Business Associates, Be Hip to HIPAA: How Recent Changes in Law Will Affect Your Company for Years to Come

Corporate & Finance Alert

May 5, 2009
Included as part of the federal stimulus bill known as the American Recovery and Reinvestment Act of 2009 (“ARRA”) is Title XIII, the “Health Information Technology for Economic and Clinical Health Act” or the “HITECH Act.” The HITECH Act contains a sweeping expansion of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security regulations (the “Privacy Rule” and “Security Rule”). These changes will affect more businesses in more ways than ever before. Especially affected by the changes will be “business associates” - entities that use or have access to protected health information (“PHI”) when providing services on behalf of health plans, health care providers, and health care clearinghouses, defined as “covered entities” under HIPAA.

In many respects, the HITECH Act makes business associates de facto covered entities. They will now have to comply with many provisions in the Privacy and Security Rules that previously were only the concern of covered entities. This article summarizes the recent changes and how they may affect companies in their roles as business associates. The article describes the current law under the Privacy and Security Rules, the changes made by the HITECH Act, and the effect and brief course of action business associates should consider as part of their compliance plan. Unless otherwise noted, the compliance deadline for the new HIPAA requirements is February 17, 2010 (one year following ARRA’s enactment into law).

Business associates that have not been subject to HIPAA before must become familiar with the new changes in the HITECH Act or risk becoming inadvertently non-compliant and subject to stiff penalties. Companies should review and amend their existing policies and procedures, train staff members regarding the new changes, evaluate IT and encryption capabilities, and hire qualified legal counsel experienced with HIPAA.

Application of the Security Rule and Penalties to Business Associates

Current Law: The Security Rule includes three sets of safeguards that covered entities are required to implement: administrative, physical, and technical. Administrative safeguards include functions such as assigning security responsibilities to employees, maintaining security policies and procedures, and training staff. Physical safeguards are intended to protect electronic systems and data from physical threats, environmental hazards, and unauthorized access. Technical safeguards are primarily IT functions used to protect and control access to data, such as the use of passwords and having computers automatically log off users after a certain length of inactivity. HIPAA permits business associates to create, receive, maintain or transmit electronic PHI on behalf of a covered entity, provided that the parties have executed a business associate agreement, which states that the business associate will implement protections that reasonably and appropriately safeguard PHI. Violations cannot be enforced directly against business associates.

Change under the HITECH Act: The HITECH Act now obligates business associates to comply with the Security Rule’s administrative, physical, and technical safeguard requirements. Civil and criminal penalties for violating those standards now directly apply to business associates. Civil penalties for HIPAA violations have increased to a range of $100 to $50,000 per violation, with maximum penalties for additional violations in any one year ranging from $25,000 to $1,500,000. Also, the U.S. Department of Health and Human Services (“HHS”) is required to distribute portions of collected civil monetary penalties to the persons whose information was improperly disclosed or used, which could create a financial incentive for individuals to report suspected HIPAA violations.

The Effect on Business Associates: Business associates must comply with the Security Rule, including developing and implementing written security policies and procedures with respect to the electronic PHI they handle. Failure to abide by the Security Rule requirements subjects a business associate to severe fines. Note that the Security Rule includes “implementation specifications,” each of which is either “required” or “addressable.” Required implementation specifications must be implemented as set forth in the Security Rule, and no variation is permitted. “Addressable” does not mean optional; it allows entities the flexibility to use alternative means of achieving the goal of the regulation.

Notification in the Case of a Breach

Current Law: HIPAA does not require covered entities or business associates to notify HHS or individuals of a privacy or security breach.

Change under the HITECH Act: Upon discovery of a breach of unsecured PHI under its control, a business associate is required to notify the covered entity, which then must notify the impacted individual. Notice of the breach must be provided to HHS and prominent media outlets serving a particular area if more than 500 individuals in that area are impacted. If the breach impacts fewer than 500 individuals, the covered entity involved would have to maintain a log of such breaches and submit it to HHS annually. Within 180 days of ARRA’s enactment, HHS is required to issue interim final regulations to implement this section. The provisions in the section would apply to breaches discovered at least 30 days after the regulations are published.

The Effect on Business Associates: Business associates should ensure that the electronic PHI they transmit is encrypted. Business associates should consider adopting internal procedures for reporting breaches and mitigating potential damages therefrom. Final regulations on how to implement this section are forthcoming from HHS.

Education of Health Information Privacy

Current Law: The Privacy Rule requires each covered entity to designate a privacy official for the development and implementation of its privacy policies and procedures.

