South Carolina Lawyer
SC Lawyer, July 2009, #2.
The American Reinvestment and Recovery Act of 2009 and the Resulting Effects on the Law of the Workplace
By Daniel T. Sulton & Lucas J. Asper

President Barack Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA) into law on February 17, 2009. Pub. L. No. 111-5, 123 Stat. 115. The ARRA enacted considerable changes to multiple areas of employment and benefits law. This article will discuss several of these changes, including the following: (1) the creation of new HIPAA requirements and penalties; (2) the addition of new and expanded provisions regarding COBRA benefits; (3) the creation of additional whistleblower protections; and (4) the subsidization of and revisions to state unemployment compensation programs. This article will also briefly touch on several miscellaneous provisions that have had and will continue to have an impact on workplace laws. While this article is in no way a comprehensive analysis of all issues raised by the ARRA, it does address some of the more noteworthy portions of the Act of which practitioners should be aware.
HIPAA requirements and penalties
The ARRA includes substantial changes to the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See id. §§ 13400-13411, 123 Stat. at 258-76 (to be codified at 42 U.S.C. §§ 17921-17940). First, and perhaps most significantly, the ARRA makes existing HIPAA privacy and security rules applicable to the business associates of covered entities. Id. § 13401, 123 Stat. at 260 (to be codified at 42 U.S.C. § 17931). A HIPAA "business associate" is any person or entity who, on behalf of a covered entity, performs or helps perform a function or activity involving the use or disclosure of protected health information. 45 C.F.R. § 160.103. Currently, business associates are not directly subject to HIPAA but may be indirectly regulated by HIPAA through the business associate agreements they enter into with covered entities. However, effective 12 months after the enactment of the ARRA, the privacy and security rules under HIPAA, as well as its civil and criminal penalties, will apply to business associates in the same way they apply to covered entities. See ARRA, §§ 13400-13411, 123 Stat. at 258-76 (to be codified at 42 U.S.C. §§ 17921-17940).
In the event there is a breach of unsecured protected health information (PHI), the ARRA imposes certain notification requirements on covered entities and business associates. Id. § 13402, 123 Stat. at 260-63 (to be codified at 42 U.S.C. § 17932). Unsecured PHI is defined as PHI that is not secured using standards that the Secretary of Health and Human Services has approved. Id. § 13402(h), 123 Stat. at 262-63. Covered entities and business associates must provide notification of a breach of unsecured PHI "without unreasonable delay" and in no case later than 60 days after discovery of the breach. Id. § 13402(d), 123 Stat. at 261. A business associate that discovers a breach must report it to the covered entity. Id. § 13402(b), 123 Stat. at 260.
Once the covered entity is notified of the breach, or if it discovers the breach itself, the covered entity must provide the notice directly to the impacted individuals or to prominent media outlets of a state or jurisdiction if 500 or more residents of that state or jurisdiction are impacted. Id. § 13402(a) & (d), 123 Stat. at 260-62. For any breach involving 500 or more individuals, the covered entity must also provide notice immediately to the Secretary of Health and Human Services. Id. For breaches involving fewer than 500 individuals, the covered entity may maintain a log of such breaches and provide the log annually to the Secretary. Id.
The notifications of breach that covered entities provide to individuals under the ARRA must include the following information, to the extent possible:
(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
(2) A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number or disability code).
(3) The steps individuals should take to protect themselves from potential harm resulting from the breach.
(4) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses and to protect against any further breaches.
(5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site or postal address.
Id. § 13402(f), 123 Stat. at 262. The Act directs the Secretary of Health and Human Services to promulgate interim final regulations with regard to the notification requirements no later than 180 days after the enactment date of the Act, that is, by no later than August 16, 2009. Id. § 13402(j), 123 Stat. at 263. The above-described notification requirements will then apply to all breaches "that are discovered on or after the date that is 30 days after the...