The American Recovery and Reinvestment Act of 2009 Increases Requirements under the Health Insurance Portability and Accountability Act (HIPAA)

March 3rd, 2009

The American Recovery and Reinvestment Act of 2009 (ARRA), approved by Congress on February 13, 2009 and signed into law by the President on February 17, 2009, makes a number of modifications to the Health Insurance Portability and Accountability Act (HIPAA). Title XIII of ARRA is entitled the Health Information Technology for Economic and Clinical Health Act (HITECH) and contains both the HIPAA provisions and provisions providing appropriations for health information technology (HIT) and requirements for the government and businesses that have government contracts.

The legislative changes that affect HIPAA create many new requirements, enforcement provisions and penalties for covered entities, business associates, vendors and others. Many changes are focused on HIPAA’s privacy and security requirements and will require businesses to change the way they currently do business. The changes are significant for all Covered Entities (defined under HIPAA as health care providers that conduct certain electronic transactions, health care clearinghouses, and health plans), but are most challenging for Business Associates (individuals or corporate persons that perform ANY function or activity involving the use of Protected Health Information (PHI)), who now face a host of new requirements.

Business Associates Required to Comply with HIPAA Privacy and Security Rules

Under HIPAA as originally enacted, Business Associates were not directly regulated and were not subject to HIPAA’s penalty provisions. Because HIPAA only required a contract between the Business Associate and the HIPAA-covered entity, the only sanction Business Associates faced for failure to protect health information was a breach of contract claim. However, ARRA makes significant changes to the way Business Associates are treated under HIPAA.

ARRA specifies that any entity that engages in health information exchanges or provides data transmission of PHI (including Personal Health Record (PHR) vendors and health information exchanges) is considered a Business Associate.  As such, these entities must enter into a business associate contract with the covered entity and will be subject to ARRA’s civil and criminal penalty provisions.

Additionally, ARRA requires that the administrative, physical and technical safeguards and the policy, procedure and documentation requirements of HIPAA’s security rule apply to Business Associates of a covered entity in the same manner as they apply to the covered entity.  These additional requirements must be incorporated into Business Associate contracts and agreements and include notification provisions for a breach and the application of ARRA’s criminal and civil penalties.   With regard to HIPAA’s privacy rules, Business Associates are prohibited from using or disclosing any PHI in a manner which is not in compliance with the Business Associate contract or agreement required terms under HIPAA.  These changes become effective February 17, 2010 (one year after the enactment of ARRA).

Notice to Individuals of Privacy and Security Breaches

ARRA also imposes certain notification requirements on covered entities and Business Associates in the event of a breach of “unsecured protected health information.” A breach is defined as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information”. Unsecured protected health information is defined as protected health information that the covered entity or Business Associate has not secured via standards approved by the Secretary of Health and Human Services (Secretary).

Generally, the notification of a breach must be provided “without unreasonable delay”, but in no case later than 60 days after the discovery of the breach or after the breach should reasonably have been discovered. Since 60 days is the outer limit for notification, if the full 60-day window is used, the covered entity or Business Associate involved in the breach must be prepared to justify its reasons for not providing notification of the breach sooner. However, notice of a breach may be delayed if a law enforcement official determines that notification would hinder a criminal investigation or injure national security.

For Business Associates that discover a breach, the Business Associate must notify the covered entity of the breach or potential breach and the identity of all individuals affected or potentially affected. For covered entities, notification must be made to individuals whose unsecured protected health information has been accessed, acquired or disclosed, or is reasonably believed to have been accessed, acquired or disclosed, as a result of a security or privacy breach. In general, notification to affected individuals must be sent via first-class mail. However, where a breach involves 10 or more individuals whose contact information is out-of-date or deficient, notification must be posted to the covered entity’s website or published in major print or broadcast media. For a breach that involves 500 or more individuals, the covered entity involved in the breach must also give notice to prominent media outlets in the applicable jurisdiction or state.

Notice of all breaches must be provided to the Secretary. If the breach affects 500 or more individuals, the covered entity involved in the breach must immediately notify the Secretary. For breaches that affect fewer than 500 individuals, the covered entity involved in the breach may notify the Secretary of such breaches on an annual basis.

To the extent possible, all notices must contain:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach (if known);
  • A description of the types of unsecured protected health information involved in the breach (e.g., social security number, date of birth);
  • The steps individuals should take to protect themselves from potential harm as a result of the breach;
  • A brief description of what the entity involved is doing to investigate the breach, to mitigate losses and to protect against further breaches; and
  • Contact procedures for individuals to ask questions or receive additional information, including a toll-free telephone number and an e-mail address, web site or postal address.

Expansion of Accounting of Disclosures

ARRA changes the existing limitations on accounting for disclosures of health information to individuals who request such an accounting. If a covered entity uses or maintains an Electronic Health Record (EHR), then individuals will be allowed to receive an accounting of the disclosures of PHI for treatment, payment and health care operations made from the EHR. The period covered by the mandated accounting is limited to the 3-year period prior to the individual’s request. A reasonable fee may be charged to the requesting individual, provided the fee is not greater than the labor costs involved in complying with the request.

