[Note: The text of this portion of the compliance guidance was provided by Jennifer Gimler Brady, Esquire of the law firm of Potter Anderson & Corroon, LLP.]
In February of 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act enhances enforcement of HIPAA’s privacy and security requirements, and creates new obligations for breach notification, information sharing, and business associate relationships. Most significant, however, are the drastic changes to the HIPAA enforcement structure, including increased sanctions for violations and explicit authority for state attorneys general to pursue private claims on behalf of individuals. Covered entities, including long-term care facilities, need to take steps now to ensure compliance with the new requirements and minimize liability exposure.
New notification requirements greatly increase a covered entity’s obligation to contact individuals affected by an information breach. Prior to the HITECH Act, covered entities were required only to report information breaches that carried a risk of causing actual harm to the individual whose information was disclosed. Under the newly amended HIPAA rules, any breach of unsecured protected health information must be reported to the individual whose health information has been, or is reasonably believed to have been, accessed, acquired or disclosed. Notification must be made within 60 days of the discovery of the breach. Notice of the breach must include as much of the following information as possible: a brief description of what happened, including the dates of the breach and discovery; a brief description of the types of information involved; steps that the individual should take to protect against improper use of the disclosed information; a brief description of the actions taken by the covered entity in response to the breach; and contact procedures for the individual to request more information. Compliance with the new notification requirements will require a careful assessment and revision of covered entities’ breach notification policies to ensure they are adequate under the updated rules.
An updated notification policy should incorporate the methods of notice required under the new HIPAA rules. Notice to individuals is required to be provided by first class mail to the last known address of the individual, unless that individual has specified that they prefer to be contacted through electronic mail. If this information is out of date or unavailable, the covered entity must use a substitute form of notice. Where contact information is unavailable for ten or more individuals, this substitute form of notice must include either a posting on the home page of the covered entity’s website or a notice in major print or broadcast media, including a toll-free number where individuals can learn whether their information has been breached. Required notification is not limited to individuals. All information breaches must be documented in a log and submitted annually to the Secretary of Health and Human Services. In instances where a breach potentially implicates the protected information of 500 or more individuals, the Secretary must be notified immediately. If 500 or more individuals from the same state or jurisdiction are implicated in a breach, covered entities also must provide notice to major media outlets serving that state or jurisdiction. Covered entities should include these contingencies in their notification policies.
These notification requirements apply only to unsecured protected health information. Secured health information – information that is encrypted so that it is unusable, unreadable, or indecipherable to unauthorized individuals – is not subject to these expanded notification requirements and remains subject to the pre-existing HIPAA rules. The encryption software or technology used to secure the health information must be developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute. Because of the drastic difference in notification requirements between unsecured and secured protected health information, covered entities should consider switching to an encrypted electronic storage system, if they have not already done so. Long-term care facilities may want to adopt a long-term strategy for moving to an encrypted electronic format for their data storage, if making such a change immediately is not currently practicable.
The Secretary of Health and Human Services issued interim final regulations for this section on August 19, 2009. These regulations take effect 30 days after publication in the Federal Register and include a 60-day public comment period.
The revised HIPAA rules carry new obligations for business associates and alter their relationships with covered entities. Under pre-existing HIPAA rules, covered entities often extended some HIPAA obligations to their business associates through explicit provisions in their contracts. Now, under the amended rules, all privacy requirements that apply to covered entities also apply -- by law -- to any business associates that obtain or create protected health information pursuant to a written contract or agreement. Furthermore, these requirements must be incorporated into all business associate contracts between associates and covered entities. Business associates who violate these provisions will be subject to stiff civil and criminal penalties under the Social Security Act. These provisions go into effect one year after the date of enactment, or on February 17, 2010. Business associates also have a separate obligation to notify the corresponding covered entity of information breaches within 60 days of discovering the breach, effectively requiring business associates to assist the covered entity in the notification process. Long-term care facilities and other covered entities should immediately begin to develop a strategy for updating their business associate contracts to reflect these new obligations, especially given the challenges many entities encountered in implementing the original business associate requirements.
Restrictions on Data Use
The amended HIPAA rules provide a host of new restrictions on how a covered entity may use, share, or disclose data. In order to ensure compliance when the HITECH provisions on data sharing take effect in 2010, covered entities need to be aware of the following new rules:
- If an individual pays out of pocket for a health care item or service, that individual has the right to request that the covered entity not disclose any information relating to that item or service to any health plan.
- To the extent practicable, any disclosure of protected health information should be provided as a limited data set, i.e., with minimal identifying information; when this is not possible, the data disclosed should be limited to the minimum necessary to accomplish the intended purpose.
- If a covered entity keeps electronic health records, it must keep track of every disclosure of those health records; individuals shall have the right to request an accounting of all such disclosures up to three years prior to the date of request.
- Authorization is required for any use of information for which the covered entity receives direct or indirect payment, such as for marketing purposes.
Potential liability under the revised HIPAA rules has been increased substantially. The new four-tiered liability system strongly suggests more aggressive and severe enforcement of HIPAA rules than in the past. The penalties range from $100-$50,000 for an inadvertent violation up to a $50,000 minimum for each case of willful neglect that goes uncorrected, with an annual cap per entity of $1.5 million. Also, state attorneys general will now have the ability to bring civil actions on behalf of residents of their respective states who have been adversely affected by any HIPAA violation, and may seek injunctive relief and damages of $100 per violation, up to $25,000 annually for violations of an identical requirement or prohibition, plus attorney fees. These liability changes are now in effect. This threat of increased liability underscores the importance of promptly taking all steps necessary to ensure compliance with HIPAA and the new provisions of the HITECH Act.