Change under the HITECH Act: Within six months of ARRA’s enactment, HHS will designate a privacy advisor in each HHS Regional Office. The privacy advisor will offer education and guidance to covered entities and business associates regarding privacy and security rights and responsibilities. Within 12 months of ARRA’s enactment, the HHS Office of Civil Rights (“OCR”) must develop and maintain a national education program to educate the public about privacy rights and the use of PHI.

The Effect on Business Associates: While there is nothing required of business associates under this section of the HITECH Act, companies should consider appointing someone as a privacy and security officer who will coordinate HIPAA compliance. Also, if business associates need to contact the HHS Regional Office, the contact information can be found here:

Application of Privacy Provisions and Penalties to Business Associates

Current Law: Under the Privacy Rule, a covered entity may disclose PHI to a business associate if the parties execute a business associate agreement requiring the business associate to appropriately safeguard PHI. Violations cannot be enforced directly against business associates.

Change under the HITECH Act: Business associates can incur civil and criminal penalties for violating the terms of business associate agreements.

The Effect on Business Associates: Business associates should ensure that they comply with their current and future business associate agreements and the privacy provisions therein. Business associates should review the terms of these agreements to confirm that they have taken all necessary steps to comply with them.

Accounting of Certain PHI Disclosures

Current Law: Individuals have the right to an accounting of PHI disclosures by a covered entity during the previous six years, with certain exceptions. For example, a covered entity is not required to account for disclosures that have been made to carry out treatment, payment, and health care operations.

Change under the HITECH Act: An individual now has the right to receive an accounting of PHI disclosures made by covered entities and business associates for treatment, payment, and health care operations during the previous three years, if the disclosures are made through an electronic health record. The effective dates for compliance vary depending upon when the covered entity or business associate receives the electronic health record.

The Effect on Business Associates: For each electronic health record, business associates will have to maintain information that could be used if an individual requests an accounting of disclosures. This means that business associates will need a system in place to record what is disclosed, when and to whom. The effective date of this requirement varies: (1) For electronic health records acquired as of January 1, 2009, the business associate must keep an accounting of disclosures made on or after January 1, 2014. (2) For electronic health records acquired after January 1, 2009, the business associate must keep an accounting of disclosures made on or after the later of (a) January 1, 2011, or (b) the date on which it acquires the electronic health record. HHS may postpone the effective dates to be no later than 2016 for (1) above and no later than 2013 for (2) above.

Improved Enforcement

Current Law: HIPAA authorizes HHS to impose civil monetary penalties for HIPAA non-compliance. The maximum civil fine is $100 per violation, up to $25,000 for all violations of an identical requirement or prohibition during a calendar year. Civil monetary penalties may not be imposed in certain instances, including when the violation is a criminal offense under HIPAA’s criminal penalty provisions. In cases of certain wrongful disclosures of PHI, the OCR may refer the case to the U.S. Department of Justice for criminal prosecution. HIPAA’s criminal penalties include fines of up to $250,000 and up to 10 years in prison for disclosing or obtaining PHI with the intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm.

Changes under the HITECH Act: HIPAA is amended to permit OCR to pursue an investigation and impose civil monetary penalties against any individual for an alleged criminal violation of the Privacy and Security Rules even if the Justice Department does not prosecute the individual. In addition, HIPAA is amended to require a formal investigation of complaints and the imposition of civil monetary penalties for violations due to willful neglect. HHS is required to issue regulations to implement these amendments within 18 months of ARRA’s enactment. Within three years of ARRA’s enactment, HHS is required to establish a methodology to distribute a percentage of collected penalties to harmed individuals. Finally, state attorneys general are now authorized to bring civil actions in federal district court against individuals who violate HIPAA in order to enjoin further violations. OCR may still use corrective action without a penalty in cases where the person did not know, and by exercising reasonable diligence would not have known, about the violation.

The Effect on Business Associates: Business associates are now on notice that state and federal authorities have greater authority to bring civil and criminal actions against all individuals who violate HIPAA’s requirements.

Compliance Audits

Current Law: HHS is authorized to conduct compliance reviews to determine whether covered entities are complying with HIPAA standards.

Changes under the HITECH Act: HHS is now required to perform periodic audits to ensure that covered entities and business associates are complying with HIPAA.

The Effect on Business Associates: Business associates are now on notice that HHS is not just authorized, but is required to conduct compliance audits of covered entities and business associates.

Business associates that previously were not subject to HIPAA must now be cognizant of the changes included in the HITECH Act. Impacted companies must develop a plan to comply with most of the new changes by February 17, 2010.

If you have questions about HIPAA, the HITECH Act and how they affect your company, please contact Kevin M. Kramer of our Corporate Department.