Economic Stimulus Package Ratchets up Privacy and Security for Health Information

The new economic stimulus package provides over $19 billion to support and promote the adoption of electronic health records (EHRs) for all Americans by 2014. With this added momentum comes concerns about the privacy and security of EHRs, particularly in the hands of health record exchanges, which are not directly regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new legislation is loaded with requirements, new enforcement provisions and penalties for covered entities, business associates, vendors and others.

Congress passed the American Recovery and Reinvestment Act of 2009 (the Act) on Friday, Feb. 13, 2009, with almost unprecedented speed, and the President signed it into law on Feb. 17. The Act has grabbed the attention of the country - from inside the beltway to Main Street America. Title XIII of the Act is artfully entitled the Health Information Technology for Economic and Clinical Health (also referred to as HITECH) Act.

Most of the Act's provisions will take effect one year after enactment of the law (Feb. 17, 2010), although increased penalty provisions go into effect immediately. Other provisions require implementing regulations and will take two years or longer to take effect.

Privacy and security breach notices to individuals

Almost all states have passed laws requiring businesses to notify consumers of breaches of the security of their personal information in electronic databases. HIPAA, however, has no strict notification requirement. The Act changes this by requiring covered entities to notify individuals whose unsecured protected health information has been or is reasonably believed to have been accessed, acquired or disclosed as a result of a privacy or security breach. If the breach is discovered by a business associate, rather than a covered entity, then the business associate is required to notify the covered entity of the breach, including the identification of each individual who has been or is reasonably believed to have been affected by the breach.

The notification provisions will provide new challenges to covered entities and their business associates. Almost all states have adopted their own notification provisions that have different triggers, notification timelines, notice procedures and content requirements. The new federal requirements do not preempt the more restrictive state notification requirements, and covered entities likely will have to comply with both. It will not be, however, necessarily intuitive how to combine more stringent notification timelines imposed by state law with more specific notification content under federal law.

The Act generally requires that the breach notices be sent without unreasonable delay and in no case later than 60 calendar days after discovery. Unlike many state notification laws, the new federal law is not limited to breaches of the security of online information, nor is it restricted to financially sensitive information, such as social security number, bank account information or the like.

Within 60 days after the Act's passing, the Secretary of the Department of Health and Human Services (the Secretary) is directed to issue guidance on what constitutes “unsecured protected health information,” the disclosure of which triggers notification duties. If the Secretary does not issue timely guidance, the Act provides a default definition of unsecured protected health information, which includes all protected health information that is not secured by an encryption standard endorsed by the National Institute of Standards and Technology. In addition, the Secretary will issue and annually update guidance specifying the technologies and methodologies that effectively secure health information.

For purposes of notification, a breach is “discovered” on the first day on which such breach is known to the covered entity or business associate, or reasonably should have been known. The clock starts running as soon as anyone in the organization knows or should have known about the breach.

Notice may be delayed if a law enforcement official determines that it would impede a criminal investigation or damage national security. Entities providing notification have the burden of demonstrating that notifications were made under the Act, including demonstrating the necessity of any delay. Accordingly, both covered entities and business associates must take care to document their process and rationale for providing notification under the Act. Although 60 days is the outside time limit, under the language of the Act, covered entities and business associates must be able to justify their rationale for utilizing the entire 60 days.

Notices to affected individuals generally must be sent by first class mail. They may be sent by electronic mail if the individual has expressed a preference for it or, in an emergency, by telephone (although this does not obviate the need for written notice). Further, if 10 or more individuals require notification for which there is insufficient or out-of-date contact information, a covered entity is required to place a conspicuous posting for a period determined by the Secretary on its website homepage or place a notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside.

All notices must contain:

• A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  
  
• A description of the types of unsecured protected health information involved in the breach.
  
  
• The steps individuals should take to protect themselves from potential harm resulting from the breach.
  
  
• A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses and to protect against any further breaches.
  
