ARRA modifications to HIPAA

Published August 2009

The American Recovery and Reinvestment Act of 2009 (ARRA) approved by Congress on February 13, 2009 and signed into law by the President on February 17, 2009, makes a number of modifications to the Health Insurance Portability and Accountability Act (HIPAA) regarding privacy and security rules.

The legislative changes that affect HIPAA create many new requirements, enforcement provisions and penalties for covered entities, business associates, vendors and others. Many changes are focused on HIPAA’s privacy and security requirements and will require businesses to change the way they currently do business. There are significant changes to all Covered Entities (defined under HIPAA as health care providers that conduct certain electronic transactions, health care clearinghouses, and health plans), but are most challenging for Business Associates (individuals or corporate persons that perform ANY function or activity involving the use of Protected Health Information (PHI), who now face a host of new requirements.

Free Webinar September 1st

Part of our HR Legislation webinar on September 1st will cover new HIPAA Privacy and Security Rules also referred to as HITECH.Visit our webinar webpage to sign up.


Business Associates Required to Comply with HIPAA Privacy and Security Rules

Under HIPAA, Business Associates have not been directly regulated and have not been subject to HIPAA’s penalty provisions. Because HIPAA only requires a contract between the Business Associate and the HIPAA-covered entity, the only sanctions Business Associates faced for failure to protect health information was a breach of contract claim. However, ARRA makes significant changes to the way Business Associates are treated under HIPAA.

ARRA specifies that any entity that engages in health information exchanges or provides data transmission of PHI (including Personal Health Record (PHR) vendors and health information exchanges) is considered a Business Associate. As such, these entities must enter into a business associate contract with the covered entity and will be subject to ARRA’s civil and criminal penalty provisions.

Additionally, ARRA requires that the administrative, physical and technical safeguards and the policy, procedure and documentation requirements of HIPAA’s security rule apply to Business Associates of a covered entity in the same manner as they apply to the covered entity. These additional requirements must be incorporated into Business Associate contracts and agreements and include notification provisions for a breach and the application of ARRA’s criminal and civil penalties. With regard to HIPAA’s privacy rules, Business Associates are prohibited from using or disclosing any PHI in a manner which is not in compliance with the Business Associate contract or agreement required terms under HIPAA. These changes become effective February 17, 2010 (one year after the enactment of ARRA).

Notice to Individuals of Privacy and Security Breaches

ARRA also imposes certain notification requirements on covered entities and Business Associates in the event of a breach of “unsecured protected health information.” A breach is defined as “the unauthorized acquisition, access, use, or disclosure of protected health information which comprises the security or privacy of such information, except where an authorized person to whom such information is disclosed would not reasonably have been able to retain such information”. Unsecured protected health information is defined as protected health information that the covered entity or Business Associate has not secured via standards approved by the Secretary of Health and Human Services (Secretary).

Generally, the notification of a breach must be provided “without unreasonable delay”, but in no case later than 60 days after the discovery of the breach or when the breach should reasonably have been discovered. Since the 60 days is the outer limit for notification, if the full 60 day window is used, the covered entity or Business Associate involved in the breach must be prepared to justify their reasons for not providing notification of the breach sooner. However, notice of a breach may be delayed provided that notification would hinder a criminal investigation and/or injure national security (as determined by a law enforcement official).

For Business Associates that discover a breach, the Business Associate must notify the covered entity of the breach or potential breach and identify individuals affected or potentially affected. For covered entities, notification must be made to individuals whose unsecured protected health information has been accessed, acquired or disclosed or is reasonably believed to have been accessed, acquired or disclosed as a result of a security or privacy breach. In general, notification to affected individuals must be sent via first class mail. However, where a breach involves 10 or more individuals whose contact information is out-of-date or deficient, notification must be posted to the covered entity’s website or published in major print or broadcast media. For a breach that involves 500 or more individuals, the covered entity involved in the breach must also give notice to prominent media outlets in the applicable jurisdiction or state.

Notice of all breaches must be provided to the Secretary. If the breach affects 500 or more individuals, the covered entity involved in the breach must immediately notify the Secretary. For breaches that affect less than 500 individuals, the covered entity involved in the breach may notify the Secretary of any breaches on an annual basis.

