SC Lawyer, March 2010, #4. The New HIPAA Privacy and Security Rules are Here: What Do Your Clients Need to Know?

By Kelly M. Jolley and Kathleen G. Chewning


Beware of government programs bearing gifts, because with greater rewards comes greater responsibility. That might be the lesson for health care providers and their suppliers and vendors from the most recent phase of the federal government's alphabet soup of privacy provisions. Along with the tax cuts and credits, various incentives to adopt health information technology (HIT) and health information exchange, bailout fund requirements, and restrictions on executive pay packages, the American Recovery and Reinvestment Act of 2009 (ARRA), which President Obama signed into law on February 17, 2009, also included another effort by the federal government to narrow the permissible uses of personal health information by entities engaged in the health care industry. Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH), authorizes around $36 billion in investment to "advance the use of health information technology," in large part so the United States will be able to move to electronic health records (EHRs) by President Obama's 2014 deadline. However, with the large monetary "gift" from the government comes a second lesson: more is not always better. Along with the money also comes more enforcement of, and bigger penalties for, statutory violations. HITECH also expands the reach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191 (codified at 42 U.S.C. § 1320d et seq. (1996)), enhances both the federal and state governments' enforcement mechanisms for HIPAA infractions, and introduces the first federally mandated data breach notification requirement.

All businesses, particularly those involving health care or with clients operating in the health care sector, need to reassess their ongoing use and storage of personal information in light of this most recent evolution of the regulatory landscape regarding the use and disclosure of personal and health-related information. This article will discuss the core privacy and security provisions found in the economic stimulus legislation, specifically in the area of enforcement, breach notification and business associate agreements. HITECH implements the biggest change to the health care privacy and security environment since the original HIPAA Privacy Rule. While HITECH is not a wholesale change to HIPAA's privacy provisions, it does make several changes to the HIPAA privacy rules that will encourage companies, and not just health care companies, to re-evaluate how they use and disclose personal health information.

Expanded enforcement of HIPAA violations

Most health lawyers expected that the Obama administration would enforce the HIPAA Privacy Rules more aggressively than did the Bush administration. CVS Caremark's agreement with the FTC to pay $2.25 million to settle federal charges alleging its employees threw personal information about patients into garbage bins was seen as evidence that the expected shift in enforcement by the federal government had begun. However, HITECH's broad changes in this area indicate that this new enforcement could be substantially different than what was expected. HITECH provides federal and state governments with tools for more enforcement with higher penalties against more people.

HITECH imposes a substantial expansion of civil penalties, explicitly authorizes enforcement by state attorneys general and clarifies when criminal penalties apply under HIPAA.

Expanded civil penalties and enforcement

A recurring criticism of HIPAA was that the civil penalties that could be imposed for violating the Act were too low to be a real deterrent. Under pre-HITECH HIPAA, civil monetary penalties ranged from $100 to $25,000 and were available only for knowing violations of the administrative simplification provisions (Part C). Under the HITECH amendments, the secretary of the U.S. Department of Health and Human Services (HHS) may assess civil monetary penalties for violations caused by conduct ranging from an unknown violation to one of willful neglect. HITECH, § 13410(a)(1)(A)-(C), adding SSA § 1176(c) (codified at 42 U.S.C. § 1320d-5(c)).

HITECH also provides a tiered penalty structure based on the nature of the HIPAA violation. An interim rule issued by HHS on October 30, 2009, significantly increases the civil monetary penalties that the secretary may apply to covered entities' HIPAA violations. The rule also allows the secretary to consider new evidence regarding the nature and extent of any harm resulting from a violation in the penalty determination. The rule took effect on November 30, 2009, and applies to any violation occurring on or after February 18, 2009. Moreover, effective February 17, 2011, if a preliminary investigation of a HIPAA complaint alleging willful neglect indicates that a possible violation has occurred, the secretary must formally investigate the complaint. HITECH, § 13410(a)(1)(B), adding SSA § 1176(c)(2) (codified at 42 U.S.C. § 1320d-5(c)(2)).