  
• Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website or postal address.

If the breach involves more than 500 residents of a state, a covered entity also must provide notice to prominent media outlets serving the state. Further, a covered entity must notify the Secretary immediately if the breach involves 500 or more individuals. The Secretary will post the names of all covered entities with reported breaches of more than 500 individuals on a Department of Health and Human Services website. A covered entity must notify the Secretary of any breach involving fewer than 500 individuals, but may maintain a log of such breaches and submit it to the Secretary annually.

Personal health record vendors: now covered

Notification provisions are extended to vendors of personal health records (PHRs), as well as businesses that offer products or services through the website of a PHR vendor or a covered entity that offers PHRs, and entities that access information in or send information to a PHR.

These businesses are required to notify the Federal Trade Commission and each affected individual who is a citizen or resident of the United States of a breach of the privacy or security of unsecured protected health information. If a PHR vendor utilizes the services of a third party service provider to carry out the PHR service, then the third party must notify the vendor of any breach upon its discovery. Upon receipt of notice, the Federal Trade Commission will notify the Secretary of the breach.

Violations of the notification requirements related to PHR identifiable health information will be treated as unfair and deceptive acts or practices under the Federal Trade Commission Act.

PHR vendors are not covered by HIPAA. Accordingly, the Act requires the Federal Trade Commission to promulgate interim final regulations within 180 days from the enactment of the Act, which will provide guidance on the requirements for breaches of PHR identifiable health information. The notification requirements will apply to breaches that are discovered on or after 30 days from the publication of the Federal Trade Commission's interim final regulations.

Increased duties for business associates

Business associate contracts have been viewed by critics as an ineffective way of protecting health information, particularly in the hands of large aggregators such as health information exchanges, which typically are the business associates of covered entities that participate in the exchange. The privacy and security requirements of a business associate contract are very general and do not require the business associate to implement the detailed requirements of the HIPAA privacy and security rules. In the event of a breach, the business associate has faced only a contract claim from the covered entity, and unless the covered entity sustained economic damages from the breach, there has been little incentive to bring such a claim. Also, a single covered entity participating in a health information exchange may have had little power to affect the exchange's privacy and security practices.

The Act patches these holes by applying some of the HIPAA standards directly to business associates and, as described above, by requiring business associates to report privacy and security breaches.

Business associates now will be subject to the administrative, physical and technical safeguard security requirements of the HIPAA security rule, as well as the requirements to maintain policies, procedures and documentation of security activities. The Act takes a slightly different approach to privacy: it does not apply specified HIPAA privacy standards to business associates, but it prohibits business associates from making any use or disclosure of protected health information that is not in compliance with each of the required terms of a HIPAA business associate contract.

The additional privacy and security requirements created for covered entities by the Act, which are described below, will apply to business associates and are incorporated into business associate contracts.

Business associates that violate the HIPAA security standards or the required terms of their business associate contracts now will be subject to the same civil and criminal penalties as covered entities.

The Act clarifies that health information exchanges and other organizations that provide data transmission of protected health information to a covered entity, and that require routine access to protected health information, are business associates and must enter into business associate contracts with the covered entity. The same applies to vendors that provide PHRs on behalf of covered entities. Organizations such as these typically would have been viewed as business associates under the existing HIPAA rules, but the Office for Civil Rights has said that Internet service providers and other such “conduits” that have only incidental access to protected health information are not business associates. The Act may be intending to distinguish health information exchanges and PHR contractors from these unregulated businesses.

Expanded accountings of disclosures

The Act expands the HIPAA right of individuals to receive an accounting of disclosures. Under current HIPAA regulations, covered entities are required to provide an accounting of certain disclosures of health information to individuals who request it. The accounting, however, need not include disclosures for treatment, payment or health care operations, which account for the great majority of uses and disclosures.

