2009 Economic Stimulus Act: HIPAA Privacy and Security Requirements
March 18, 2009
On February 17, 2009, President Obama signed into law the “American Recovery and Reinvestment Act of 2009.” Among other things, this new legislation amends the Health Insurance Portability and Accountability Act (HIPAA) by imposing new and more stringent requirements that broaden and enhance the impact of the HIPAA security and privacy rules on health care providers, business associates, and other entities that provide services in connection with the covered entities. Generally, the effective date of the Act is February 17, 2010, but some provisions have a different effective date which is still unknown (i.e., 30 days after further regulatory action is taken by the Secretary of Health and Human Services). The most noteworthy amendments include the following:
- Improved Enforcement – The enforcement of the HIPAA rules has been strengthened on several fronts. The Act grants state Attorneys General the authority to bring civil actions on behalf of individuals affected by violations, both to stop such violations and to obtain statutory damages. Also, the civil penalty provisions are now tiered by type of violation, with a dollar amount applicable to each tier. Finally, the Secretary of Health and Human Services will have the authority to bring criminal actions along with the Department of Justice.
- Business Associates – The Act applies HIPAA standards and rules directly to business associates, who are now also required to report breaches of a privacy or security nature. Also, it broadens the definition of business associates to include organizations providing data transmission of protected health information to covered entities and organizations that access protected health information (PHI) on a routine basis (e.g., health information exchange organizations, personal health record vendors, E-Prescribing Gateways, etc.). The direct application of HIPAA requirements to business associates makes them subject to civil and criminal penalties for violation of the rules.
- Personal Health Record Vendors – The Act provides that in the event of any breach of the privacy or security of “unsecured” personal health records, the vendor maintaining such personal health records (including businesses operating through the Web site of a personal health record vendor) must notify the Federal Trade Commission and any affected individual of the occurrence of the breach.
- All Covered Entities – The Act increases the requirements for covered entities by expanding an individual’s right to receive an account of disclosures, as discussed below in Section V. Additionally, covered entities are affected by the following changes introduced by the Act:
  - Marketing and Fundraising Communications. The Act further restricts the use of PHI for marketing purposes. The Act clarifies which types of communications are not health care operations and therefore require authorization from individuals. Additionally, communications for purposes of fundraising must provide, in a “conspicuous and clear” manner, an opportunity for the recipient to elect not to receive any further fundraising-related communications.
  - Limited Data Sets. The Act encourages covered entities to constrain themselves to handling PHI in a limited data set format whenever possible.
  - Sale of Protected Health Information. The Act prohibits the exchange of any PHI for remuneration without the authorization of the individuals affected. However, the Act includes certain exceptions to this prohibition, for example where the exchange is linked to public health activities; where it is part of the sale, transfer, merger or consolidation of the covered entity with another covered entity; or where it is for research purposes and the amount charged is related to the cost of preparing and transmitting the data for that purpose.
  - Penalties. The Act increases the civil penalties applicable under HIPAA and the Act.
- Individuals – The protection of an individual’s health information is strengthened by new individual rights introduced by the Act. Individuals are given a more active role in ensuring the privacy and security of their PHI.
  - Breach Notices. Covered entities and business associates must notify individuals affected by a security breach. Generally, individuals must be notified via first class mail (or by telephone in urgent situations). In addition, where lack of contact information precludes direct contact, other postings or media notices may be required.
  - Expanded Accounting & Disclosure. The Act now provides that if a covered entity maintains an electronic health record, individuals may request an accounting of disclosures for treatment, payment and health care operations (which previously did not have to be accounted for). The report must include disclosures of electronic health records for those purposes that were made during the 3-year period ending on the request date. Additional guidance on the requirements of the accounting is expected. Two different effective dates apply to this provision: for electronic health records that existed as of January 1, 2009, the effective date is January 1, 2014, and for electronic health records acquired after January 1, 2009, the effective date is January 1, 2011.
  - Access to Electronic PHI. Individuals are entitled to obtain their PHI in electronic format and to request that the covered entity transmit a copy of the electronic record to an entity or person of their choosing.
- Andrew A. Malahowski
- Michael I. Richardson
- Veronica A. Silva