and criminal penalties that are applicable to covered entities for Privacy Rule and Security Rule violations.
Effective as of February 17, 2009, the Act states specifically that organizations such as health information exchange organizations and regional health information exchange organizations that provide data transmission of PHI on behalf of a covered entity and that routinely require access to such information are business associates of the participating covered entities. Many such organizations had argued that they were mere conduits of PHI and, therefore, were not business associates of any covered entity participants or members.
Action Item: This is a significant expansion to the scope of the Privacy Rule and Security Rule. Like covered entities, business associates will need to implement a health information security program that comports with the standards set forth in the Security Rule. This will include a required risk analysis. Covered entities will also need to ensure the implementation of these obligations by their business associates, presumably through appropriate representations and warranties, which may necessitate the execution of business associate contract amendments or amended and restated business associate agreements. Further, covered entities that did not previously execute business associate contracts with health information exchange organizations in which they participate will need to execute such agreements.
Notification of Data Security Breach Required for Covered Entities, PHR Vendors and Other Non-Covered Entities
The current version of the Security Rule does not require covered entities to notify their patients, insureds or customers in the event of a security breach involving PHI. (Many states would, however, require such a notification depending upon the information involved.) Per the Stimulus Act, no later than 60 days after discovery of a breach or a suspected breach, covered entities would be required to notify individuals whose "unsecured" PHI has been or is reasonably believed by the covered entity to have been accessed, acquired or disclosed. There is no materiality standard regarding the type or scope of PHI involved.
"Unsecured PHI" is defined as PHI that is not secured through the use of a technology or methodology to be defined by the Secretary. Guidance from the Secretary on the matter is required within 60 days of enactment of the Stimulus Act. Until such time, PHI will be deemed secured if it is encrypted by a technology or methodology developed or endorsed by an ANSI accredited organization.
Business associates would also be required to notify covered entities of a security breach. Written notice of a data security breach to affected individuals would be required in all cases. The Secretary would also need to be notified of all security breaches (immediately in the case of a security breach involving 500 or more persons, or annually via a log-book submission if fewer than 500 persons were involved). In cases involving 500 or more persons in a given state or media jurisdiction, notice to the media would also be required.
The required content of the notice is similar to that currently employed by many financial entities and organizations alerting customers to a possible security breach or identity theft event (e.g., description of the event, types of unsecured PHI involved, steps that the person should take to mitigate potential harm, description of what actions the covered entity is taking to investigate, mitigate losses and protect against further breaches).
The Act also includes virtually identical data security breach notification requirements for vendors of PHRs. Because PHR vendors may not be HIPAA-covered entities, instead of notifying the Secretary of a breach of...