THE HITECH ACT:
IMPORTANT HIPAA INFORMATION FOR BUSINESS ASSOCIATES
May 2009
HITECH Act Expands HIPAA Privacy and Security Rules: On February 17th, President Obama signed the American Recovery and Reinvestment Act of 2009 (the stimulus bill). A portion of the bill created the Technology for Economic and Clinical Health Act (HITECH). HITECH substantially expands the HIPAA Privacy and Security Rules and increases the penalties for violations of HIPAA. This document discusses new requirements that:
- Apply the HIPAA privacy and security requirements directly to business associates;
- Establish mandatory federal breach reporting requirements for HIPAA covered entities and their business associates;
- Create new privacy requirements for HIPAA covered entities and their business associates, including new accounting requirements for electronic health records, restrictions on marketing and fundraising, and other developments; and
- Establish new criminal and civil penalties for noncompliance and new enforcement responsibilities.
PRIVACY AND SECURITY REQUIREMENTS FOR BUSINESS ASSOCIATES
The HITECH Act applies the HIPAA Privacy and Security Rules—and their penalties—to HIPAA business associates.
Security Requirements. HITECH substantially expands the scope of the HIPAA Privacy and Security Rules by applying most of the rules’ provisions to business associates. Section 13401 of the Act (42 U.S.C. § 17931) requires individuals and entities acting as “business associates” of HIPAA covered entities to comply with the HIPAA Security Rule provisions on:
- Administrative safeguards (45 C.F.R. § 164.308)
- Physical safeguards (45 C.F.R. § 164.310)
- Technical safeguards (45 C.F.R. § 164.312)
- Policies and documentation (45 C.F.R. § 164.316)
- The new breach reporting requirement (see below).
Business associates must continue to comply with their business associate contractual requirements to have adequate administrative, physical and technical safeguards in place to protect health information received from covered entities. Business associates must now comply with specific security requirements and have written policies and documentation of security safeguards in place. Except for the breach reporting requirements, business associates must comply with these provisions by February 17, 2010.
Privacy Requirements. Section 13404 of the Act (42 U.S.C. § 17934) requires HIPAA business associates to comply with 45 C.F.R. § 164.504(e) (which sets forth the privacy terms required in HIPAA business associate agreements). While these contract obligations have always been enforceable by covered entities through contract, these obligations will be enforceable by the government directly through HIPAA. Business associates also are required to comply with the additional privacy requirements imposed by the Act described below. Business associates must comply with these provisions by February 17, 2010, unless a later enforcement date is set for the specific provision.
Criminal and Civil Penalties. Section 13401 of the Act makes HIPAA’s criminal and civil penalties (42 U.S.C. § 1320d-5 and § 1320d-6) applicable to business associates.
BREACH REPORTING REQUIREMENTS
The HITECH Act creates a new breach reporting requirement for HIPAA covered entities and their business associates.
Section 13402 of the Act (42 U.S.C. § 17932) creates a new federal breach reporting requirement for HIPAA covered entities and their business associates. This section requires a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to “notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.”
This new requirement hinges on two important definitions:
Unsecured protected health information: Section 13402(h) defines this term as PHI that is not secured through the use of a technology or methodology that renders PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” The US Department of Health and Human Services (HHS) issued this guidance on April 17, 2009, and is required to issue updated guidance on an annual basis. The HHS guidance applies both to electronic and paper PHI, and specifies two methods of securing information: encryption in compliance with the National Institute of Standards and Technology (NIST) standards and destruction. HHS explains:
a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” and such confidential process or key that might enable decryption has not been breached. Encryption processes identified below have been tested by NIST and judged to meet this standard.
i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
ii) Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.
b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.
ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
If a covered entity or business associate encrypts or destroys its PHI consistent with this HHS guidance, then its information is “secure” and any breach would not be reportable.
HHS is required to update its guidance annually.
Breach: Section 13400 defines “breach” as follows:
(A) In general. The term “breach” means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
(B) Exceptions. The term “breach” does not include:
(i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if:
(I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
(ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and
(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.
This means that unintentional or inadvertent access to PHI by employees, agents or medical staff members is not a reportable breach unless that person further uses or discloses the PHI in an unauthorized manner. The provision also will not apply to disclosures to other unauthorized persons if they would not reasonably have been able to retain such information.
Notice Requirements. The Act contains rigorous notification requirements.
- Covered entities must notify “each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach” without unreasonable delay and no later than 60 days after discovery of the breach by the covered entity or its business associate (unless there is a law enforcement request for delay).
- Notice must be made by first-class mail (or email if specified by an individual). If there is insufficient or out-of-date contact information, a covered entity must do a “substitute form of notice”; if there are more than 10 individuals affected, the entity must do a conspicuous Web site posting or notice in major print or broadcast media.
