The Library

Health Care & The Benefits Game: New Rules - Immediate Action Required

The recently enacted economic stimulus package, the American Recovery and Reinvestment Act (“ARRA”), imposes significant new HIPAA Privacy and Security requirements on any entity or individual who comes into contact with protected health information (“PHI”). These new rules require that both HIPAA Covered Entities and Business Associates review their HIPAA compliance procedures and protocols and take steps to ensure that they are HIPAA compliant.

Included among the new rules are a new duty to notify each individual in the event of a security breach; a first-time extension of HIPAA’s Privacy and Security Rules to Business Associates; the imposition of direct penalties on Business Associates; and the expansion of penalties for noncompliance, as well as other remedial actions. Most of the new requirements go into effect a year from now, though some have shorter or longer deadlines.

Extension of HIPAA Privacy and Security Rules to Business Associates

Probably one of the most significant changes imposed by ARRA is the extension of HIPAA’s Privacy and Security Rules directly to Business Associates. Prior to ARRA, HIPAA applied to Covered Entities (i.e. health care providers, health care clearinghouses and health plans). If a health plan used a service provider such as a third party administrator to assist with claims administration, the health plan had to enter into a business associate agreement with the third party administrator, in which the third party administrator agreed to comply with the various HIPAA requirements imposed on the health plan. The Business Associate, therefore, had a contractual relationship with the Covered Entity but was not directly regulated by HIPAA.

Now, under ARRA, HIPAA’s privacy and security requirements apply directly to Business Associates. This means that a Business Associate is subject to the same penalties as the Covered Entity and is required to comply with the same rules.

Covered Entities will have to amend their Business Associate agreements in order to comply with these changes, which become effective one year from enactment of ARRA (February 17, 2010). Business Associates will also have to implement HIPAA Privacy and Security policies and procedures in order to comply with these new rules.

Expanded Definition of Business Associate

ARRA provides that any entity that provides data transmission services to a Covered Entity is considered a Business Associate. Included in the definition of Business Associates are Personal Health Record (PHR) vendors. (PHRs offered by HIPAA Covered Entities generally link individuals to, and allow them to view, some or all of their health records maintained by the Covered Entity.) ARRA also clarifies that a PHR includes all records, including electronic records, that are “managed, shared, and controlled by or primarily for the individual.” Therefore, a medical record held by a doctor’s office, used for reference in treating a patient, would qualify as a PHR. However, if that same record were copied and utilized by a life insurance company for its business records, the medical record (in the hands of the life insurance company) would not be considered a PHR.

Duty to Notify Individuals of Breaches in Security

Prior to the enactment of ARRA, if there was a privacy or security breach of PHI, Covered Entities had to take action to mitigate the breach’s harmful effects. Such actions typically included the review of privacy and security procedures, the imposition of sanctions on workforce members, and documentation of the complaint response. There was no HIPAA requirement that the Covered Entity notify the individual whose PHI may have been breached (there are, however, state duty-to-notify laws, which typically do not apply to health plans).

Now, under ARRA, if there is a breach of PHI by a Covered Entity or a Business Associate (i.e. a third party administrator, claims administrator or billing agent), the Covered Entity must notify each individual whose PHI was breached. ARRA mimics many state security breach laws in requiring Covered Entities to notify both the HHS Secretary and the individuals whose health information was compromised. Furthermore, the Covered Entity must take the following steps:

  • Notify major media outlets and HHS immediately in the event that the breach involves 500 or more individuals; otherwise, notify HHS and the impacted individuals of the breach within 60 days of discovering the breach.

  • Describe the circumstances of the breach, including the date of the breach and the date of discovery, the type of PHI involved, steps individuals should take to protect themselves, and steps the Covered Entity is taking to mitigate the harm and protect against future breaches.

In addition, if a Business Associate detects a breach or is involved in causing a breach, it is now required to report the breach to the Covered Entity, including the identity of each individual involved, within 60 days of discovering the breach.

This provision is effective 30 days after the duty-to-notify regulations are issued. ARRA requires those regulations within 180 days of enactment, or September 15, 2009, making the expected effective date October 15, 2009.

Expanded Accounting for Treatment, Payment, and Health Care Operations

HIPAA provided individuals with a right to request an accounting of most disclosures of their PHI for the previous six (6) years. Excluded from this requirement are routine disclosures for purposes of treatment, payment or health care operations (“TPO”). Instead, HIPAA required Covered Entities to describe TPO disclosures in their Notice of Privacy Practices, which explains the types of disclosures made for these more routine purposes.

ARRA requires Covered Entities that maintain “electronic health records” (i.e. an electronic record of health-related information on an individual that is created, gathered, managed or consulted by authorized health care clinicians and staff) to include routine TPO disclosures in any accounting list. However, the TPO accounting is limited to the previous three (3) years. It is not clear how this new requirement would impact group health plans, which typically hold claims records that are created by health care providers, either for treatment or for consultation in deciding a claim for benefits.

The compliance deadlines for the new TPO rules are staggered. For electronic health records held by a Covered Entity as of January 1, 2009, the new TPO requirements apply to TPO disclosures on or after January 1, 2014 (this may be extended to 2016). For electronic health records acquired after January 1, 2009, the new TPO requirements apply to TPO disclosures on or after January 1, 2011 (this may be extended to 2014).

Payment for Exchange of PHI or Marketing Communications

Under the current HIPAA rules, in order to communicate with an individual for marketing purposes (“marketing communications”), a Covered Entity must obtain an individual authorization that discloses any possible remuneration (direct or indirect) for the communication. “Marketing communications” generally include communications that encourage individuals to purchase or use a product or service. In contrast to marketing communications, communications for “health care operations” do not require individual authorizations. ARRA has changed these definitions to tighten the requirements for “marketing communications.”

