A Practical HIPAA Compliance “To Do” List: Covered Entities And Business Associates Have New Affirmative HIPAA Obligations Under President Obama’s Stimulus Package!

Health Law Update
Sarah E. Coyne, Kerry L. Moskol

Are you a HIPAA-covered entity that has been resting comfortably in the knowledge that you are HIPAA-compliant? Are you a business associate relaxing in the knowledge that you are not directly within the grasp of the (increasing) governmental scrutiny of HIPAA compliance? Well, get off the proverbial couch and dust off your HIPAA compliance policies and systems (or, if you are a business associate, start developing them!). Covered entities and business associates have new affirmative obligations under the laws we lovingly nickname the "stimulus package."

To orient ourselves, as is the case with most health care laws, we need to sort out some alphabet soup. (If you master all of these acronyms, you will be a hit at your next cocktail party.) On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 ("ARRA"), which contained provisions comprising the Health Information Technology for Economic and Clinical Health Act ("HITECH"). HITECH makes sweeping changes to the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). HITECH also imposes a schedule for additional regulation from the Secretary of the Department of Health and Human Services ("DHHS"), a position that itself has been newsworthy in this time of presidential transition.

While HITECH and ARRA have many provisions that could generate a very long action list, we have focused on the most essential HIPAA-related tasks in this alert.

So here is your HIPAA "to do" list as it now stands after HITECH, although the details will be fleshed out in subsequent regulation (and hopefully complete with catchy and party-worthy acronyms):

1. Develop a Security Breach Notification Process

Covered entities and business associates now have affirmative breach notification obligations. In addition to the "Red Flags" rules, which apply broadly to most health care entities and their business partners, many states have a security breach notification requirement for theft of various types of personal data. Some state laws create an exception for HIPAA-covered entities, and until now HIPAA has not explicitly required breach notification. Now, HITECH will explicitly require both covered entities and business associates to develop a notification process for breaches of unsecured protected health information ("PHI"). A breach requiring notification occurs not only when unsecured PHI is improperly disclosed but also when it is improperly acquired, accessed or used internally, such as employees (or other workforce members) snooping around in medical records. Upon learning of a breach, business associates must notify covered entities, and covered entities must notify both patients and the DHHS.

The notification obligation kicks in for breaches of "unsecured" PHI. The meaning of "unsecured" PHI will be defined by DHHS by April 18, 2009 . . . or not. Cognizant of the fact that DHHS has, on prior occasions, not met congressional HIPAA deadlines, HITECH provides a default definition of "unsecured" in the event the DHHS Secretary does not issue guidance by the promised date. In that case, "unsecured" PHI will mean PHI that is not secured by a properly accredited "technology standard." A technology standard passes regulatory muster (and thus avoids notice requirements) if (1) the standard renders the PHI unusable, unreadable or indecipherable to unauthorized individuals and (2) the standard is developed or endorsed by a standards developing organization accredited by the American National Standards Institute.

The security breach notice content is specified by law. When notifying an individual regarding an unauthorized access, acquisition or disclosure, the notice shall include:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
  • A description of the types of unsecured PHI involved (e.g., full name, social security number, birthdate, home address, medical record number, disability code).
  • The steps individual patients should take to protect themselves from potential harm resulting from the breach.
  • A brief description of what the covered entity is doing to investigate the breach, to mitigate losses and to protect against further breaches.
  • Specified contact information for patients to follow up with questions, including a toll-free telephone number, an email address, a Web site or a postal address.

When the breach involves fewer than 500 individuals, notice must be provided as follows:

  • The covered entity must provide written notification by first-class mail or, if preferred by the individual, electronic mail to the last known address of the individual (or the next of kin if the individual is deceased). If there are ten (10) or more individuals with out-of-date information, the covered entity must conspicuously post the notice on its Web site or disseminate it via print or broadcast media.

  • The covered entity must notify the Secretary of the Department of Health and Human Services at the time of the breach, or the covered entity may maintain a log of the security breaches and submit the log to the Secretary on an annual basis.

HITECH imposes heightened notification requirements for breaches affecting more than 500 patients:

  • Notice shall be provided to prominent media outlets. If the disclosure involves more than 500 residents of a state or jurisdiction, notice must be provided to prominent media outlets serving the state or jurisdiction.

  • Notice shall be provided immediately to the Secretary. If the disclosure involves more than 500 individuals, notice must be provided immediately to the Secretary of the DHHS. The Secretary shall then make available to the public, on the Web site of the DHHS, a list that identifies the covered entities involved in the breach.