- If more than 500 residents of the State or jurisdiction are involved, the entity must provide notice to “prominent media outlets.”
- If more than 500 residents of the State or jurisdiction are involved, the entity must provide immediate notice to HHS. If fewer than 500 residents are involved, the entity must log the breach and disclose the breach to HHS in an annual report.
- The regulations require the notice to individuals to contain a description of what happened and the unsecured PHI involved, steps individuals can take to protect themselves, a description of the covered entity’s efforts to investigate, mitigate and prevent further breaches, and contact information.
A business associate is not required to provide notice of breach to the individual, but instead must notify the covered entity of a breach, along with identification of each affected individual.
ADDITIONAL PRIVACY REQUIREMENTS
The HITECH Act creates new privacy requirements for HIPAA covered entities and their business associates.
Request for Restrictions on Disclosures to Health Plans. The HIPAA Privacy Rule currently permits an individual to ask a covered entity to restrict the usual manner in which the covered entity makes disclosures for treatment, payment and health care operations. However, the covered entity is not required to agree to the request. Section 13405(a) of the HITECH Act (42 U.S.C. § 17935(a)) now requires a covered entity to grant an individual’s request not to disclose to a health plan PHI solely related to a health care item or service where the individual has paid in full out of pocket. This provision is effective one year from the date of the enactment of the Act, or February 17, 2010. This provision also applies to business associates.
Minimum Necessary. The HIPAA Privacy Rule currently requires a covered entity to restrict its use, disclosure or requests for PHI to the “minimum necessary” amount of information required for the particular purpose. The rule permits covered entities to rely on a request by other covered entities and their business associates as being the minimum necessary. Section 13405(b) of the new statute (42 U.S.C. § 17935(b)) makes two significant changes. First, the covered entity must limit PHI to a “Limited Data Set” (information that has been partially de-identified) if practicable, or if needed, to the minimum necessary to accomplish the intended use, disclosure or request. Second, a covered entity is required to make the determination of minimum necessary itself, rather than relying on others to make that decision. There is still an exception for treatment.
This provision is effective one year from the date of the enactment of the Act, or February 17, 2010. This provision is applicable to business associates. HHS is instructed to issue guidance on what constitutes “minimum necessary” within 18 months, at which point this statutory provision sunsets, and the HHS guidance will control.
New Electronic Health Record Provisions for Accounting for Disclosures of PHI for Treatment, Payment and Health Care Operations. The HIPAA Privacy Rule currently requires covered entities to provide an “accounting” of disclosures of PHI to individuals at their request, with various exceptions, including disclosures that are made for treatment, payment and health care operations. Section 13405(c) of the Act (42 U.S.C. § 17935(c)) provides that disclosures made through an EHR for treatment, payment and health care operations purposes must be included in the accounting, but information is limited to three years of disclosure information (rather than six). Covered entities will have the choice of including information about electronic disclosures by their business associates or providing a list of their business associates, which then would be required to provide the accounting directly to individuals. HHS is required to issue a variety of standards for development and adoption of electronic health records, including accounting requirements, by December 31, 2009 (HITECH Act, Section 13101). HHS then is required to issue regulations on the new accounting requirements within 6 months of these HHS standards, or by June 30, 2010. In writing these regulations, the statute instructs HHS to require only information that takes into account the interests of individuals in learning the circumstances under which their PHI is disclosed and to consider the administrative burden in complying with these requirements. If a covered entity acquired an EHR before January 1, 2009, the HHS regulations will be effective for disclosures made from the EHR starting on January 1, 2014. If a covered entity acquires an EHR after January 1, 2009, the regulations will apply to disclosures starting on January 1, 2011. In the regulations, HHS is permitted to provide an additional two years for compliance.
No Payment for PHI. The HIPAA Privacy Standards currently permit a covered entity to receive payment for a disclosure of PHI where that disclosure is permitted by the regulations (such as for the entity’s health care operations, for research, and other activities). Section 13405(d) of the new statute (42 U.S.C. § 17935(d)) prohibits indirect and direct remuneration for a disclosure of PHI without the individual’s authorization. The authorization document must explain whether PHI can be further exchanged for remuneration by the downstream entity receiving the PHI. The statute contains several exceptions where a covered entity is still permitted to receive remuneration for disclosures:
- For public health activities,
- For research, where the price charged reflects the costs of preparation and transmittal of the data,
- For treatment,
- For the sale, merger or transfer of the covered entity (which is a health care operation),
- To a business associate to perform functions for the covered entity,
- To an individual who wants copies of his or her PHI, and
- That fall within any future regulatory exceptions.
HHS is required to issue regulations related to this requirement within 18 months, or by August 17, 2010. In developing these regulations, the statute charges HHS with evaluating the cap on prices charged for data in research and with examining public health disclosures. The statutory requirements apply six months after HHS issues final regulations. This restriction on disclosures applies to business associates.