To the extent possible, all notices must contain:

1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach (if known);

2. A description of the types of unsecured protected health information involved in the breach (e.g., social security number, date of birth);

3. The steps individuals should take to protect themselves from potential harm as a result of the breach;

4. A brief description of what the entity involved is doing to investigate the breach, to mitigate losses and to protect against further breaches; and

5. Contact procedures for individuals to ask questions or receive additional information, including a toll-free telephone number and an e-mail address, web site or postal address.

Expansion of Accounting of Disclosures

ARRA changes the existing limitations on accounting for disclosures of health information to individuals who request the disclosure. If a covered entity uses or maintains an Electronic Health Record (EHR), then individuals will be allowed to receive an accounting of the disclosures of PHI for treatment, payment and health care operations made from the EHR. The period of mandated disclosure is limited to the 3 year period prior to the individual’s request. A reasonable fee may be charged to the requesting individual, provided the fee is not greater than the labor costs involved in complying with the request.

The Secretary is required to adopted regulations that specify the information to be contained in the accountings within 6 months of ARRA’s enactment. Covered entities that began using EHR prior to January 1, 2009 will be required to provide the accounting upon request effective January 1, 2014. Covered entities that begin using EHR after January 1, 2009 will be required to provide the accounting upon request effective January 1, 2011.

Mandatory Restrictions on Disclosure of PHI when Requested by Individuals

Under ARRA, individuals are given the right to restrict the disclosure of PHI related to treatment, payment and health care operations provided:

1. The restriction relates to disclosure for purposes of payment or health care operations;

2. The restriction does not relate to disclosure for purposes of treatment; and

3. The PHI relates only to an item or service for which the provider has already received payment in full.

Right of Individuals to Receive Electronic Records

If a covered entity maintains EHRs that contain PHI, ARRA provides individuals with the right to obtain a copy of their records in an electronic format or to request that the record be transmitted to a third party. The covered entity may not charge the individual requesting the copies more than the total cost of labor incurred by the entity in transmitting the copies.

Clarification of the Minimum Necessary Standard

Pending additional guidance from the Secretary, a covered entity will be considered to be in compliance with the minimum necessary standard if, to the extent possible, the covered entity limits the disclosure to a limited data set or to the minimum data necessary to accomplish the intended purpose of the disclosure or use of the information. The Secretary is required to issue guidance within 18 months of ARRA’s enactment.

Increase Use of De-Identifed Information

ARRA requires the Secretary to issue guidance on how covered entities can comply with requirements related to the use of de-identified PHI. Such guidance must be issued within 1 year of ARRA’s enactment.

Enforcement and Penalties

ARRA authorizes the Secretary to conduct periodic audits of covered entities and Business Associates to ensure compliance with HIPAA and ARRA requirement. The Secretary is also authorized to utilize civil enforcement provisions even if the action in question violated the criminal provisions, provided no criminal conviction is associated with the conduct.

The Secretary is required to impose civil penalties if a violation is due to willful neglect and to formally investigate any complaint if a preliminary investigation indicates the potential of violation due to willful neglect. For cases involving violations where the individual did not know of the violation or where the individual would not have known of the violation by exercising reasonable diligence, corrective action rather than penalty may still be used.

Under ARRA, criminal enforcement for certain HIPAA violations is not limited to covered entities. For purposes of criminal enforcement provisions, ARRA provides that “a person (including an employee or other individual)” is considered to have obtained or disclosed individually identifiable health information in violation of HIPAA if such information is maintained by a covered entity and the individual obtained or disclosed such information without authorization.

The Office for Civil Rights will receive any civil monetary penalties (CMPs) or settlements related to HIPAA security-related offenses. Such funds will be used to fund the further enforcement of ARRA and HIPAA rules and requirements.

States’ Attorney General may bring a civil action under ARRA on behalf of state residents who have been or are threatened to be harmed by a violation to obtain injunctive relief or damages, as well as attorney fees. Notice must be given to the Secretary and the Secretary is permitted to intervene. The States’ Attorney General may not bring an action if a federal action by the Secretary is already pending. These provisions only apply to violations that occur after February 17, 2009 (the date of enactment).

The Comptroller General must submit a report to the Secretary within 18 months of ARRA’s enactment that provides recommendations for determining a reasonable methodology for calculating an appropriate percentage of CMPs or settlements for individuals who have been harmed by a violation of HIPAA or ARRA. The Secretary is required to issue regulations based on the Comptroller General’s recommendations within 3 years of ARRA’s enactment.