The interim rule's amendment of 45 C.F.R. § 160.400 et seq. strengthens the secretary's authority to award civil monetary penalties for HIPAA violations. The previous penalties were based solely on the existence of a violation and factors to be considered in determining their amount. Under the interim rule, the penalties range from $100 per violation to $1,500,000 for identical violations in a calendar year. Furthermore, the penalty amount correlates to the new tiered culpability range as follows:

In the event of a violation for which it is established that the violation: / Penalty per violation / Penalty for violations of an identical provision in a calendar year

  1. Was not known and through reasonable diligence could not have been known by the person in violation: $100-$50,000 per violation; $25,000-$1,500,000 for identical violations in a calendar year

  2. Was due to reasonable cause and not to willful neglect: $1,000-$50,000 per violation; $100,000-$1,500,000 for identical violations in a calendar year

  3. Was due to willful neglect:

    i. If the violation is corrected in 30 days: $10,000-$50,000 per violation; $250,000 for identical violations in a calendar year

    ii. If the violation is not corrected in 30 days: $50,000 per violation; $1,500,000 for identical violations in a calendar year

Prior to the interim rule, covered entities found in violation of HIPAA could plead two affirmative defenses that are now unavailable. Previously, a covered entity could claim either that it did not have knowledge of the violation and through reasonable diligence could not have known that the violation occurred, or that the violation was due to reasonable cause, not willful neglect, and was corrected within 30 days or within such additional period as the secretary deemed appropriate. The interim rule disallows the affirmative defense based on the covered entity's claim that it did not know or could not reasonably have known of the violation, and strictly limits the period of correction required by the second affirmative defense to 30 days.

Enforcement incentives for the Office of Civil Rights and state attorneys general

HITECH provides new enforcement incentives to the Department of Health and Human Services' Office of Civil Rights (OCR). Civil penalties collected for privacy or security violations under HIPAA must be turned over to OCR to fund even greater enforcement efforts. HITECH, § 13410; 45 C.F.R. Part 164, Subparts C and E, which comprise 45 C.F.R. § 164.302 et seq. (Security) and § 164.500 et seq. (Privacy). While some portion of the collected penalties will be paid to individuals harmed by HIPAA offenses, the available return on enforcement investment may result in OCR adopting HHS's Fraud and Abuse Control Program's more aggressive enforcement strategy in place of its current complaint-driven investigatory model. The comptroller general is required to submit a report to the secretary making recommendations for a methodology of payments to individuals harmed by HIPAA violations no later than August 17, 2011. The secretary is required to establish a methodology for payment of a percentage of any civil monetary penalty or settlement by regulation no later than February 17, 2012.

HITECH also grants state attorneys general explicit authority to enforce HIPAA privacy and security rules by bringing an action to enjoin further violations and to obtain statutory damages. State attorneys general may only seek $100 per violation, with a $25,000 yearly damages cap on an individual who violates HIPAA. However, attorney fees are available to the state. Some state attorneys general sought to enforce HIPAA prior to HITECH, and it is arguable that implicit authority for such actions already existed under HIPAA. Nevertheless, under HITECH, state attorneys general may pose a significant risk for health care providers who previously spent little time worrying about revealing potential HIPAA violations in routine medical records audits.

Breach notification requirements for covered entities and business associates

For the first time, HITECH applies mandatory breach notification obligations to HIPAA-covered entities and business associates. These new obligations apply to breaches discovered on or after October 30, 2009. When an individual's unsecured protected health information (PHI) is actually or believed to be disclosed because of a breach, HITECH §§ 13402(a)-(b) (codified at 42 U.S.C. §§ 17932(a)-(b)) requires a covered entity to notify individuals and a business associate to report to its covered entity. The important lessons from this section are the definitions of "unsecured" and "breach." According to annual guidelines set by the secretary, PHI is unsecured if it is not secured through an encryption or destruction technology specified by National Institute of Standards and Technology (NIST) standards. These specified security methodologies render the PHI unusable, unreadable or indecipherable to those unauthorized to receive the information. Therefore, the most logical way for an entity or associate to avoid the obligations of breach notification is to secure its PHI by meeting these guidelines. However, this may be more difficult in practice than in principle, because new guidelines are released annually and may change significantly each year. These new guidelines are intended to address the recent problems caused by lost or stolen laptops and other information storage devices. A "breach" of HITECH privacy provisions is the unauthorized disclosure, access or use of PHI that compromises its security. However, a breach will not be found (1) when an unintentional disclosure is made by an employee or agent of the entity or business and the information is never used or disclosed without authorization, or (2) if the unauthorized person who receives the PHI would not reasonably have been able to get the information.

