HIPAA Compliance Complications Multiplied By The Economic Stimulus Law (ARRA)

Contained within the American Recovery and Reinvestment Act (ARRA) are provisions that modify the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.  The changes are significant to all covered entities, but are most challenging for business associates, who now face a host of new requirements.  In a recent AHI web conference, attorney John Barlament of Michael Best & Friedrich LLP (Milwaukee, WI) examined how ARRA has altered HIPAA’s Security and Privacy Rules.

Security Rules Now Apply Directly To Business Associates

Prior to ARRA, HIPAA’s Security Rules only directly applied to covered entities.  The term “covered entities,” said Barlament, is “fairly narrowly defined.”  Since business associates did not fall under that definition, they were only indirectly required to follow the Security Rule through business associate agreements with covered entities.

“ARRA now directly applies most HIPAA Security Rules, and some Privacy Rules, directly to business associates,” Barlament stated, adding, “This is a very significant change.  There will definitely be an increase in the number of entities covered by these rules.”    


The Security Rules that now apply directly to business associates are those pertaining to:

  1. Administrative safeguards (45 CFR Section 164.308).  Basically, said Barlament, this boils down to conducting a risk analysis.  The question you need to ask, he said, is: What electronic protected health information (ePHI) vulnerabilities do we have? 

  2. Physical safeguards (45 CFR Section 164.310).  Here the question that needs to be asked, said Barlament, is: How do we keep ePHI secure?  

  3. Technical safeguards (45 CFR Section 164.312).  Here you want to ask the same question that you do for physical safeguards, but you want to answer it in terms of technology, such as encrypting e-mail.

  4. Policies, procedures, and documentation (45 CFR Section 164.316).  “This is basically the old Army slogan — if it wasn’t documented, it wasn’t done,” commented Barlament.  “That’s definitely what HIPAA security is all about.  You need to have paper proof that you walked through each of the implementation specifications, you documented them, and you can show compliance with them.”

Failure to adhere to these Security Rules will, for the first time, subject a business associate to civil and criminal penalties for violations.

Privacy Rules Apply Directly To Business Associates, Too

The application of HIPAA’s Privacy Rules to business associates is not as clear cut as the application of the Security Rules.  Said Barlament: “Most of the Security Rules are incorporated and now apply to business associates.  They didn’t do Privacy Rules in exactly the same manner.”  Questions, therefore, abound.


He clarified, however, that if a business associate receives protected health information (PHI) pursuant to a business associate agreement, it can use and disclose the PHI only if the use or disclosure complies with each applicable requirement of 45 CFR Section 164.504(e).  Section 164.504(e) discusses typical business associate contract provisions and includes references to many other sections of HIPAA (e.g., Section 164.524 for making PHI available; Section 164.526 for amending PHI).


“The question then, I think, is when they incorporated 504(e), did they implicitly incorporate it and, thus, make business associates comply directly with each of the subsection 504(e) references, or instead were they simply talking about requiring business associates to have a written business associate agreement?  At this point, it’s a bit unclear,” said Barlament.


In spite of this lack of clarity, Barlament encouraged business associates to identify who their covered clients are and to have business associate agreements in place.  His message to business associates: “It wasn’t your problem, it wasn’t your fault.  Now, it would be your problem, it would be your fault.”


Important: ARRA goes beyond imposing privacy and security standards on covered entities and business associates.  The new rules also cover any “vendor” of “personal health records.”  Congress has instructed the Federal Trade Commission and the Secretary of the HHS to study the privacy and security requirements for so-called non-covered HIPAA entities. 


Barlament stressed that the new privacy provisions of ARRA, such as the breach notification rules, also apply to business associates and must be included in business associate agreements.  “If you are a covered entity, you probably have a bunch of business associate agreements out there that you haven’t modified in several years.  Now, you are going to have to go back and modify all of those agreements.”


New Breach Notification Rules

Pre-ARRA, covered entities and business associates were not required to take significant action following a breach of the privacy or security of PHI.  Now, Barlament pointed out, if a covered entity or business associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses “unsecured PHI” and there is a “breach” of such information and the breach is “discovered” by the covered entity, the notification rules apply.


Unsecured PHI is defined to mean that the information was not secured or encrypted by a reliable method that would make the information unreadable.


A breach is generally defined as an unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of PHI, except where the unauthorized person would not reasonably have been able to “retain” the PHI.


Discovered is broadly defined as the first day on which a breach is known, or should reasonably have been known, by a covered entity or business associate, including any person, other than the individual committing the breach, that is an employee, officer, or other agent of a covered entity or business associate.


“Many of the terms are defined, but many are not and will require additional definition from the HHS,” noted Barlament.  For example, Barlament posed the question: In the definition of a breach, does “retain” refer to physically retaining the information, or just mentally retaining it?  That’s something the HHS will have to answer.


Timing of notice.  Notification of a breach must occur without unreasonable delay and in all cases no later than 60 calendar days after the discovery of the breach.  Notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach.  “You need to be careful because ‘discovery’ is fairly broadly defined,” warned Barlament. 


Method of notice.  Generally, according to Barlament, written notice by first class mail to the individual (or, if deceased, next of kin) is an acceptable method of notice.  E-mail can be an acceptable method of delivery if specified as a preference by the individual. 


If insufficient or out-of-date contact information precludes direct notice of 10 or more affected individuals, the covered entity may be required to post notice of the breach on its website or in a major print or broadcast medium, which must include a toll-free phone number so individuals can learn if unsecured PHI is possibly included in the breach.  “This can certainly be a burden, since a lot of health plans don’t have toll-free numbers.”