The Secretary is required to adopt regulations that specify the information to be contained in the accountings within 6 months of ARRA’s enactment. Covered entities that began using EHR prior to January 1, 2009 will be required to provide the accounting upon request effective January 1, 2014. Covered entities that begin using EHR after January 1, 2009 will be required to provide the accounting upon request effective January 1, 2011.

Clarification of and Limits on Marketing and Fundraising

ARRA clarifies that a marketing communication is not a health care operation unless the communication:

  • Describes a health-related product or service that is provided by, or included in a plan of benefits of, the communicating covered entity;
  • Is made for the treatment of the individual; or
  • Is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers or settings of care to the individual.

ARRA also limits a covered entity’s ability to receive remuneration for making non-marketing communications. The exception is a communication that describes only a drug or biologic currently being prescribed for the individual receiving the communication, where any payment the covered entity receives in exchange for making the communication is reasonable (as defined by the Secretary), provided that:

  • The communication is made by the covered entity and the covered entity has a valid authorization from the individual receiving the communication, or
  • The communication is made by a Business Associate on behalf of the covered entity and the communication is consistent with the Business Associate contract or agreement between the covered entity and the Business Associate.

Individuals must be allowed to elect not to receive any fundraising communications, and must be allowed to “opt out” of having their information used by a covered entity for the purpose of fundraising.

Sale of Protected Health Information

Under ARRA, a covered entity or Business Associate is prohibited from directly or indirectly receiving payment in exchange for any protected health information unless the covered entity or Business Associate acquired a valid authorization from the individual.  The authorization must include the specification that the PHI may be sold or exchanged for remuneration.  Exceptions to this provision are made for:

  • Public health activities;
  • Research activities (provided the price reflects the reasonable costs related to the preparation and transmittal of data for such purposes);
  • Treatment of an individual;
  • The sale, transfer, merger or consolidation of a covered entity;
  • Certain Business Associate agreements where a covered entity provides remuneration to a Business Associate;
  • A request by an individual for a copy of that individual’s PHI; and
  • As otherwise allowed by the Secretary.

The Secretary must issue final regulations within 18 months of ARRA’s final enactment date and the prohibitions are effective 6 months after the issuance of the final regulations.

Notification Provisions Apply to Other Personal Health Record Vendors

ARRA extends its notification provisions to vendors of PHRs and their service providers should the vendor or service provider experience a breach of security or privacy, regardless of whether the vendor or service provider is considered a covered entity. In the instance of a breach of privacy or security of PHI, PHR vendors and their service providers are required to notify each affected individual who is a U.S. citizen or resident of the U.S., as well as the Federal Trade Commission. Failure to provide the required notice will be deemed an unfair and deceptive trade practice or act under the Federal Trade Commission Act.

Because PHR vendors are not covered by HIPAA, ARRA requires that the Federal Trade Commission issue interim final regulations which will provide guidance for PHR vendors on the requirements for breaches of PHI.

Mandatory Restrictions on Disclosure of PHI when Requested by Individuals

Under ARRA, individuals are given the right to restrict the disclosure of PHI related to treatment, payment and health care operations provided:

  • The restriction relates to disclosure for purposes of payment or health care operations;
  • The restriction does not relate to disclosure for purposes of treatment; and
  • The PHI relates only to an item or service for which the provider has already received payment in full.

Right of Individuals to Receive Electronic Records

If a covered entity maintains EHRs that contain PHI, ARRA provides individuals with the right to obtain a copy of their records in an electronic format or to request that the record be transmitted to a third party.  The covered entity may not charge the individual requesting the copies more than the total cost of labor incurred by the entity in transmitting the copies.

Clarification of the Minimum Necessary Standard

Pending additional guidance from the Secretary, a covered entity will be considered to be in compliance with the minimum necessary standard if, to the extent possible, the covered entity limits the disclosure to a limited data set or to the minimum data necessary to accomplish the intended purpose of the disclosure or use of the information.  The Secretary is required to issue guidance within 18 months of ARRA’s enactment.

Increased Use of De-Identified Information

ARRA requires the Secretary to issue guidance on how covered entities can comply with requirements related to the use of de-identified PHI.  Such guidance must be issued within 1 year of ARRA’s enactment.

Enforcement and Penalties

ARRA authorizes the Secretary to conduct periodic audits of covered entities and Business Associates to ensure compliance with HIPAA and ARRA requirements. The Secretary is also authorized to utilize civil enforcement provisions even if the action in question violated the criminal provisions, provided no criminal conviction is associated with the conduct.

The Secretary is required to impose civil penalties if a violation is due to willful neglect, and to formally investigate any complaint if a preliminary investigation indicates a potential violation due to willful neglect. For violations where the individual did not know of the violation, or would not have known of the violation by exercising reasonable diligence, corrective action rather than a penalty may still be used.