Individual Access to PHI. The HIPAA Privacy Rule currently requires covered entities to provide individuals access to their PHI in a “designated record set,” with some exceptions, in the “form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.” Section 13405(e) of the Act (42 U.S.C. § 17935(e)) requires covered entities that maintain PHI in EHRs to provide access to individuals in electronic format, and to transmit a copy of that PHI to an entity or person designated by the individual, such as another provider or a personal health record vendor. This provision applies in one year, on February 17, 2010. This applies to business associates.
Marketing. The HIPAA Privacy Rule requires an individual’s authorization to use PHI for “marketing” for most purposes. While marketing is defined as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service,” the definition of marketing excludes communications:
- To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of or enhancements to a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;
- For treatment of the individual; or
- For case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
Section 13406(a) of the Act (42 U.S.C. § 17936(a)) prohibits a covered entity from obtaining direct or indirect payment for these types of communications without an authorization, except where payment is:
- For treatment;
- Regarding a drug currently prescribed for the recipient and such payment is “reasonable”;
- Pursuant to a valid authorization; or
- Made by a business associate on behalf of a covered entity, and is consistent with the business associate agreement.
This provision applies in one year, on February 17, 2010, and applies to business associates.
Fundraising. The HIPAA Privacy Rule currently permits covered entities to use limited PHI about individuals (demographic information and dates of service)—such as patient lists—to do fundraising. The Rule requires a covered entity to include in all fundraising materials a description of how the individual may opt out of receiving any further fundraising communications, and to make reasonable efforts to ensure that individuals who decide to opt out of receiving future fundraising communications are not sent such communications. Section 13406(b) of the new law (42 U.S.C. § 17936(b)) mirrors the existing opt-out requirement, but makes an opt-out the equivalent of an authorization revocation. The practical effect of this change is to increase the importance of ensuring an individual’s opt-out is honored. This provision applies in one year, on February 17, 2010. This applies to business associates.
PENALTIES AND ENFORCEMENT
The HITECH Act increases the penalties for HIPAA covered entities and business associates that violate HIPAA, and adds criminal penalties for others.
Criminal Penalties. Section 13409 of the Act provides that the HIPAA criminal penalties apply to any individual who, without authorization, obtains or discloses individually identifiable health information that is maintained by a HIPAA covered entity. This provision clarifies that an individual does not need to be a HIPAA covered entity to be subject to the criminal penalties in 42 U.S.C. § 1320d-6(a). This provision applies in one year, on February 17, 2010.
Civil Penalties. Section 13410 (42 U.S.C. § 17939) makes a variety of changes to the civil penalty provisions. First, the Act adds that noncompliance due to willful neglect requires HHS to formally investigate a complaint and to impose a civil penalty. HHS is required to implement regulations within 18 months, or by August 17, 2010, and the statutory amendments will be effective six months later. The section also requires civil penalties collected for privacy or security violations to go to the HHS Office for Civil Rights to fund enforcement. The Government Accountability Office is directed to issue a report on sharing a percentage of these penalties with individuals who are harmed, and HHS is directed to issue regulations on this issue within three years. The Act also increases the amount of civil penalties from the present $100 per violation (up to $25,000 per year for all violations of an identical requirement) to the following tiered civil penalties:
- If the person did not know (and by exercising reasonable diligence would not have known) that such person violated a provision, the civil penalty is between $100 - $50,000 for each violation, up to a total of $25,000-$1,500,000 per year for all violations of an identical requirement;
- If the violation was due to reasonable cause and not to willful neglect, the civil penalty is between $1,000 - $50,000 for each violation, up to a total of $100,000-$1,500,000 per year for all violations of an identical requirement;
- If the violation was due to willful neglect, the civil penalty is between $10,000 - $50,000 for each violation, up to a total of $250,000-$1,500,000 per year for all violations of an identical requirement, if the violation was corrected during the 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred. If the violation is not corrected within 30 days, the penalties increase to $50,000 for each violation, up to a total of $1,500,000 per year for all violations of an identical requirement.
These new enforcement penalties are applicable immediately.
Enforcement Authority to State Attorneys General. Section 13410(e) gives enforcement authority to State Attorneys General to enforce the HIPAA Privacy and Security Rules, where an Attorney General has “reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part.” State Attorneys General are authorized to bring a civil action to enjoin a violation or to obtain statutory damages on behalf of those residents. These statutory damages are calculated by multiplying the number of violations by $100, up to $25,000 for violations of each identical requirement. The Act also permits states to seek the award of attorneys’ fees.
These new enforcement penalties are applicable immediately.
Audits. Finally, the Act requires HHS to do periodic audits to ensure that covered entities and their business associates are complying with the HIPAA regulations.