Barclay Damon

Legal Alert

American Recovery and Reinvestment Act Significantly Revises the HIPAA Privacy and Security Rules

The American Recovery and Reinvestment Act (the “Stimulus Package”) significantly changes provisions in the HIPAA Privacy and Security Regulations (“the Regulations”), broadening their applicability and creating new provisions that will place new requirements on those covered by the Regulations. These are the first substantial revisions to these laws since they took effect in 2003 and 2005, respectively.

Prior to the Stimulus Package, the Regulations did not directly apply to Business Associates of Covered Entities. Business Associates were subject to contract provisions required in agreements with Covered Entities but regulatory authorities could not enforce the provisions against the Business Associate. The Stimulus Package changes this, expanding enforcement and the scope of the businesses covered by these complex regulations. These changes include:

  • Extension of many provisions of the Regulations to Business Associates; 
  • Expansion of civil and criminal penalties for violation of the applicable Regulations to Business Associates; 
  • A requirement for periodic compliance audits of Business Associates by the United States Department of Health and Human Services; and
  • Expansion of the definition of Business Associate to include those that provide data transmission services and require access to protected health information on a routine basis, as well as vendors that offer personal health records to patients.

The Stimulus Package also creates the first comprehensive security breach notification requirements for “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information.” Unless an exception applies, the Stimulus Package will require Covered Entities and Business Associates to notify both individuals and the Secretary of Health and Human Services of “unsecured protected health information” breaches.

Where a breach involves more than 500 individuals, prominent media outlets serving the area where the individuals reside must also be notified. “Unsecured protected health information” is defined as protected health information not secured through the use of a technology or methodology specified by the Secretary of Health and Human Services, who will annually release guidance on which technologies and methodologies render protected health information “unusable, unreadable, or indecipherable to unauthorized individuals.” The law requires interim final regulations regarding these provisions within 60 days of February 17, 2009.

Other changes to the Regulations include: 

  • Covered entities are now required to comply with an individual’s request to limit access to his/her protected health information. There is an exception for payment or health care operations purposes where the health care provider has not been paid by the individual in full out of pocket;
  • The Secretary of Health and Human Services will issue guidance on what constitutes “minimum necessary” within 18 months after enactment; 
  • New requirements for accounting of disclosures where a covered entity uses or maintains electronic health records; and 
  • Tiered increases of Civil Monetary Penalties up to a maximum of $1.5 million depending on aggravating factors.

Some groups have criticized the United States Department of Health and Human Services Office of Civil Rights and the Centers for Medicare and Medicaid Services for the limited number of enforcement actions taken under the Regulations. The new law gives State Attorneys General the authority to bring suit in federal district court, on behalf of state residents, against any person violating the rules, either to enjoin further violation or to obtain damages on behalf of such residents. The Court will be allowed to award attorneys’ fees to the state in such actions.

The new provisions are extremely detailed and complex and will impact businesses in a variety of ways. In addition, the effective date of the law varies by section. Hiscock & Barclay, LLP has provided counsel to Covered Entities and Business Associates in interpreting the Regulations, training staff, drafting and updating policies and procedures, drafting Business Associate Agreements and responding to investigations by regulatory agencies. Should you have specific questions regarding how the new law impacts your business, please contact Melissa Zambri or any member of our Health Care and Human Services Practice Area.