Time is of the essence for the notification requirement. Notification of a breach must be made within 60 calendar days of its discovery, that is, 60 days after an employee or agent of the entity or associate, other than the person who caused the breach, knows of it. HITECH, §§ 13402(d)(2), 13402(c). The one exception to the notice requirement allows for delayed notice where a law enforcement official determines that notice would obstruct a criminal investigation or be harmful to national security; that exception is governed by 45 C.F.R. § 164.528(a)(2), as opposed to the HITECH Act. Employees should be well trained to look for a breach and have a procedure on hand to promptly begin satisfying the notification requirements. Once it is determined that notification is required, an entity or associate must strictly follow the method required and the contents necessary for compliant notice. An entity must always notify individuals affected by a breach. If the breach affects more than 500 individuals, an entity must also immediately notify HHS and the media. A business associate must notify the covered entity of its breaches. Notice must be sent in writing by first class mail to the last known address of individuals whose PHI was breached. HITECH, § 13402(e)(1). However, various alternate modes of notification are allowed depending on the circumstances. HITECH, §§ 13402(e)(1)-(4). First, a conspicuous posting, specified by the secretary, such as on an entity's Web site, may be used if there are 10 or more individuals for whom there is insufficient information to send notice by mail. Second, if notice is urgent due to the possible misuse of the breached PHI, an entity may call individuals to inform them of the breach. Third, if the breach involved the wrongful disclosure of PHI for more than 500 residents of a state or jurisdiction, notification must be given through a prominent media outlet, in addition to a mailing. Fourth, and finally, an entity must notify HHS of an unsecured PHI breach of more than 500 individuals, but only when the PHI is acquired or disclosed, not when it is merely accessed. For a breach affecting fewer than 500 individuals, an entity is required to keep a log of the breaches and submit it annually to the secretary.

The content of the notification is as important as the method through which it is communicated. A breach notice must include: (1) the dates of the breach and its discovery, and a description of what happened; (2) the types of PHI that were breached, for example, names, birth dates or account numbers; (3) instructions on how affected individuals may protect themselves from any harm likely to result from the breach; (4) what investigative and preventative measures the entity is taking; and (5) contact material that allows individuals to seek further information. HITECH, § 13402(f).

Expanded impact on business associates

HITECH applies HIPAA's Security Rule, including administrative, physical and technical safeguard requirements and the requirements to maintain policies, procedures and documentation of security activities, directly to business associates in the same manner as covered entities. However, the Act did not include the "general rules" of the HIPAA Security Rule, which contain the main obligations of a covered entity to protect PHI and ensure HIPAA compliance by its employees, in the specific security standards for business associates. The HIPAA organizational requirements rule, including the specific provisions required for business associate agreements, was also not applied to business associates. Unfortunately, until HHS issues regulations regarding business associates' obligations under the Security Rules based on HITECH, the implications of these omissions will remain unclear. The "general rules" contained in the HIPAA Security Rule allow covered entities some flexibility in their approach to security compliance. It remains to be seen whether that flexibility will extend to business associates as well, or whether the omission of the "general rules" will be interpreted as a limitation.

HITECH also expands the obligations of business associates to follow the Privacy Rule restrictions. However, instead of applying separate, specific HIPAA privacy standards to business associates, the Act requires a business associate to comply "with each applicable requirement of section 164.504(e)." Section 164.504(e) outlines the requirements that a business associate was contractually required to follow under HIPAA before HITECH, so the specific provisions are not very different.