Under ARRA, criminal enforcement for certain HIPAA violations is not limited to covered entities.  For purposes of criminal enforcement provisions, ARRA provides that “a person (including an employee or other individual)” is considered to have obtained or disclosed individually identifiable health information in violation of HIPAA if such information is maintained by a covered entity and the individual obtained or disclosed such information without authorization.

The Office for Civil Rights will receive any civil monetary penalties (CMPs) or settlements related to HIPAA security-related offenses.  Such funds will be used to fund the further enforcement of ARRA and HIPAA rules and requirements.

State Attorneys General may bring a civil action under ARRA on behalf of state residents who have been, or are threatened to be, harmed by a violation, in order to obtain injunctive relief or damages, as well as attorney fees. Notice must be given to the Secretary, and the Secretary is permitted to intervene. A State Attorney General may not bring an action if a federal action by the Secretary is already pending. These provisions only apply to violations that occur after February 17, 2009 (the date of enactment).

The Comptroller General must submit a report to the Secretary within 18 months of ARRA’s enactment that provides recommendations for determining a reasonable methodology for calculating an appropriate percentage of CMPs or settlements for individuals who have been harmed by a violation of HIPAA or ARRA.  The Secretary is required to issue regulations based on the Comptroller General’s recommendations within 3 years of ARRA’s enactment.

ARRA expands existing civil penalties into tiers and provides that the determination of the penalty amount must be based on the nature and extent of the violation and the harm caused by the violation:

  • Tier 1 applies where the violator did not know of the violation, and would not have known of the violation even with reasonable diligence. In such circumstances, the penalty is $100 per violation, not to exceed $25,000 for all such violations of an identical requirement during the calendar year.
  • Tier 2 applies where the violation was due to reasonable cause rather than willful neglect. In such circumstances, the penalty is $1,000 per violation, not to exceed $100,000 for all such violations of an identical requirement during the calendar year.
  • Tier 3 applies where the violation was due to willful neglect but the violation was corrected within 30 days of the violation. The penalty is $10,000 per violation, not to exceed $250,000 for all such violations of an identical requirement during the calendar year.
  • Tier 4 applies where the violation was due to willful neglect and the violation was not corrected within 30 days of the violation. The penalty is $50,000 per violation, not to exceed $1,500,000 for all such violations of an identical requirement during the calendar year.

Additional Guidance and Technical Standards

Within 60 days of the enactment of ARRA, the Secretary is required to issue guidance on what constitutes “unsecured” PHI, specifying the technologies and methodologies that will render PHI unusable, unreadable or indecipherable to unauthorized individuals. Guidance on such technologies and methodologies will be updated annually by the Secretary.

Within 180 days of enactment, the Secretary is required to issue interim final regulations which govern ARRA’s notification provisions and must designate an individual in each of the Department’s regional offices who will offer guidance and education on rights and responsibilities of covered entities, Business Associates and individuals with regard to PHI.

Effective Date of Changes

Unless otherwise specified in ARRA, the general effective date for the changes under ARRA is February 17, 2010, one year after the enactment of the law.  While the increased penalty provisions take effect immediately, many of the provisions have other effective dates and some do not have a clear date specified.  Additionally, some provisions will require regulations to be implemented, so these provisions may take two years or longer to take effect.

6 Responses to “The American Recovery and Reinvestment Act of 2009 Increases Requirements under the Health Insurance Portability and Accountability Act (HIPAA)”

  1. Roberisco on 22 Mar 2009 at 4:48 pm

    Every time I come here I am not disappointed, nice post

  2. Cecil Bullock on 13 Dec 2011 at 4:49 am

    There are several interesting factors over time in this article however I don’t know basically see all of them center to heart. There is some validity but I shall just take keep viewpoint till I look into this further. Good post, thanks and we want much more! Added to FeedBurner as well

  3. Paris Rumpca on 19 Apr 2013 at 1:46 pm

    Place on with this create-up, I truly believe this web web page demands way more consideration. I’ll most probable be once again to go through quite much more, thanks for that info.

  4. Delilah Ahrendes on 14 Nov 2013 at 7:12 am

    You will find certainly plenty of particulars like that to acquire into consideration. That may very well be a nice stage to supply up. I offer the thoughts over as elementary inspiration but plainly you’ll find questions such as the one particular you carry up the place the most significant point may very well be working in honest beneficial faith. I don’t know if very best practices have emerged around details like that, even so I’m sure that the employment is clearly recognized as a good activity. Just about every boys and girls feel the effect of only a second’s satisfaction, for the remainder of their life.

  5. DigZon on 08 Jun 2014 at 2:02 am

    Hello, you used to write excellent, but the last few posts have been kinda boring? I miss your tremendous writings. Past few posts are just a bit out of track! come on!

  6. sdorttuii plmnr on 10 Aug 2015 at 2:15 am

    Great web site. A lot of useful information here. I’m sending it to a few friends and also sharing in delicious. And naturally, thanks to your effort!