Timeliness of notification: ASAP but no longer than 60 days. The breach is treated as "discovered" on the first day it is known (or should have been known) to the entity (including any person, other than the person committing the breach, that is an employee, officer or other agent of the entity). Notifications should be made without unreasonable delay and in no case later than 60 days after the discovery of the breach. The one exception is where law enforcement believes that notice would impede a criminal investigation or cause damage to national security.

Personal health record vendors also have notification obligations. Under HITECH, vendors of personal health records (i.e., medical records allowing patient input and management) must notify patients when the vendor discovers a breach of unsecured personal health record data. This notification requirement will be regulated by the Federal Trade Commission rather than DHHS. The FTC will theoretically develop additional guidance by August 17, 2009.

Effective date: These notification laws will apply to security breaches discovered 30 days after DHHS (or, in the case of personal health records, the FTC) promulgates interim final regulations on the subject. Those interim final regulations will be promulgated by August 17, 2009.

2. Reevaluate Which Relationships Require Business Associate Agreements

As anyone who has made it to this point in this client update already knows, a business associate is a person or organization who performs functions on behalf of a covered entity or provides a particular set of services to a covered entity where there is an exchange of PHI. HITECH explicitly requires a business associate agreement for entities that provide data transmission services (involving PHI) to a covered entity or that entity's business associates, where the service provider requires access to the PHI on a routine basis. Thus, organizations holding an electronic health record for a covered entity, or constituting an exchange gateway between covered entities or business associates, or providing an e-prescribing gateway, are all explicitly business associates. This may not be a significant change, as most covered entities would have anticipated such organizations would constitute business associates.

Effective date: February 17, 2010.

3. Re-Evaluate and Revise Your Business Associate Agreements to Explicitly Encompass the New HITECH Requirements and, if you are a Business Associate, Develop a Compliance Plan!

HITECH fundamentally changes HIPAA and its impact on the health care industry by extending the government's regulatory reach directly to business associates. Until now, business associates were bound only by contractual terms. Now, business associates must affirmatively comply with various portions of the privacy and security rules, and business associate agreements must reflect these new requirements. Business associates must also ensure that they have a formal compliance program in place, in accordance with the requirements of the new law.

Many security rule provisions now apply directly to business associates. Under HITECH, business associates have affirmative obligations, including that they must:

  • Implement administrative, physical and technical safeguards in accordance with the requirements of the Security Rule - in the same manner that such requirements apply to covered entities.

  • Implement policies and procedures to comply with the standards, implementation specifications or other requirements of the HIPAA Security Rule and maintain proper documentation.

Effective date: February 17, 2010.

The privacy rule provisions now apply directly to business associates. Under HITECH, business associates must comply with the privacy rule requirements and ensure that covered entities address material violations of the business associate arrangement.

Effective date: February 17, 2010.

4. Re-Evaluate your Policy on Restrictions on Disclosures of PHI at the Patient's Request.

Patients may now restrict non-treatment disclosures to a health plan if they have paid for the service themselves. Currently, HIPAA recognizes a patient's right to request covered entities to restrict the use or disclosure of that patient's PHI for treatment, payment or health care operations or certain other purposes. However, HIPAA has never required covered entities to agree to the request. Under HITECH, however, a covered entity must comply with a patient's request to restrict the disclosure of PHI (for payment or health care operations) to a health plan when the patient paid for the service or item in question out of pocket. In all other situations, the patient cannot force the covered entity to restrict the use or disclosure of PHI. For example, the patient has no such power with regard to disclosures for the purpose of treatment.

Effective date: February 17, 2010.

5. Re-Evaluate your Policy on the Minimum Necessary Standard

The general "minimum necessary" rule under HIPAA is that, if covered entities are using or disclosing PHI for any purpose other than treatment, the covered entity may request, use or disclose only the minimum necessary information to accomplish the purpose intended. That concept did not have much "shape" under HIPAA, and covered entities have had a fair amount of discretion in how to make the determination. Under HITECH, that analysis tightens up. Disclosures, uses and requests must be limited to a "limited data set," "to the extent practicable." A limited data set is a subset of information that has been largely (although not necessarily completely) de-identified. Limited data sets will not be a practical measure of the minimum necessary for many requests, uses or disclosures. However, HITECH requires incorporating this extra step into the process. In short, covered entities now have limited discretion with regard to how much PHI is too much PHI. As with so many other aspects of ARRA and HITECH, the DHHS Secretary will issue guidance on this issue, theoretically no later than August 17, 2010.

6. Re-Evaluate your Policy on Accounting for Disclosures of PHI if you Have (Or Intend to Have) an Electronic Health Record

Currently, covered entities are not required to render an accounting of uses and disclosures made for treatment, payment or health care operations purposes. Under the new accounting standards, however, if a covered entity uses or maintains an electronic health record, an individual will have the right to receive an accounting of any disclosures of PHI (including those for treatment, payment or health care operations) made during the three years prior to the date of the request. The covered entity may charge the individual a reasonable fee (an amount not greater than the labor cost of responding to the request).