However, this is a big change. In the past, business associates have not been directly regulated by HIPAA. Instead, covered entities were required to enter into business associate contracts with their business associates. Business associate agreements were basically a way to apply some of the HIPAA requirements to additional entities via contracts rather than statute or regulation. Prior to HITECH, business associates were contractually required to implement appropriate administrative, technical and security measures that reasonably and appropriately protected the confidentiality of PHI. However, if a business associate failed to meet its contractual obligations, its liability was limited to a contractual breach of its business associate agreement with the covered entity. For example, if a business associate failed to keep PHI secure and the covered entity learned of the breach, then the covered entity would probably just terminate the contract if the breach was not remedied. The business associate did not really face any liability or risk beyond losing its relationship with the covered entity, should the covered entity terminate that relationship over the breach. Now, however, the HITECH privacy provisions impose direct responsibility and liability on the business associate for any breach.

HITECH not only imposes additional privacy and security rules directly on business associates, but also requires that these additional requirements "be incorporated into the business associate agreement between the business associate and the covered entity." HITECH, § 13401(a) (codified at 42 U.S.C. § 17931(a)); § 13404(a) (codified at 42 U.S.C. § 17934(a)). Unfortunately, the manner in which these new requirements should be incorporated is not clear. One interpretation proposes that these requirements become part of existing business associate agreements as a matter of law, because the statutory language says that the requirements "shall be incorporated" rather than "covered entities shall amend their business associate agreements." However, as the statute does not say that these requirements are "deemed to be incorporated," a more conservative and, undoubtedly, safer approach is to interpret HITECH as requiring covered entities to amend existing agreements to include the additional security and privacy requirements and to ensure that all future business associate agreements include these as well.

Additionally, HITECH clarifies that health information exchanges (HIEs), regional health information organizations, e-prescribing gateways and some vendors that contract with covered entities to offer a personal health record are business associates. This is not a surprise, but it does ensure that these organizations and participants in health information exchanges like South Carolina's SCHIEx are statutorily required to have business associate agreements in place.

Finally, but perhaps most importantly, business associates who violate their privacy and security rule responsibilities under HITECH or violate the terms of their respective business associate agreements are now subject to the same civil and criminal penalties as covered entities, described above.

New privacy requirements for covered entities and business associates

HITECH imposes several new, significant privacy requirements on covered entities and business associates. On February 17, 2010, the following requirements became effective as to covered entities and business associates: (1) they must now grant an individual's request not to disclose PHI to a health plan for a health care item or service where the individual has paid in full out of pocket, HITECH, § 13405(a); (2) they must make the determination as to the minimum necessary PHI that must be disclosed, rather than relying on the requestor's information request, or use the "Limited Data Set" provided by the Act, which always meets the standard, HITECH, § 13405(b); (3) where they maintain PHI in an EHR, they must provide an individual access to his or her PHI in electronic format, HITECH, § 13405(e); (4) they may not receive any direct or indirect payment for any marketing communication of an individual's PHI without authorization, HITECH, § 13406(a); and (5) they must treat an individual's decision to opt out of fundraising communication as a revocation of authorization.

Additionally, there are new accounting requirements for EHRs. Section 13405(c) of HITECH mandates that disclosures made through an EHR for treatment, payment and health care operations purposes must be included in the accounting, but only the last three years of disclosure information (rather than six) need be provided. Covered entities may choose to provide information about electronic disclosures by their business associates, or to provide a list of their business associates, who are then required to provide the accounting directly to individuals. HHS must issue regulations on the new accounting requirements within six months. If a covered entity acquired an EHR before January 1, 2009, the regulations will be effective for disclosures made from the EHR starting on January 1, 2014. However, if a covered entity acquires an EHR after January 1, 2009, the regulations will apply to disclosures starting on January 1, 2011. HHS may provide an additional two years for compliance with its regulations.

Conclusion

Whether you represent health care clients or their business associates, the greatest difficulty you will face in the post-HITECH environment will be staying up-to-date with the law, the yet-to-be-released regulations, the technology and the acronyms. HIPAA is no longer a toothless lion. Security and privacy breaches bring greater consequences and risk than ever before, while compliance remains even more difficult to define. HITECH provides many health care providers with financial incentives to join the new age of health information technology. However, clients need to be aware that it imposes significant and additional duties and risks.

Kelly Jolley is an attorney with the McNair Law Firm and practices out of the Columbia and Hilton Head Island offices. Kathleen Chewning is a student at the Charleston School of Law and will graduate in May 2010.
