United States: American Recovery & Reinvestment Act Significantly Impacts HIPAA
14 March 2009
Article by Debra Bogo-Ernst, Rebecca Eisner Jeffrey P. Taft, and A. John P. Mancini
Originally published March 12, 2009
Keywords: American Recovery & Reinvestment Act, ARRA, Health Insurance Portability and Accountability Act, HIPAA, HITECH Act, Covered Entities, Business Associates, direct liability
The American Recovery & Reinvestment Act of 2009 (ARRA), signed into law on February 17, 2009, includes significant changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). More specifically, Title XIII of ARRA, known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, greatly expands the HIPAA obligations of “Covered Entities” and “Business Associates.”
Direct Liability for Business Associates in Certain Circumstances
Previously, Business Associates — persons who perform any function or activity involving the use or disclosure of Protected Health Information on behalf of a Covered Entity — were not directly liable for HIPAA violations. Instead, Business Associates had the potential for contractual liability to Covered Entities through contracts known as Business Associate Agreements. The HITECH Act now imposes direct civil and criminal penalties on Business Associates for certain security and privacy violations under HIPAA.
Under the HITECH Act, the majority of the HIPAA Security Rule now directly applies to Business Associates in the same manner as it applies to Covered Entities. For example, Business Associates will now be required to implement and maintain certain security policies and procedures, appoint a security officer and provide related training.
In addition, the HITECH Act imposes new Privacy Rule-related obligations on Business Associates. More specifically, the HITECH Act provides that Business Associates may use and disclose Protected Health Information only to the extent that such use or disclosure complies with certain requirements in Business Associate Agreements. Effectively, by way of this statutory tie to certain contractual provisions, Business Associates must directly comply with aspects of the Privacy Rule.
The HITECH Act specifically requires that Business Associate Agreements be modified to incorporate the new Security Rule and Privacy Rule requirements.
New Notification Requirements
Covered Entities and Business Associates alike will be subject to new notification requirements. For example, within 60 calendar days of discovering a breach of “unsecured” Protected Health Information (including breaches that should reasonably have been known), Covered Entities must notify:
Individuals with respect to a breach of their information;
“Prominent media outlets serving a State or jurisdiction” if more than 500 residents of such State or jurisdiction are affected; and
The Secretary of the Department of Health and Human Services (Secretary).
The Secretary will post a list of each Covered Entity involved in a breach of “unsecured” Protected Health Information concerning more than 500 individuals on the Department of Health and Human Services’ web site.
Enforcement Expanded to State Attorneys General
The HITECH Act empowers state attorneys general to bring civil actions in federal court if they have “reason to believe” that “one or more of the residents of that State has been or is threatened or adversely affected” by a violator for injunctive relief or statutory damages as well as attorneys’ fees. Previously, the Secretary had the sole right to enforce HIPAA through her delegations to the Centers for Medicare & Medicaid Services (Security) and the Office of Civil Rights (Privacy).
Increased Penalties and Compensation for Harmed Individuals
The new legislation significantly increases the existing civil monetary penalties for each violation. Civil penalties now generally range from $100 to $50,000 per violation, with caps of $25,000 to $1.5 million for all violations of a single requirement in a calendar year. The severity of the penalties is based upon the violator’s knowledge: from no knowledge (and by exercising reasonable diligence would not have known) of violation, to reasonable cause for the violation, to willful neglect. The Secretary is required to impose penalties for “willful neglect” violations. Within three years of the HITECH Act, the Secretary must establish, via regulation, a methodology for providing a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense to any harmed individual.
The effective dates for the HITECH Act changes to HIPAA vary. For example, the increased penalty provisions are effective immediately. In contrast, other provisions will be effective within a year of the legislation (i.e., February 2010) or after related regulations are published.
There are many other provisions of the HITECH Act that will affect the HIPAA obligations of Covered Entities and/or Business Associates
via United States, IT & Telecoms, American Recovery & Reinvestment Act Significantly Impacts HIPAA – Mayer Brown – 14/03/2009, Information Security & Risk Management, Information Technology Law, Data Protection, Pharmaceutical, Healthcare & Life Sciences, Healthcare.