Content of notice.  Regardless of the method by which notice is provided to individuals, the notice itself should, to the extent possible, include the following:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

  • A description of the types of unsecured PHI that were involved in the breach (e.g., full name, Social Security number, date of birth, home address, account number, or disability code).

  • The steps individuals should take to protect themselves from potential harm resulting from the breach.

  • A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.

  • Contact procedures for individuals to ask questions or learn additional information.

Important: Be advised that for all breaches, the HHS must be notified.  If the breach affects at least 500 individuals in a particular area, the HHS must be immediately notified and a prominent media outlet must also be notified.  If the breach affects fewer than 500 individuals, the covered entity can maintain a log of any such breaches and annually submit the log to the HHS.


HHS Breach Notification Guidance

On April 17, HHS issued guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, as required by ARRA.  This guidance relates to two forthcoming breach notification regulations — one to be issued by the HHS for covered entities and their business associates under HIPAA and one to be issued by the Federal Trade Commission for vendors of personal health records and other non-HIPAA covered entities.


While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and, thus, result in covered entities and business associates not being required to provide notification of a breach if one or more of the identified methods is used. 


The HHS has identified two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals.

  1. Encryption.  Encrypt electronic PHI as specified in the HIPAA Security Rule by using “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” and ensuring that such confidential process or key that might enable decryption has not been breached.

  2. Destruction.  Destroy the media on which PHI is stored or recorded by:

  • Shredding or destroying paper, film, or other hard copy media such that the PHI cannot be read or otherwise cannot be reconstructed.

  • Clearing, purging, or destroying electronic media consistent with National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

The HHS is seeking public comment on the guidance as well as ARRA’s breach notification provision.  Comments can be submitted electronically at: http://www.regulations.gov, or mailed to: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HITECH Breach Notification, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, S.W., Washington, D.C. 20201.  Comments must be submitted on or before May 21, 2009.


The guidance will apply to breaches 30 days after publication of the forthcoming interim final regulations.  If it’s determined that the guidance should be modified based on public comments, updated guidance will be issued prior to or concurrently with the regulations.


New Disclosure Rules 

Barlament explained that, prior to ARRA, if an employee told a covered entity not to disclose information to, say, a hospital because the employee didn’t like the hospital, the covered entity only had to listen to the request (which is commonly referred to as a restriction request), but it didn’t have to act on the request.  Now, a covered entity must comply with a restriction request if:

  1. the disclosure is to a health plan for purposes of carrying out payment or health care operations (but not treatment); and

  2. the PHI pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full. 

ARRA also creates new disclosure accounting rules for “electronic health records” (EHRs).  Said Barlament: “This is a brand new term and is defined by statutes to mean an electronic health record that was created by a health care provider or staff.  It doesn’t seem to include an electronic health record created by a health plan.”  The question then becomes, he said, if a record is created by a health care provider and transferred to a plan, does it still retain its status as an electronic health record?  “If it does, then the disclosure accounting rules are going to be onerous.”


With the new term EHR comes new disclosure accounting requirements.  If the disclosure of an EHR is for treatment, payment, or health care operations, the covered entity must maintain an accounting of such a disclosure. 


Not only that, but if a covered entity uses or maintains an EHR with respect to PHI:

  • an individual has the right to receive an accounting of disclosures made by the covered entity during the prior three years;

  • an individual has the right to obtain a copy of such information in an electronic format, and if the individual chooses, to direct the covered entity to transmit the copy directly to a person or entity designated by the individual, provided that the choice is clear, conspicuous, and specific; and

  • a covered entity may impose a fee for providing an electronic copy of such information, so long as the fee is not greater than the entity’s labor costs for responding to the request.

Important: Under ARRA, covered entities and business associates are prohibited from directly or indirectly selling PHI, unless they first obtain a valid authorization from the individual whose information is being disclosed.


There is a delayed effective date for the provisions regarding EHRs, such that they will apply sometime between January 1, 2011, and January 1, 2014.


Increased Penalties And Enforcement

Pre-ARRA, the amount of a civil monetary penalty was generally $100 for each violation.  This $100 amount (capped at $25,000 for multiple violations) increases to $1,000 per violation for a violation due to “reasonable cause and not to willful neglect” (with a maximum penalty of $100,000); $10,000 for each violation that was due to willful neglect and is corrected (subject to a $250,000 maximum penalty); and $50,000 for each violation if the violation is not corrected properly (subject to a maximum penalty of $1,500,000 during a calendar year).


Important: Aside from the increased penalties, which were effective immediately following the enactment of ARRA, most of the changes made to HIPAA by ARRA have varying effective dates.  Be sure to consult with legal counsel.


“I think all covered entities should be very concerned about the increased penalties and should take a look at their policies and procedures,” he suggested.  “They should conduct a refresher training course to get people up to speed on what the new rules are and remind them of the old rules.”


In addition, state attorneys general can now bring a HIPAA enforcement action against a covered entity or business associate that violates the rules.  Further, the state attorney general can obtain attorneys’ fees under such an action (although the attorneys’ fees are discretionary and not mandatory).  Plus, HHS is now required to conduct “periodic audits” to ensure that both business associates and covered entities are compliant with the new rules. 


ARRA requires the HHS to establish a regulation, within the next three years, providing that individuals affected by a HIPAA violation will be able to receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.  Pre-ARRA, it was difficult, if not impossible, for individuals to receive such amounts.  “Going forward, all people who are adversely affected by a violation are likely to recover a monetary settlement,” predicted Barlament.