Getting Ready for a "High Tech" World


Lani M. Dornfeld and Isai Senthil

Buried among the bailout provisions and executive compensation items in the American Recovery and Reinvestment Act of 2009 is a section that amends the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in a previously unforeseen manner. Among other things, this section, known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), significantly increases penalties and enforcement efforts, introduces the first federal security breach notification requirement and imposes substantial new obligations on business associates and HIPAA covered entities.

Increased Enforcement
The HITECH Act extends civil and criminal liability under HIPAA to business associates and provides that criminal penalties may apply to an individual or employee of a covered entity who discloses PHI without authorization. The Act provides a tiered civil penalty mechanism; penalties increase according to the cause of the violation and the violator’s knowledge of the violation. At the low end, for violations without knowledge, the Office for Civil Rights of the Department of Health and Human Services (HHS) may impose a penalty ranging from $100 to $50,000. At the next level, for violations due to reasonable cause (defined in HHS regulations as circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the provision violated), penalties range from $1,000 to $50,000 per violation, with a cap at $1.5 million per calendar year. At the second highest level, for violations caused by willful neglect that were corrected within 30 days of discovery of the violation, penalties range from $10,000 to $50,000, with a cap at $1.5 million per calendar year. Finally, a penalty of $50,000 may be imposed for each violation caused by willful neglect (defined by HHS as conscious, intentional failure or reckless indifference to the obligation to comply with the provision violated) which is not corrected within 30 days of discovery, with a cap at $1.5 million per calendar year. When there is a penalty range, the specific amount will be determined by HHS upon its review of the nature and extent of the violation, the resulting harm, as well as other factors, such as the covered entity’s history of compliance or financial condition. A provider may raise an affirmative defense to the imposition of penalties for violations that are not due to willful neglect (that is, without knowledge or due to reasonable cause) that are corrected in a timely fashion.

The HITECH Act also authorizes state attorneys general to enforce HIPAA. (Previously, such enforcement authority rested solely with HHS.) In January, 2010, Connecticut Attorney General Richard Blumenthal became the first attorney general to exercise this new authority by filing suit against Health Net of Connecticut, Inc. for allegedly failing to secure patient records and financial information involving hundreds of thousands of Connecticut enrollees and failing to promptly notify individuals endangered by a breach of such information. The complaint alleges, among other things, that Health Net failed to promptly notify Blumenthal and various Connecticut agencies of the missing information and failed to encrypt the sensitive information on the computer hard drive in blatant disregard of Health Net’s policies and procedures and legal requirements. The complaint also alleges multiple HIPAA violations for failure to comply with several standards, including failing to identify and respond to security incidents, failing to mitigate harmful effects of such incidents and failing to adopt and implement policies and procedures to prevent, detect and correct security violations.

It is likely that other state attorneys general will follow Blumenthal’s lead and exercise their new enforcement authority.

Breach Notification
Perhaps the most significant provision of the HITECH Act is the new federal breach notification requirement, which requires covered entities to notify affected individuals of a breach of their unsecured PHI (i.e., PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS). HHS guidance provides only two methods for securing PHI in a way that precludes application of the HITECH Act's breach notification requirements, effectively providing a "safe harbor." First, PHI will be deemed unusable, unreadable or indecipherable if it has been encrypted, as specified in the HIPAA Security Rule (i.e., by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key") and consistent with National Institute of Standards and Technology (NIST) encryption processes. Thus, if a laptop containing encrypted PHI is stolen from a covered entity, and the encryption method follows standards approved by HHS, the HITECH Act's breach notification rules would not apply, because the PHI would be considered secured rather than unsecured. However, it is important to keep in mind that several states have adopted their own breach notification rules, which may continue to apply regardless of whether the PHI is encrypted.

Second, HHS has stated in its guidance that PHI will be deemed unusable, unreadable or indecipherable if the media on which it is stored or recorded has been destroyed by one of the following methods: (1) paper, film or other hard copy media have been shredded or destroyed such that PHI cannot be read or reconstructed; and (2) electronic media have been cleared, purged or destroyed in accordance with NIST standards such that PHI cannot be retrieved.

Although the HITECH Act defines “breach” broadly to include any “unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information,” regulations issued by HHS in August, 2009 somewhat narrow the scope. In the regulations, HHS defines “unauthorized” as an impermissible use or disclosure of PHI under the HIPAA Privacy Rule. HHS further expands upon the definition of the phrase “compromises the security or privacy of such information” to include a risk-of-harm threshold that must be met prior to triggering a notification requirement. Specifically, PHI is considered compromised only if the event poses a “significant risk of financial, reputational, or other harm to the individual.” It is likely that many breaches will not rise to this threshold level and therefore will not require notification to the affected individual. However, a covered entity's determination that a breach does not pose a significant risk of harm must be the result of a documented risk assessment and the covered entity must be able to support any determination not to notify affected individuals.

HHS regulations also track the HITECH Act's provisions which exclude certain disclosures from the definition of breach. In particular, a breach is not:
  • Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the HIPAA Privacy Rule.
  • Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the HIPAA Privacy Rule.
  • A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. (For example, mail sent to the wrong individual but returned unopened as undeliverable.)