Under ARRA, in order for a communication to qualify as a communication for “health care operations,” and thus be exempt from the individual authorization requirement, it must fit an exception under the “marketing” definition; furthermore, the Covered Entity must not receive direct or indirect remuneration in connection with the communication. This provision applies 12 months after enactment, i.e. on February 17, 2010.

Furthermore, ARRA also prohibits direct or indirect payment for the exchange of PHI unless authorized by the individual. ARRA provides several exceptions to this rule, including where PHI is exchanged for public health activities, research, treatment, the sale of the Covered Entity, and services under a business associate agreement. Regulations further clarifying this provision are required to be issued within 18 months of enactment, and the new prohibition is effective 6 months after the final regulations.

Right of Access to PHI

HIPAA provides individuals with a right to access their PHI within 60 days of a request and at a reasonable cost for labor, copying and postage. Under ARRA, if a Covered Entity holds an “electronic health record” (i.e. an electronic record of health-related information on an individual that is created, gathered, managed or consulted by authorized health care clinicians and staff), an individual must be able to request their PHI in electronic form and may be charged only for labor costs. These provisions are effective 12 months after enactment, i.e. on February 17, 2010.

Restricting Disclosures for TPO (Treatment, Payment and Health Care Operations)

Currently, HIPAA permits an individual to request that a Covered Entity not disclose PHI, even for TPO. However, the Covered Entity has the right to refuse this request.

Under ARRA, the Covered Entity must now abide by a request for non-disclosure, even for TPO, when the services have been paid in full solely by the participant (and not by a group health plan or health insurance issuer). These provisions are effective 12 months after enactment, i.e. on February 17, 2010.

Increased Penalties and Enforcement

ARRA expands the amount and nature of the civil and criminal penalties that may be imposed for a violation of HIPAA’s Privacy and Security standards. Importantly, ARRA expands the pool of potentially liable parties to include any individual who comes into contact with PHI, including but not limited to Business Associates. Previously, Business Associates were liable only to Covered Entities, for breaches of the terms of their Business Associate Agreements. Further, HHS is now required to audit Covered Entities to ensure their compliance with HIPAA’s Privacy and Security standards.

Civil penalties can also be imposed for criminal violations of HIPAA that are not prosecuted by DOJ. ARRA mandates a formal investigation and the imposition of civil penalties for HIPAA violations due to willful neglect. ARRA also imposes a new tiered penalty system based upon the nature of the HIPAA violation, with varying amounts for a “No Knowledge” violation, a “Reasonable Cause” violation, and a “Willful Neglect” violation, and with no penalty applying if the violation is corrected within 30 days of the date the person knew or should have known about the violation.

ARRA also provides state attorneys general with the authority to bring civil suits against persons who violate HIPAA’s rules and to obtain penalties against them. Further, it appears that individuals may also now have the right to enforce a violation of HIPAA’s Privacy and Security standards as it relates to their own PHI.

Health Information Technology Items

In addition to the significant changes to HIPAA Privacy and Security, ARRA imposes significant requirements on, and vastly expands the use of, health information technology (HIT). Besides providing a significant appropriation for the implementation of HIT policies and procedures, ARRA mandates that federal agencies, as well as those who contract with federal agencies, must use HIT systems and products that meet required standards. The government is currently forming a task force to assist in meeting its target for implementation in 2014.

Conclusion

ARRA imposes several significant new rules for HIPAA Privacy and Security and expands the scope of HIPAA’s application. These changes require you to start taking steps to comply with the new rules. Below is a brief list of “Action Items” we recommend you start implementing in order to comply with ARRA’s far-reaching changes to the HIPAA Privacy and Security rules and their enforcement.

ACTION ITEMS

  • Identify and Reconfirm Business Associates - Identify all current Business Associates and amend existing agreements to include the new penalties and duties, and to confirm that Business Associates have documented policies and practices for data security.

  • Implement a Process and Procedure for Handling Breaches of PHI - Routinely perform and document a HIPAA checkup to ensure that you are complying with the new rules, and develop a detailed procedure for reporting breaches.

  • Amend HIPAA Privacy Policies and Procedures - ARRA’s new penalties, as well as the creation of new individual rights, require Covered Entities (and now Business Associates) to ensure that they have policies and procedures in place that adequately address these changes. All existing policies and procedures should be reviewed, and if you do not have HIPAA policies and procedures in place, they should be developed.

  • Develop Mitigation Strategies - Ensure that a mechanism is in place for reporting and dealing with violations of HIPAA Privacy and Security, and ensure that all employees are properly trained on the requirements for handling PHI and on the firewalls required around HIPAA information.

  • Review HIPAA Forms - ARRA provides additional individual rights related to the accounting and disclosure of PHI. All HIPAA forms should be amended to reflect these changes.

For more information, please contact:

Kristen Belz Ornato 412 394 7749 kornato@thorpreed.com

Heather L. Bednarek 412 394 2352 hbednarek@thorpreed.com

If you have any additional questions, do not hesitate to contact a member of Thorp Reed and Armstrong’s Benefits Practice Group or Health Care Practice Group, or a Thorp Reed attorney with whom you routinely work.

This Thorp Reed & Armstrong, LLP Communiqué is prepared in summary form and is not to be construed as legal advice or opinion on any specific fact or circumstance. We do not assume any responsibility to revise the Communiqué if there are subsequent changes in the law.

IRS CIRCULAR 230 NOTICE: To ensure compliance with requirements imposed by the Internal Revenue Service, we inform you that any U.S. tax advice contained in this communication (or in any attachment) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed in this communication (or in any attachment).

May 2009