The American Recovery and Reinvestment Act (the "Stimulus Package") will significantly change provisions in the HIPAA Privacy and Security Regulations ("the Regulations"), broadening their applicability and creating new provisions that will place new requirements on those covered by the Regulations. These are the first substantial revisions to these laws since they took effect in 2003 and 2005, respectively.
Under the Regulations, the largest compliance obligations fall upon certain defined entities such as health care plans, clearinghouses, and health providers that conduct certain electronic transactions ("Covered Entities"). While the Regulations do not directly regulate employers that do not fall into one of the foregoing categories, some employers may have obligations under the Regulations by virtue of a self-insured health plan, flexible spending account or cafeteria plan or an employer's role as a business associate of a Covered Entity. Both self-insured health plans and flexible spending account/cafeteria plans are considered covered health plans under the Regulations. Examples of functions that may trigger business associate requirements include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, financial services, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing for a Covered Entity. Employers who have signed these "Business Associate Agreements" over the years will now be subject to increased scrutiny and penalties, as discussed below.
Prior to the Stimulus Package, the Regulations did not directly apply to Business Associates of Covered Entities. Business Associates were subject to contract provisions required to be included in agreements with Covered Entities, but regulatory authorities could not enforce the provisions against the Business Associate. The Stimulus Package changes this, expanding enforcement and the scope of the businesses covered by these complex regulations. These changes include:
- extension of many provisions of the Regulations to Business Associates;
- expansion of civil and criminal penalties for violation of the applicable Regulations to Business Associates;
- requiring periodic compliance audits of Business Associates by the United States Department of Health and Human Services; and
- expansion of the definition of Business Associate to include those that provide data transmission services and require access to protected health information on a routine basis, as well as vendors that offer personal health records to patients.
The Stimulus Package also creates the first comprehensive security breach notification requirements for "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information." Unless an exception applies, the Stimulus Package will require Covered Entities and Business Associates to notify both individuals and the Secretary of Health and Human Services of "unsecured protected health information" breaches. Where a breach involves more than 500 individuals, notification of prominent media outlets where the individuals reside must occur.
In addition, penalties will be increased and tiered up to a maximum of $1.5 million depending on aggravating factors. Some groups have criticized the United States Department of Health and Human Services Office of Civil Rights for the limited number of enforcement actions taken under the Regulations. The new law gives State Attorneys General the authority to bring suit in federal district court against any person violating the rules on behalf of state residents to enjoin further violation or to obtain damages. The Court will be allowed to award attorneys fees to the state in such actions.
Even employers who are not subject to the strict requirements should be sensitive to the rules. HIPAA has sensitized the American public to privacy issues. Limiting the health information obtained by employers regarding their employees to the absolute minimum and segregating it from the employment functions of an organization will assist employers in defending discrimination-type claims. In all cases, given the current regulatory environment, employers that come in contact with health information should make every effort to safeguard it and ensure its confidentiality.
The new provisions are extremely detailed and complex and will impact businesses in a variety of ways. In addition, the effective date of the law varies by section and regulations clarifying the rules have been and continue to be released. Hiscock & Barclay, LLP has provided counsel to Covered Entities and Business Associates in interpreting the Regulations, training staff, drafting and updating policies and procedures, drafting Business Associate Agreements and responding to investigations by regulatory agencies. Should you have specific questions regarding how the new law impacts your business, please contact Melissa Zambri, Margaret Surowka Rossi, or any member of our Health Care and Human Services or Labor and Employment Practice Areas.