If a covered entity determines that a breach has occurred and that notification is warranted, then it must notify the affected individuals within a reasonable period of time, but not later than sixty calendar days after the covered entity knows, or reasonably should have known, of the breach. Such notification must be provided by first class mail (unless the individual has authorized the use of an electronic mail address for such notices) and must include: a brief description of what happened, including the date of the breach and the date of the discovery of the breach; a description of the types of unsecured PHI involved; any steps individuals should take to protect themselves from potential harm resulting from the breach; a brief description of actions taken by the covered entity to investigate the breach and mitigate potential harm; and contact information, including a toll-free phone number.

For breaches involving more than 500 individuals in one state or jurisdiction, the covered entity must notify prominent media outlets serving the state and regional area of the breach. For breaches involving 500 or more individuals, the covered entity also must notify HHS, which will list the breach on its website. For breaches involving fewer than 500 individuals, covered entities must maintain an internal log of such breaches (which, among other things, must include a description of what happened, including the date of the breach, the date of the discovery of the breach, and the number of patients affected, if known) and annually submit such log to HHS.

Finally, HHS also requires business associates to notify the applicable covered entity when the business associate discovers a breach of unsecured PHI.

Business Associates
Effective February, 2010, certain HIPAA provisions apply directly to business associates. (At the time of this writing, HHS has not yet published regulations directly implementing this provision, and many other provisions, of the HITECH Act.) Previously, privacy and security requirements were imposed on business associates by way of contractual agreements with covered entities. Now, the HITECH Act explicitly requires business associates to, among other things, implement the HIPAA Security Rule’s safeguards for electronic PHI, and directly comply with the HIPAA Privacy Rule business associate safeguards, such as restricting the use and disclosure of PHI as specified in the business associate agreement or as required by law, making available its books and records to HHS, and returning or destroying PHI, if feasible, upon termination of the agreement.

As mentioned above, business associates must also notify a covered entity of any security breach and provide contact information for affected individuals.

Accounting of Disclosures

The HITECH Act requires that covered entities maintain extensive accounting practices not previously required by HIPAA. Pursuant to current HIPAA regulations, covered entities must maintain an accounting of certain disclosures of PHI for the prior six years, not including disclosures related to treatment, payment and health care operations. Starting in 2011, covered entities that use or maintain electronic health records (“EHRs”) must be able to provide individuals with accountings that include disclosures for treatment, payment and health care operation purposes made in the prior three years. Furthermore, the HITECH Act provides that, when an individual requests an accounting of such disclosures, a covered entity may respond by providing the requested accounting of all disclosures made by the covered entity and by its business associates, or by providing the accounting of disclosures made by itself and a list of its business associates so that the requestor can contact those business associates directly to request an accounting of disclosures made by them. The effective date of this new requirement varies and is based upon the date on which the covered entity obtained EHRs. For covered entities that acquired EHRs on or before January 1, 2009, the new requirements apply to disclosures made on or after January 1, 2014. For covered entities that acquired EHRs after January 1, 2009, the new requirements apply to disclosures made on or after the later of January 1, 2011 or the date the EHR was obtained.

Restrictions on Disclosures
The HITECH Act affords individuals the right to demand, and requires covered entities to abide by, certain disclosure limitations regarding the individuals’ PHI. Previously, individuals only had the right to request a restriction on a covered entity’s use or disclosure of PHI for treatment, payment or health care operations. Covered entities were not required to agree to the requested restriction. The HITECH Act modifies this provision by requiring that covered entities abide by an individual's request that their PHI regarding a specific health care item or service not be disclosed to a health plan for purposes of payment or health care operations, if the covered entity has already been paid in full by the individual for the particular services. Disclosures for treatment purposes remain unchanged and can continue to be made in accordance with existing HIPAA rules and regulations.

Minimum Necessary Standard
Before the enactment of the HITECH Act, HIPAA required covered entities, when using or disclosing PHI, to reasonably ensure that the covered entity limited the PHI to the minimum necessary to accomplish the intended purpose. Among other things, HIPAA exempts from the minimum necessary standard uses and disclosures made for treatment purposes, made to an individual, made pursuant to a HIPAA-compliant authorization, and those made as required by law. The HITECH Act requires that, until HHS issues additional guidance on what constitutes "minimum necessary," covered entities limit the use, disclosure, or request of PHI, to the extent practicable, to a limited data set or, if needed, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request. (A limited data set is PHI that excludes direct identifiers, which include names, postal address information other than town or city, state, and zip code, telephone numbers, fax numbers, e-mail addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, and photographic images.) The HITECH Act also clarifies that the party disclosing the PHI (as opposed to the party requesting the PHI) must make the determination as to what constitutes the minimum necessary to accomplish the intended purpose of such disclosure. This requirement will sunset when HHS issues guidance on what constitutes "minimum necessary," which must be issued no later than August of 2010.

Conclusion
This article discusses several aspects of the HITECH Act's impact upon HIPAA, but the HITECH Act also revises certain other HIPAA provisions, most of which require prompt action in the form of amending HIPAA policies and procedures and training workforce members on such revised policies and procedures.

© COPYRIGHT 2012 . BRACH EICHLER L.L.C. 101 EISENHOWER PARKWAY, ROSELAND, NJ 07068 (973) 228-5700