The HITECH Act: A New Era For Business Associates
The American Recovery and Reinvestment Act of 2009 ("ARRA") was signed into law earlier this year. Under ARRA, the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Title XIII, details significant changes to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules.
For the first time, the HITECH Act makes the HIPAA Privacy and Security Rules, as well as the civil and criminal penalties under HIPAA, applicable to business associates ("BAs"). BAs are entities providing services to health care providers, health insurers and other HIPAA "covered entities."
Historically, the HIPAA Privacy and Security Rules only directly applied to covered entities. Covered entities include health care providers, health plans and health care clearinghouses. Covered entities were required to implement Business Associate Agreements ("BAAs") with service providers whose services involved receipt of protected health information ("PHI") from the covered entity. The BAA imposed certain obligations upon the BA, including privacy protections for use and disclosure of PHI which the BA may have received in the course of doing business with a covered entity. However, none of the enforcement provisions and penalties for HIPAA violations applied directly to BAs. The only consequence of a BA breaching a BAA was a breach of contract claim from the covered entity.
The HITECH Act drastically changes how the Privacy and Security Rules apply to BAs, including enforcement actions and civil monetary penalties. Every BA should carefully review the HITECH Act and take the requisite steps to comply with its new responsibilities.
What's New For Business Associates
The HITECH Act expands the application of the HIPAA Privacy and Security Rules to BAs. Some of the most significant changes for BAs under the HITECH Act include the following:
- compliance with the HIPAA Privacy and Security Rules;
- notification requirements for breaches of unsecured PHI;
- accounting for disclosures of PHI;
- limitation of PHI disclosures to limited data sets or the minimum necessary;
- prohibition on sales of PHI;
- restrictions on marketing;
- applicability of civil and criminal penalties for violations; and
- mandatory compliance audits by HHS.
Applicability of the HIPAA Privacy and Security Rules
The HITECH Act expands the reach of the HIPAA Privacy and Security Rules directly to BAs, including imposition of criminal and civil penalties for violations. The HITECH Act expressly states that BAs will be subject to both the HIPAA Privacy Rules and the HIPAA Security Rules. Further, the obligations for compliance with the Privacy and Security Rules must be incorporated in the BAA between the BA and the covered entity.
Under the HITECH Act, a BA is permitted to use or disclose PHI only if such use or disclosure is in compliance with each applicable requirement of the Privacy Rule defining the obligations of the BA. Thus, a breach of the BAA not only results in breach of contract claims, but also constitutes a violation of law (i.e., criminal and civil penalties).
According to the HITECH Act, BAs will be required to meet a broad range of requirements such as obtaining patient authorization for certain uses and disclosures of PHI, establishing privacy and security policies and procedures, providing patients with rights of access to PHI and an accounting of PHI disclosures, conducting security risk assessments for electronic PHI ("e-PHI"), and other requirements previously applicable only to covered entities.
Moreover, the HIPAA Security Rules relating to administrative, physical and technical safeguards of e-PHI will apply directly to BAs in the same way that those standards apply to covered entities. As a result, BAs will be required to conduct a formal risk assessment, appoint a security officer, adopt written security policies and procedures, and train their employees, among other requirements. Additionally, violations of the Security Rule by a BA may result in civil and criminal penalties.
The effective date for the provisions subjecting BAs to HIPAA privacy and security requirements is February 17, 2010. However, until HHS implements regulations, the full effect of these changes remains somewhat unclear, particularly with respect to the BA's compliance with the HIPAA Privacy Rule.
Breach Notification Rule
Recently the Department of Health and Human Services ("HHS") published an interim final rule addressing notification requirements for breaches of "unsecured" PHI in accordance with the HITECH Act (the "Breach Notification Rule").[1] The Breach Notification Rule applies to both covered entities and BAs. For purposes herein, we address the BA's duty of notification in the event a breach of unsecured PHI occurs.
In accordance with the HITECH Act, HHS was required to promulgate regulations regarding notice requirements for breaches of PHI by covered entities and BAs. The Breach Notification Rule is effective September 23, 2009; however, due to some ambiguity regarding effective dates within the HITECH Act, HHS stated it will not impose sanctions for failure to provide required notifications for breaches occurring before February 22, 2010. Notwithstanding the delayed imposition of sanctions, HHS states that following the effective date and during this initial period it expects covered entities and BAs to comply with the Breach Notification Rule.
The Breach Notification Rule requires BAs to provide notice to the covered entity following discovery of a breach of "unsecured" PHI that compromises the security or privacy of the PHI. Under the Breach Notification Rule, a "breach" means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI. Accordingly, in order to determine if notice is required under the Breach Notification Rule, HHS identified three practical steps for determining whether a breach has occurred. The BA should (1) determine whether there has been an impermissible use or disclosure of PHI under the Privacy Rule; (2) document whether the impermissible use or disclosure compromises the security or privacy of the PHI in a manner that poses a significant risk of financial, reputational or other harm to the individual; and (3) determine whether the incident falls under one of the exceptions to the definition of breach.