Under the Act, if a covered entity uses or maintains an EHR, then individuals will have a new right to receive an accounting of disclosures for treatment, payment and health care operations of their protected health information made from the EHR during the three-year period prior to the request.

Covered entities may impose reasonable fees on an individual for the production of an accounting; however, the fees may not be greater than the covered entity's labor costs in responding to the request.

This new right is not immediate. Within six months, the Secretary is required to adopt standards that will detail what information must be included in such accountings. Those covered entities that have not yet acquired an EHR but who do so after Jan. 1, 2009, must provide accountings of disclosures upon request that detail disclosures made on or after the later of Jan. 1, 2011 and the date on which they implement their EHR. Covered entities that began using an EHR prior to Jan. 1, 2009 will enjoy a longer grace period and will not be required to provide such accountings until Jan. 1, 2014.

Obtaining electronic records

When a covered entity uses or maintains an EHR containing an individual's protected health information, the individual will have the right to obtain from the covered entity a copy of his or her record in an electronic format. In addition, the individual has a right to direct the covered entity to transmit a copy directly to another entity or person. The covered entity may not charge the individual any more than its labor costs to respond to a request for a copy of the record.

Individually directed privacy restrictions

The Act imposes a new requirement on covered entities to comply with requests from individuals to restrict the disclosure of their protected health information that relates to treatment, payment and health care operations. Currently under HIPAA, providers have the discretion to not agree to comply with such a request (but are bound by them if they do agree). Under the new provisions of the Act, compliance is mandatory (unless otherwise required by law) if:

• The restriction relates to disclosure to a health plan for purposes of carrying out payment or health care operations;
  
  
• The restriction does not relate to disclosure to a health plan for the purpose of carrying out treatment; and
  
  
• The protected health information pertains solely to a health care item or service for which the health care provider involved has already been paid out of pocket in full.

By making restrictions on disclosure of information mandatory, this provision will add to the administrative burdens of covered entities with integrated records used for treatment and billing purposes. Health care providers likely will have to section off health information sent to payors from the complete medical record available for treatment purposes. Although a patient may agree to pay out-of-pocket for the initial test or treatment, what happens if that patient later seeks care for the same or related conditions and requests that the subsequent treatments be billed to the patient's insurer, who may lack information to make a determination on medical necessity? In some states, health care providers who contract with HMOs are precluded from balance billing the patient when there is a denial.

New restrictions on marketing and fundraising

The Act clarifies that marketing communications are not health care operations, except those made (i) to describe a health-related product or service provided by, or included in a plan of benefits of, the covered entity making the communication, (ii) for treatment of the individual or (iii) for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers or settings of care to the individual. This is consistent with the terms of the HIPAA privacy rule. The privacy rule, however, permits a covered entity to receive remuneration for making these non-marketing communications. The Act now prohibits this, except where—

• The communication describes only a drug or biologic that currently is being prescribed for the individual, and any payment received by the covered entity in exchange for making a communication is “reasonable in amount,” as defined by the Secretary in regulation;
  
  
• The communication is made by the covered entity pursuant to a valid authorization from the individual; or
  
  
• The communication is made by a business associate on behalf of the covered entity and the communication is consistent with the business associate contract between the business associate and covered entity.

Prior versions of the Act would have required the Secretary to exclude the activity of fundraising from the definition of “health care operations” – effectively prohibiting the use of protected health information for fundraising without authorization. Instead, the Act requires the Secretary to provide by rule that any written fundraising communication shall, in a clear and conspicuous manner, provide an opportunity for the recipient of the communications to elect not to receive any further such communication. This already is a requirement of the privacy rule. The Act, however, goes on to provide that when an individual elects not to receive any further fundraising communications, the election shall be treated as a revocation of authorization under the privacy rule. The effect of this is not clear – the privacy rule already requires a covered entity to make reasonable efforts not to send fundraising solicitations to an individual who has opted out. Perhaps reasonable efforts will no longer suffice.

