As many of you are aware, the American Recovery and Relief Act of 2009, better known as the “Bailout Bill”, did much more than funnel government spending in an effort to boost the economy. Within the Bailout Bill package, Congress enacted a separate act known as the Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act. HITECH included several important changes to substantive law, and mandated the Department of Health and Human Services (HHS) to promulgate new regulations under HIPAA. On August 24, 2009, HHS issued interim final regulations, effective September 23, 2009, implementing several of the changes mandated by HITECH. Other changes will not take effect until February 2010. Health Care providers and their Business Associates subject to HIPAA requirements should be aware of several fundamental reforms contained within the law.
HITECH requires any Covered Entity (such as a health plan, health care clearinghouse, or health care provider) holding or using “unsecured” protected health information to notify the affected individuals in the even there is a breach of that individual’s protected health information (“Breach Notification”). Any breach must also be reported to HHS and, under some circumstances, to the local media as well. Essentially, covered entities and business associates are now required to act as their own whistleblowers. This Breach Notification requirement was promulgated in an interim final rule on August 24, 2009 and takes effect September 23, 2009.
The Breach Notification rule requires that Covered Entities must notify affected individuals “without unreasonable delay” and in no case more than 60 days after the breach is “discovered”. A breach is treated as discovered when it is known to the entity, employee, or agent of the entity. An unknown breach will be treated as discovered if it would have been known had the entity exercised “reasonable diligence”. This highlights the importance of having internal policies in place to ensure that any breach will be promptly discovered, reported, and dealt with.
As mentioned above, Covered Entities are also required to provide notice to the Secretary of HHS and, in some cases, local media outlets. If the breach affects more than 500 residents of a state or jurisdiction, the entity must notify “prominent media outlets” “without unreasonable delay” and in no case more than 60 days after discovery of the breach. In the case of such a large breach, the entity must notify HHS contemporaneously with the sending of individual notices, according to the procedure on the department’s website. If the breach affects less than 500 residents, there is no requirement to notify the local media. There is also no immediate requirement to notify HHS. Instead, the entity is required to maintain a log of all breaches and notify HHS within 60 days of the end of the calendar year of all breaches during the prior year according to the procedure outlined on HHS’s website.
The new regulations list specific guidance regarding the content of the required notice. The notice must be in writing and sent via first-class mail, unless the individual has otherwise agreed to electronic notification. Five topics are required to be addressed within the contents, all written in “plain language”.
Business Associates of Covered Entities (anyone handling protected health information on behalf of a Covered Entity) are required to notify the covered entity for which they are providing services of any breach discovered by the Business Associate. Again, this notice must be given without unreasonable delay and in no case more than 60 days after the discovery of the breach. Rules similar to those imposed on covered entities for the determination of when a breach is “discovered” also apply to Business Associates.
Only those covered entities or business associates dealing in “unsecured” protected health information are subject to the Breach Notification requirements. To avoid being deemed to be operating “unsecured”, the Covered Entity or Business Associate may conform to the guidance for technologies and methodologies issued by HHS on April 27 in order to qualify for a safe harbor from the definition of using “unsecured” protected health information. To the extent feasible, Covered Entities and Business Associates should comply with this guidance to avoid being subject to the embarrassing requirements of the Breach Notification rule.
Expansion of HIPAA Coverage
In addition to the Breach Notification rule, HITECH imposes both the HIPAA Security Rule and the HIPAA Privacy Rule directly on Business Associates of Covered Entities. Prior to this change, Business Associates were not directly subject to the security and privacy requirements of HIPAA. Instead, Covered Entities were required to obtain “satisfactory assurance” that their Business Associates would safeguard protected health information. These assurances are typically exchanged through a written Business Associate Agreement. Only Covered Entities were subject to the civil and criminal penalties of HIPAA should there be a violation of the security or privacy rules, even if such breach was committed by the Business Associate. The Covered Entity’s recourse against the Business Associate was limited to initiating a lawsuit based on a breach of the Business Associate Agreement. HITECH changes all this.
Under HITECH, the security and privacy rules of HIPAA are made directly applicable to Business Associates effective February 17, 2010. Business Associates will thereafter be subject to direct HIPAA enforcement, including the imposition of civil and criminal penalties, for a breach of either rule. HITECH still contemplates the use of Business Associate Agreements and requires that they be updated to reflect the Breach Notification rule outlined above.
Several significant changes to HIPAA and its implementing regulations were made by the Bailout Bill. Health care providers which are Covered Entities under HIPAA and their Business Associates should be prepared to meet the new legal and administrative requirements of such changes. If you would like to discuss the matters discussed in this article, or any other matter regarding your health care practice, feel free to contact Vandenack Weaver LLC at your convenience.