Legal Updates

ARRA Legislation Expands Businesses' Obligations Under HIPAA

Included in the economic stimulus legislation that was recently enacted as the American Recovery and Reinvestment Act of 2009 (“ARRA”) are a number of provisions that broaden businesses’ privacy and security obligations under the Health Insurance Portability and Accountability Act (“HIPAA”).  Although these measures have not garnered the level of public attention given to many other provisions of ARRA, employers need to be aware of them, as these measures will almost certainly require employers to make important operational changes.

A number of the most significant HIPAA-related provisions included in ARRA are summarized below.

Expansion of “Business Associate” Requirements

Before the passage of ARRA, the HIPAA Privacy and Security Rules (the “HIPAA Rules”), which set forth numerous requirements relating to the handling of protected health information (“PHI”), applied only to “covered entities” such as health plans and health-care providers.  Covered entities were required to ensure that outside “business associates” (such as accounting, consulting and data-management firms) that received access to PHI in the course of performing services for covered entities agreed to take appropriate steps to protect such information, but the business associates themselves were not directly subject to the HIPAA Rules.

Now, under ARRA, business associates of covered entities will likewise be covered by the HIPAA Rules.  As a result, such businesses will be required to adopt privacy and security policies that are compliant with the statute.

Notably, while most of the amendments to HIPAA imposed by ARRA took effect immediately upon enactment of the legislation, the provisions extending coverage of the HIPAA Rules to business associates do not take effect until February 17, 2010.

Notifications of Security Breaches

Following the path of a number of states (including Massachusetts) that have recently enacted data-security laws, ARRA provides that HIPAA-covered entities must notify affected individuals in the event of any security breach with respect to unsecured PHI.  In general, “unsecured” PHI refers to information that is not encrypted or otherwise secured in such a manner that an unauthorized person could not read it.

Affected individuals must be notified of such a security breach “without unreasonable delay” and, in any event, within 60 days after discovery of the breach.  In addition, a covered entity is required to maintain a log of such breaches for annual submission to the U.S. Department of Health and Human Services (“HHS”).  If, however, a breach involves data concerning more than 500 individuals, the covered entity must notify HHS – as well as “prominent media outlets” in the area – at the time the breach is discovered.

Pursuant to a directive set forth in ARRA, HHS is expected to issue regulations later this year implementing and clarifying these notification requirements.

Individual Rights

ARRA also contains provisions expanding individuals’ rights with respect to PHI.  In particular, where an individual has fully paid a health-care provider for services on an out-of-pocket basis, the individual is entitled to require that the health-care provider not share PHI concerning the individual with his or her health plan.  Previously, while an individual was permitted to make such a request, a health-care provider was not obligated to comply with it.

The new legislation also specifies that individuals may ask to have access to their PHI in electronic form and may direct that it be sent to another person or entity.  Further, ARRA provides that a HIPAA-covered entity or business associate may not sell PHI without the specific consent of the person to whom it relates.


Up to now, HHS has taken little action to enforce the civil-penalties provisions of HIPAA, instead focusing its efforts on achieving voluntary compliance with the statute.  Under ARRA, however, HHS may begin pursuing such sanctions more aggressively.  In particular, the statute provides that beginning two years following enactment of ARRA (i.e., February 17, 2011), HHS will be required to assess a civil penalty if a business is found to have willfully neglected its HIPAA obligations.  Moreover, if a preliminary investigation gives HHS reason to believe that a violation may have occurred due to willful neglect, HHS will be obligated to conduct a formal investigation of the matter.

Additionally, ARRA specifically authorizes individual state attorneys general to bring civil actions in federal court to enforce the requirements of HIPAA.

Implications for Businesses

As a result of the amendments to HIPAA enacted through ARRA, covered entities will need to revise their HIPAA privacy and security policies and related documents to comply with the new provisions.  In addition, covered entities will need to amend their business-associate agreements to take account of the fact that business associates will now be directly subject to the HIPAA Rules.

Similarly, business associates of covered entities will need to determine whether they are required to adopt new policies and related documents in light of these amendments to HIPAA.

Finally, both covered entities and business associates are advised to train all employees whose job duties involve contact with PHI as to the new requirements imposed by ARRA.

The Firm is available to assist employers in determining and complying with their obligations under HIPAA and the amendments made to it by ARRA.  Please do not hesitate to contact us with any questions.