Under the Breach Notification Rule, a BA must notify the covered entity without "unreasonable delay," but no later than sixty (60) calendar days after discovery of the breach. A breach is treated as "discovered" on the first day on which such breach is known to the BA or, by exercising reasonable diligence, would have been known to the BA. BAs are not required to provide the notifications to affected individuals; however, the Rule requires BAs to notify the covered entity. Notice to the covered entity from the BA must include the identification of each individual whose unsecured PHI has been, or is reasonably believed by the BA to have been, accessed, acquired, used, or disclosed during the breach; and the BA shall provide the covered entity with any other available information that the covered entity is required to include in its notification to individuals. This means that the content of the notice must also include the following elements:
(a) A brief description of what happened, including the date of the breach and the date of discovery of the breach;
(b) A description of the types of unsecured PHI involved in the breach (i.e., whether full name, social security number, date of birth, home address, account number, diagnosis, disability code or other types of information were involved);
(c) Any steps that individuals should take to protect themselves from potential harm resulting from the breach;
(d) A brief description of what the covered entity is doing to investigate the breach, to mitigate the harm to individuals and to protect against any further breaches; and
(e) Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an email address, web site, or postal address.
In connection with the Breach Notification Rule, HHS published guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable (i.e., encrypted) for purposes of securing PHI (the "Guidance").[2] BAs should begin now to implement policies and procedures regarding notice to covered entities in the event that a breach of unsecured PHI occurs. Moreover, BAs should implement the security measures and technologies specified in the Guidance to safeguard PHI, and BAs should revise their BAAs to reflect the new notice requirements and security measures.
Additional Key Changes
In addition to the above key changes, BAs are subject to: accounting requirements under certain conditions; compliance with the minimum necessary standard for use and disclosure of PHI; limitations on marketing communications; and criminal and civil penalties.
Accounting
BAs must provide an accounting for disclosures of PHI if a covered entity uses or maintains an electronic health record ("EHR") and includes the BA on a list as an entity acting on behalf of the covered entity for purposes of patient access to PHI. Therefore, BAs will be required not only to maintain a log of PHI disclosures, but also to implement a procedure for responding to patient requests.
Limited Data Sets/Minimum Necessary
The HIPAA Privacy Rule includes a "minimum necessary standard" which limits uses, disclosures or requests for PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request of the PHI. The HITECH Act directs HHS to issue guidance by August 2010 to establish what constitutes the minimum necessary standard. In the meantime, BAs should limit the use, disclosure or request for PHI, to the extent practicable, to a limited data set or, if more information is needed, to the minimum necessary amount of PHI to accomplish the intended purpose of the use, disclosure or request. Prior to next year, BAs should review the types of disclosures made on a routine basis and confirm that the patient information disclosed constitutes a limited data set or that the disclosures are limited to the minimum necessary amount of PHI to accomplish the intended purpose of the disclosure.
Selling PHI
The HITECH Act prohibits a covered entity and BA from directly or indirectly receiving remuneration in exchange for any PHI without an individual's authorization, unless an exception applies.
Marketing Activities
Further, the HITECH Act limits marketing activities by BAs. Unlike under the HIPAA Privacy and Security Rules, marketing under the HITECH Act is "any" communication by a covered entity or BA regarding a product or service that encourages the recipient of the communication to purchase or use the product or service. Under the HIPAA Privacy Rule, communications deemed "health care operations" did not require patient authorization and were not considered marketing. Thus, such communications were permissible. Changes to the definition of marketing under the HITECH Act broaden the types of communications defined as marketing; therefore, BA communications to patients may be limited. BAs should review whether their communications to patients constitute marketing and, if so, should limit those communications to health care products or services provided by the covered entity and consistent with the individual's specific health care needs.
Enforcement
The HITECH Act fundamentally changes the enforcement of HIPAA Privacy and Security Rules violations and extends criminal and civil penalties to BAs. Previously, only covered entities were subject to such enforcement by HHS and the Office for Civil Rights ("OCR"). Now BAs are subject to criminal and civil penalties for violations of the HIPAA Privacy and Security Rules.
HHS Periodic Audits
BAs should prepare for compliance audits conducted by HHS or its designee. Under the HITECH Act, HHS must provide periodic audits to ensure that covered entities and BAs are in compliance with the Privacy and Security Rules. This requirement is effective as of February 17, 2010. Thus, BAs should begin to ensure they are in compliance with the applicable security and privacy requirements and ensure policies and procedures are developed and implemented to demonstrate compliance.
Conclusion
The HITECH Act changes the landscape for BAs by directly applying the HIPAA Privacy and Security Rules to BAs. BAs are now accountable for compliance with HIPAA obligations and any violations occurring thereunder, including imposition of civil and criminal penalties.
As a result, each BA should act now to gain an understanding of the HITECH Act and the current interim rules promulgated thereunder. BAAs should be reviewed and updated to comply with the HITECH Act, the Guidance, and the Breach Notification Rule. BAs should develop and implement policies and procedures addressing use, disclosure, and exchanges of PHI, and BAs should implement the requisite security measures consistent with the Guidance to secure and protect e-PHI.
Finally, BAs should prepare for periodic audits by implementing appropriate written policies and maintaining documentation to demonstrate compliance with the new privacy and security requirements as each aspect of the HITECH Act becomes effective.
If you have any questions regarding the HITECH Act or would like assistance with drafting, updating, or reviewing policies, procedures, or business associate agreements, please feel free to contact any one of the following attorneys:
Gregory W. Moore: (248) 988-5842 | gmoore@clarkhill.com
Kristi R. Gauthier: (248) 988-5854 | kgauthier@clarkhill.com
Clark Hill's Health Care Team can assist your organization with any one or more of the following:
- Review, revise and draft HIPAA policies and procedures;
- Update policies and procedures in accordance with the HITECH Act;
- Update Business Associate Agreements;
- Provide HIPAA training; and
- Provide general counsel regarding HIPAA privacy and security matters.
[1] Federal Register, Vol. 24, No. 162, August 24, 2009, Breach Notification for Unsecured Protected Health Information.
[2] Federal Register, Vol. 74, No. 79, April 27, 2009.