The additional restrictions on marketing and fundraising apply to communications made after Feb. 17, 2010.

Preference for limited data sets and de-identified information

In general, the Act favors efforts by covered entities to use, disclose and request protected health information in a limited data set format. A limited data set is almost de-identified, except that it can have dates more specific than year and locations down to zip code. The Act emphasizes that covered entities will be deemed to be in compliance with HIPAA when they limit the protected health information used, disclosed or requested to the “limited data set” as defined by the privacy rule or, and only if needed by the covered entity, to the “minimum necessary” to accomplish the intended purpose of the use, disclosure or request. Thus, “limited data set” disclosures are preferred to “minimum necessary” disclosures.

In a prior version of the Act that called for the Secretary's reevaluation of “health care operations,” the de-identification of data was promoted as an option on par with securing an individual's authorization. This section would have permitted the Secretary to require the de-identification of data for use in activities that were previously permitted under HIPAA. The removal of this section does not imply that Congress has deprioritized the use of de-identified information by covered entities. This is evident because the Act requires that, within a year after its passage, the Secretary will meet with stakeholders to issue new guidance related to how entities should comply with the requirements for de-identification of protected health information.

Limited data sets provide a clear outline of what information can be used or disclosed by a covered entity in situations not involving direct treatment or payment. While the concept of minimum necessary remains an alternative where there may be a demonstrated need for information that goes beyond what can be provided in a limited data set, the new law encourages reliance on the limited data set and a more simple and certain method of segregating out relevant portions of protected health information data.

Clarification of minimum necessary

No later than 18 months after the passage of the Act, the Secretary must issue guidance on what the term “minimum necessary” encompasses as it is used to modify the concepts of disclosure, use and request of protected health information under the HIPAA privacy rule. In issuing this guidance, the Secretary must take into consideration that “minimum necessary” should encompass that information necessary to improve patient outcomes and to detect, prevent and manage chronic disease.

The confusion regarding how to apply the minimum necessary standard has continued since the standard originally was introduced in the HIPAA privacy rule. Concern about the scope of requests by another covered entity providing treatment to the same patient in light of the minimum necessary standard has been one of the primary issues. In addition, sharing health information with disease management providers working in conjunction with beneficiaries designated by a payor has posed a challenge as well. Guidance on “minimum necessary” with an understanding of how an integrated approach to health care benefits the patient should be welcome by covered entities and business associates.

No sale of protected health information

Except in the area of marketing, the HIPAA privacy rule does not prohibit a covered entity from being paid for protected health information as long as the disclosure is otherwise permitted. The Act now generally will prohibit a covered entity or business associate from directly or indirectly receiving remuneration in exchange for any protected health information without a valid authorization from the individual that includes a specification of whether the protected health information may be sold by the entity receiving the protected health information.

This prohibition does not apply if the purpose of the exchange is:

• Public health activities.
  
  
• Research, and the price charged reflects the costs of preparation and transmittal of the data for such purpose.
  
  
• Treatment of the individual, subject to any regulation that the Secretary may promulgate to prevent protected health information from inappropriate access, use or disclosure.
  
  
• The sale, transfer, merger or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity, and due diligence related to such activity.
  
  
• Remuneration that is provided by a covered entity to a business associate for activities involving the exchange of protected health information that the business associate undertakes on behalf of and at the specific request of the covered entity pursuant to a business associate agreement.
  
  
• To provide an individual with a copy of the individual's protected health information pursuant to a request by the individual.
  
  
• As otherwise determined by the Secretary through rulemaking to be similarly necessary and appropriate as the exceptions expressly provided for in the Act.

