South Carolina Lawyer
SC Lawyer, March 2010, #4.
The New HIPAA Privacy and Security Rules are Here: What Do Your Clients Need to Know?
By Kelly M. Jolley and Kathleen G. Chewning

Beware of government programs bearing gifts, because with greater rewards comes greater responsibility. That might be the lesson for health care providers and their suppliers and vendors from the most recent phase of the federal government's alphabet soup of privacy provisions. Along with the tax cuts and credits, various incentives to adopt health information technology (HIT) and health information exchange, bailout fund requirements, and restrictions on executive pay packages, the American Recovery and Reinvestment Act of 2009 (ARRA), which President Obama signed into law on February 17, 2009, also included another effort by the federal government to narrow the permissible uses of personal health information by entities engaged in the health care industry. Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH), authorizes around $36 billion in investment to "advance the use of health information technology" in large part so the United States will be able to move to electronic health records (EHRs) by President Obama's 2014 deadline. However, with the large monetary "gift" from the government comes a second lesson: more is not always better. Along with the money also comes more enforcement of and bigger penalties for statutory violations. HITECH also expands the reach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191 (codified at 42 U.S.C. § 1320d et seq. (1996)), enhances both the federal and state governments' enforcement mechanisms for HIPAA infractions, and introduces the first federally mandated data breach notification requirement.
All businesses, particularly those involving health care or with clients operating in the health care sector, need to reassess their ongoing use and storage of personal information in light of this most recent evolution of the regulatory landscape regarding the use and disclosure of personal and health-related information. This article will discuss the core privacy and security provisions found in the economic stimulus legislation, specifically in the area of enforcement, breach notification and business associate agreements. HITECH implements the biggest change to the health care privacy and security environment since the original HIPAA Privacy Rule. While HITECH is not a wholesale change to HIPAA's privacy provisions, it does make several changes to the HIPAA privacy rules that will encourage companies, and not just health care companies, to re-evaluate how they use and disclose personal health information.
Expanded enforcement of HIPAA violations
Most health lawyers expected that the Obama administration would enforce the HIPAA Privacy Rules more aggressively than did the Bush administration. CVS Caremark's agreement with the FTC to pay $2.25 million to settle federal charges alleging its employees threw personal information about patients into garbage bins was seen as evidence that the expected shift in enforcement by the federal government had begun. However, HITECH's broad changes in this area indicate that this new enforcement could be substantially different than what was expected. HITECH provides federal and state governments with tools for more enforcement with higher penalties against more people.
HITECH imposes a substantial expansion of civil penalties, explicitly authorizes enforcement by state attorneys general and clarifies when criminal penalties apply under HIPAA.
Expanded civil penalties and enforcement
A recurring criticism of HIPAA was that the civil penalties that could be imposed for violating the Act were too low to be a real deterrent. Under pre-HITECH HIPAA, civil monetary penalties ranged from $100 to $25,000 and were available only for knowing violations of the administrative simplification provisions (Part C). Under the HITECH amendments, the secretary of the U.S. Department of Health and Human Services (HHS) may assess civil monetary penalties for violations caused by conduct ranging from an unknown violation to one of willful neglect. HITECH, § 13410(a)(1)(A)-(C), adding SSA § 1176(c) (codified at 42 U.S.C. § 1320d-5(c)).
HITECH also provides a tiered penalty structure based on the nature of the HIPAA violation. An interim rule issued by HHS on October 30, 2009, significantly increases the civil monetary penalties that the secretary may apply to covered entities' HIPAA violations. The rule also allows the secretary to consider new evidence regarding the nature and extent of any harm resulting from a violation in the penalty determination. The rule took effect on November 30, 2009, and applies to any violation occurring on or after February 18, 2009. Moreover, effective February 17, 2011, if a preliminary investigation of a HIPAA complaint alleging willful neglect indicates that a possible violation has occurred, the secretary must formally investigate the...