The American Recovery and Reinvestment Act of 2009 (“ARRA”), signed into law by President Obama on February 17, 2009, significantly expands the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security requirements. The new requirements will generally be effective on February 17, 2010; however, the increased penalty provisions are effective now. The new breach notification requirements will become effective 30 days after the Secretary of Health and Human Services (the “Secretary”) issues guidance, which must be within 180 days after the enactment of ARRA; therefore, these provisions will become effective no later than September 15, 2009.
Expanded Enforcement and Increased Penalties
ARRA requires the Secretary to formally investigate any complaint of a HIPAA violation if a preliminary investigation of the facts indicates a possible violation due to willful neglect. Furthermore, penalties are now mandatory for cases involving willful neglect. ARRA establishes tiered civil monetary penalties for violations occurring after February 17, 2009, as follows:
- The minimum penalty for a violation where the person did not know and would not have known by exercising reasonable diligence is $100 per violation not to exceed $25,000 per calendar year.
- The minimum penalty for a violation due to reasonable cause is $1,000 per violation not to exceed $100,000 per calendar year.
- The minimum penalty for a violation due to willful neglect that is timely corrected is $10,000 per violation not to exceed $250,000 per calendar year.
- The minimum penalty for a violation due to willful neglect that is not corrected is $50,000 per violation not to exceed $1,500,000 per calendar year.
These penalties are substantially greater than those originally provided for by HIPAA.
A percentage of any civil monetary penalties collected as a result of such offense may be paid to an individual who is harmed. This percentage will be determined pursuant to regulations to be established by the Secretary no later than February 17, 2012.
In addition, State Attorneys General may now bring a civil action on behalf of the residents of their State who have been adversely affected by a HIPAA violation. If the action is successful, the court may award the costs of the action and reasonable attorney fees to the State.
Expansion of HIPAA Privacy and Security Requirements to Include Business Associates
The original HIPAA Privacy and Security Regulations apply directly to “covered entities” only. Covered entities include health plans, health care providers and health care clearinghouses. Covered entities are required to enter into Business Associate Agreements with entities and individuals to whom they provide protected health information. ARRA modified the HIPAA Privacy and Security Regulations so that they now apply directly to business associates. Presumably, the HIPAA requirements must now be incorporated into the covered entity’s Business Associate Agreements. In the event a business associate violates the HIPAA Privacy and/or Security requirements, it will now be subject to the same civil and criminal penalties as a covered entity.
New Notification Requirements in the Event of a Breach
ARRA defines a breach as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” In the event of a breach, ARRA requires a covered entity to notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired or disclosed as a result of a breach. If a business associate discovers a breach, the business associate must notify the covered entity. These notifications must be made “without unreasonable delay” but no later than 60 calendar days following the covered entity’s or business associate’s discovery of the breach.
ARRA defines “unsecured protected health information” as protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance. On April 17, 2009, the Secretary issued guidance identifying two methods for rendering protected health information unusable, unreadable or indecipherable. The specified methods are encryption and destruction and, if they are used, they will provide safe-harbor protection from the notification requirements. This guidance is available on the HHS website.
If the breach affects more than 500 residents of a state, then notice must also be provided to prominent media outlets. Covered entities must also give notice to the Secretary immediately if the breach of unsecured protected health information affects 500 or more individuals. This information will be posted on the Secretary’s web site. Covered entities must also maintain a log of any breaches that involve fewer than 500 individuals and must provide this log to the Secretary annually.
ARRA requires that the breach notification contain the following information:
- A brief description of what happened, including the date of the breach and the date of discovery of the breach (if known).
- A description of the types of unsecured protected health information involved.
- Steps the individuals should take to protect themselves from potential harm.
- A brief description of what the covered entity is doing to investigate the breach, to mitigate losses and to protect against further breaches.
- A toll-free phone number, email address, web site or mailing address for individuals to contact the covered entity.
Individual Right to Request Restrictions of Certain Disclosures
Prior to ARRA, an individual could request restrictions on the use or disclosure of their protected health information, but a covered entity did not have to comply with the request. ARRA provides that a covered entity must comply with an individual’s requested restriction if the disclosure is to a health plan for payment or health care operations purposes (but not treatment purposes) and the protected health information pertains to an item or service for which the provider has been paid in full by the individual.
Disclosures Must be Limited to a Limited Data Set or the Minimum Necessary
The original HIPAA Privacy Regulations require that only the minimum necessary protected health information be used or disclosed to accomplish the intended purpose of the use or disclosure. ARRA requires covered entities to determine whether a limited data set (as defined in the HIPAA Privacy Regulations) will suffice for the use or disclosure of protected health information and, if so, limit the use or disclosure to the limited data set. If a limited data set does not provide the necessary information, then only the minimum protected health information necessary to accomplish the intended purpose of the use or disclosure may be used or disclosed. In the case of a disclosure of protected health information, the covered entity or business associate making the disclosure will determine what constitutes the minimum necessary. Furthermore, ARRA directs the Secretary to issue guidance as to what constitutes the “minimum necessary” not later than 18 months after the enactment of ARRA (August 17, 2010).
Accounting of Disclosures When Covered Entity Uses Electronic Health Records
The HIPAA Privacy Regulations permit individuals to periodically request an accounting of disclosures of their protected health information but they do not require an accounting of disclosures made for purposes of treatment, payment or health care operations. ARRA contains new disclosure requirements for entities that use electronic health records. When an electronic health record is involved, an individual will be entitled to an accounting of all disclosures made, including those for treatment, payment and health care operations, during the three years prior to the request for an accounting.
Prohibition on Sale of Electronic Health Records or Protected Health Information and Marketing Restrictions
ARRA generally prohibits a covered entity or business associate from directly or indirectly receiving remuneration in exchange for an individual’s protected health information unless the covered entity obtains a valid HIPAA authorization from the individual that specifically permits such disclosure and also specifies whether the entity receiving the protected health information can further exchange it for remuneration.
ARRA also provides that the definition of health care operations does not include a communication by a covered entity or business associate about a product or service that encourages recipients to purchase or use the product or service unless it meets the definition of marketing found in the existing HIPAA Privacy Regulations. Even if the communication does meet this definition of marketing, it shall not be considered health care operations if the covered entity receives remuneration directly or indirectly in exchange for making the communication. There is an exception to this rule if the communication only describes a drug that is currently prescribed for the recipient and any payment received by the covered entity for making the communication is a reasonable amount. In this case, one of the following requirements must also be met:
- the covered entity makes the communication and the covered entity receives a valid HIPAA authorization with respect to the communication from the recipient of the communication; or
- a business associate of the covered entity makes the communication and the communication is consistent with the written contract between the business associate and the covered entity.
Implications for Covered Entities
Covered entities, including employer group health plans, should begin reviewing their existing HIPAA Privacy and Security Policies and Procedures to determine where revisions will be necessary. In particular, they should identify areas where breaches of information have occurred in the past or are likely to occur, and determine what steps should be taken to reduce the risk of a breach. The covered entity’s HIPAA Notice of Privacy Practices will also need to be reviewed and most likely revised. In addition, all Business Associate Agreements should be revised to incorporate the new requirements established by ARRA. Hopefully, further guidance will be issued with respect to specific provisions that should be incorporated into the Business Associate Agreements. Please contact us if you need assistance in complying with these new HIPAA requirements.