This prohibition applies to exchanges occurring six months or more after the Secretary promulgates final implementing regulations. Within 18 months after the date of enactment of the Act, the Secretary must promulgate regulations to carry out this restriction. In promulgating regulations, the Secretary must evaluate the impact of restricting the exception for research to require that the price charged for the exchange reflects the costs of the preparation and transmittal of the data for research or public health activities. The Secretary may further restrict the exception for public health activities to require that the price charged for the exchange reflects the costs of the preparation and transmittal of the data for such purpose, if the Secretary finds that such further restriction will not impede research or public health activities.

New enforcement approaches

Effective 24 months after enactment of the Act, violators of the Act are subject to the HIPAA criminal and civil provisions.

The Act requires the Secretary to impose a civil penalty for a violation due to willful neglect and to conduct a formal investigation of any complaint if a preliminary investigation indicates willful neglect. The Secretary is required to implement regulations implementing these provisions within 18 months of enactment of the Act. The Act does not prevent the Office for Civil Rights from continuing, in its discretion, to use corrective action without a penalty in cases where the person did not know (and by exercising reasonable diligence would not have known) of the violation involved.

There has been some debate about whether individuals who are not themselves covered entities can be convicted of criminal violations of HIPAA. The Act settles the debate by providing that, for purposes of the criminal provisions, a person (including an employee or other individual) will be considered to have obtained or disclosed individually identifiable health information in violation of HIPAA if the information is maintained by a covered entity, and the individual obtained or disclosed such information without authorization. Presumably, “authorization” means any proper authority, not necessarily a formal authorization from the individual.

Under the Act, any civil monetary penalty or monetary settlement collected with respect to a privacy or security-related HIPAA offense will be transferred to the Office for Civil Rights. The Office for Civil Rights will use these funds for enforcing the new provision of the Act and the HIPAA privacy and security rules.

Within 18 months after the date of the enactment of the Act, the Comptroller General is required to submit to the Secretary a report including recommendations for a methodology under which an individual who is harmed by an act that constitutes an offense under HIPAA or the Act may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to the offense. Not later than three years after the date of the enactment of the Act, the Secretary must issue regulations based on these recommendations providing a methodology for sharing civil monetary penalties or monetary settlements with individuals harmed by violations.

The Act requires the Secretary to provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of HIPAA and the Act comply with such requirements.

The Act permits the states' attorneys general to bring a civil action in federal court on behalf of the residents of their states who have been (or are threatened to be) adversely affected by a violation of HIPAA or the Act to enjoin further such violation or to obtain statutory damages on behalf of the residents of the state. These provisions apply to violations occurring after the date of the enactment of this Act.

The amount of the damages in such an action will be calculated in an equivalent manner as Tier A money penalties under the Act (see below). The court also may award the costs of the action and reasonable attorney fees to the state. The state must serve notice on the Secretary prior to initiating suit under this provision and the Secretary has the right to intervene in the action. In addition, the states may not bring an action if the Secretary has already instituted one.

New penalties

The Act amends HIPAA to increase penalties for violations of HIPAA and the Act. These increased penalties for HIPAA violations go into effect immediately. In determining the amount of a penalty, the Secretary must base the determination on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. Factors such as the violator's mental state (from knowing to willfully neglectful) and whether the violation has been corrected will come into play in determining the degree or “tier” of penalty applied. The Act defines the tiers of penalties as follows:

• Tier A (if the offender did not know, and by exercising reasonable diligence would not have known, that he or she violated the law): $100 for each violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  
  
• Tier B (if the violation was due to reasonable cause and not willful neglect): $1,000 for each violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000.
  
  
• Tier C (if the violation was due to willful neglect but was corrected): $10,000 for each violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  
  
• Tier D (if the violation was due to willful neglect and was not corrected): $50,000 for each violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

State law or federal law: the most restrictive continues to apply

Previously, HIPAA established a “floor” for privacy and security standards. This means that a covered entity also must comply with all applicable state laws that contained more restrictive provisions. The Act does not change state law preemption, and covered entities and business associates will continue to have to comply with federal privacy and security standards as well as more restrictive state law requirements, if doing business in the particular state.