Effective date: This requirement will be effective as of January 1, 2014 for covered entities that have acquired an electronic health record as of January 1, 2009. For covered entities that acquire an electronic health record after January 1, 2009, the requirement will be effective on the later of January 1, 2011 or the date the electronic health record is acquired.

7. Re-Evaluate your Policy on Marketing Using PHI

Communications for the purpose of "marketing" require an authorization under HIPAA. HITECH reinforces that a communication by a covered entity or business associate that is about a product or service and encourages the recipients of the communication to purchase or use the product or service does not fall under the definition of health care operations (and will be considered marketing and therefore require authorization) unless the communication pertains to (1) a health-related product or service, (2) treatment of the individual or (3) case management or care coordination. Moreover, even if the communication fits within one of these exceptions, in most circumstances (but not all) the communication will fall outside of the definition of health care operations if the communication is made in exchange for direct or indirect payment.

HITECH further clarifies that, even if payment is involved, the communication may not be "marketing" where:

  • Such communications describe only a health care item or service that has previously been prescribed for, or administered to, the recipient of the communication or a family member of such recipient.
  • The communication is made by the covered entity, and the covered entity making such communication obtains a valid waiver from the recipient of the communication.
  • The communication is made on behalf of the covered entity; the communication is consistent with the written contract between such business associates and the covered entity; and the business associates making such communication, or the covered entity on behalf of which the communication is made, obtains a valid waiver from the recipient of the communication.

Effective date: February 17, 2010.

8. Evaluate your Business Operations to Determine That you are Not Selling PHI or Electronic PHI

No selling PHI or EPHI. While the HIPAA statute has penalties for criminal fraudulent sale of PHI, HIPAA has not explicitly prohibited all sales of PHI or electronic PHI. HITECH prohibits a covered entity and business associate from selling PHI unless they receive a valid authorization and a statement from the subject of the PHI, stating whether the PHI can be further exchanged or sold by the entity that receives it. The prohibition does not apply if the purpose of the exchange is for:

  • Research or public health activities.
  • Treatment of the individual.
  • Health care operations related to the sale, merger or consolidation of a covered entity.
  • Payment by a covered entity to a business associate for activities covered by the business associate agreement.
  • Providing the individual with a copy of his/her PHI.
  • Other reasons determined necessary and appropriate by the Secretary.

The Secretary is required to promulgate regulations no later than August 17, 2010. The effective date will apply to exchanges occurring on or after the date that is six (6) months after the date of the promulgation of final regulations.

9. Understand the Ramped-Up Enforcement Program

DHHS audits. HIPAA has been a complaint-driven law. In recent times, there have been some audits by various regulators, but the vast bulk of enforcement has consisted of attempts to reach compliance through collaboration with the covered entity in order to resolve a complaint. Under the heading "Improved Enforcement," HITECH requires the Secretary to periodically audit covered entities and business associates for compliance with HIPAA. It is a matter of opinion or perspective whether such proactive enforcement is an "improvement."

Penalties are increased and liability is extended to business associates. HIPAA currently provides for civil monetary penalties ("CMP"); however, under the new law, HIPAA violations will be subject to broader and more severe penalties. One of the most significant changes is that both civil and criminal liability for HIPAA violations are extended to business associates.

There are a number of additional penalty-related provisions. Among other things, HITECH accomplishes all of the following with regard to penalties:

  • Clarifies that employees and other individuals affiliated with the covered entity are subject to criminal penalties.
  • Requires the Secretary to formally investigate any complaints and impose civil penalties for HIPAA violations that are due to willful neglect.
  • Requires that any civil monetary penalty (or settlement amount) collected will benefit the Office for Civil Rights in HIPAA enforcement efforts.
  • Requires the DHHS Secretary to establish a methodology to distribute a percentage of the civil monetary penalties collected to the patients who were harmed by the violation.
  • Establishes a tiered system of penalties ranging from $100 (per violation) for unknowing violations to $50,000 (per violation) for violations due to willful neglect.
  • Authorizes state attorneys general to bring civil actions in federal district courts against individuals who violate HIPAA.

* * *

There are other aspects of ARRA not detailed here, such as the grant money available for "meaningful use" of electronic health records and the rejuvenation of the Office of the National Coordinator For Health Information Technology (ONCHIT). For more details on these or any health care topic, or if you have any questions, please contact Sarah Coyne at 608-283-2435 /, Kerry Moskol at 608-283-2609 / or your Quarles and Brady LLP attorney.