By Lora Bentley
IT Business Edge
Posted April 3, 2009.
Among tax cuts and credits, more bailout fund requirements, and restrictions on executive pay packages, the American Recovery and Reinvestment Act of 2009 (ARRA) also includes a section that expands the reach of the Health Insurance Portability and Accountability Act (HIPAA) and introduces the first federally mandated data breach notification requirement.
Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), reserves $22 billion to “advance the use of health information technology” — in large part so the U.S. will be able to move to e-health records by President Obama’s 2014 deadline.
It also expands the reach of HIPAA data privacy and security requirements to include the “business associates” of those entities (health care providers, pharmacies, and the like) that are subject to HIPAA. Business associates, according to Goodwin Procter attorney Jacqueline Klosek, are companies like accounting firms, billing agencies, law firms or others that provide services to the entities covered under HIPAA.
Under the HITECH Act, those companies are now directly subject to HIPAA security and privacy requirements, as well as to the same civil and criminal penalties that hospitals, pharmacies and other HIPAA-covered entities face for violations. Before HITECH came into force, Klosek explains, business associates that failed to properly protect patient information were liable to the covered entities via their service contracts, but they did not face governmental penalties.
Kelly Hagan, a shareholder in the law firm of Schwabe, Williamson and Wyatt, says the most significant (and least publicized, in his opinion) changes in the HITECH Act are those that strengthen HIPAA enforcement measures. In particular, Hagan points to subsection 13410(c), which requires civil penalties collected under the HITECH Act to be funneled back into the enforcement budget of the Department of Health and Human Services’ Office for Civil Rights (OCR).
He says the situation now is reminiscent of the creation of the Fraud and Abuse Control Account: “It was remarkable when they put the Fraud and Abuse Control Account in place and started funneling the monetary penalties back into the enforcement agency’s budget how quickly that became a priority. If history repeats itself, what that suggests is that the OCR’s traditional approach to enforcement, which has been complaint-driven and compliance-oriented, is going to … become more proactive, more punitive.”
Moreover, monetary penalties are mandatory for violations involving “willful neglect” as of Feb. 17, 2011. At that point, “all of a sudden HIPAA compliance becomes a fact of life instead of a paper tiger,” Hagan says.
If that’s not enough, Proskauer Rose associate Sara Krauss observes yet another enhancement: The HITECH Act provides for the Department of Justice to pursue criminal penalties for a violation that rises to the level of criminal activity. However, in the event that DOJ declines to act on a violation, the HITECH Act allows OCR to pursue civil penalties for that same violation.
The expanded opportunity for state attorneys general to get involved in enforcement under the HITECH Act will create more complexity for those subject to HIPAA — especially those who do business in more than one state, according to Klosek.
“Those companies won’t be able to just say, ‘OK, this is how the federal authorities are interpreting it and enforcing it.’ They’ll also have to say, ‘This is how state authorities are interpreting it and enforcing it,’” she says. “And it may be different from state to state. The base law will be the same, but there’s certainly some flexibility in how it’s interpreted.”
The HITECH Act’s data breach notification requirements for protected health information add another level of complexity. Though several states have data breach notification laws covering information that could be used in identity theft (Social Security Numbers, credit card numbers, banking information, and the like), only a few have extended such notification laws to health information. And the federal government has never addressed the issue. Until now.
The HITECH Act requires HIPAA-covered entities to notify the Secretary of Health and Human Services and affected individuals when their unsecured protected health information has been compromised. Notice must be given to the individuals whose data is affected “without unreasonable delay,” and no later than 60 calendar days after the breach is discovered (the clock runs from discovery, not from the date the breach actually occurred). Similarly, business associates that experience a breach are required to notify the covered entities with which they have contracted, and the covered entities will then notify the affected individuals. If the breach involves more than 500 residents of a state or jurisdiction, the covered entity will also be required to notify major media outlets serving that area.
The fact that Congress chose to limit the requirements to health information complicates matters further for companies that operate in several states. They are already subject to the various state data breach notification requirements, which can be different and at times inconsistent. And those will still apply to information other than in the health arena. So those companies can’t simply come up with a form letter that will work for every breach.
Proskauer Rose partner Tanya Forsheit says, “If they have a situation, they really need to understand what the various laws require them to do, and if they are also now subject to the new HIPAA provisions, it’s going to be that much more complex, frankly.”
To prepare for these new requirements, the experts suggest covered entities and business associates alike should, at a minimum, review their current security programs and processes to make sure they are in compliance. HIPAA.com contributor Ed Jones adds, “Covered entities should notify their business associates of the…changes in ARRA, and begin working on a plan to revise their business associate contracts to reflect the changes.”
HIPAA.com also provides a “to-do list” to help business associates prepare. The list includes such tasks as appointing a security official and developing written policies and procedures that include both physical safeguards (locking computers) and technical safeguards (encrypting e-mail). Training employees on how to protect electronic health information is also important.
“The requirements are tremendous,” Klosek says. “Fully complying with the HIPAA privacy and security rules requires a whole bunch of policies, procedures, training… For those companies that haven’t had that in place and now have a year, or less, to get it all in order, it’s really a tremendous undertaking.”