As the one year anniversary of the American Recovery and Reinvestment Act of 2009 (the ARRA) draws near and many of the HITECH provisions become effective, attorneys need to be cognizant of the potential implications for our clients and for the practice of law.
The ARRA was signed into law by President Obama on February 17, 2009.[i] Contained within the ARRA was the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act revised some of the original HIPAA[ii] provisions and established funding sources for the adoption of electronic health records.[iii]
Of vital importance to attorneys are HITECHs additional protections for the privacy and security of health information and strengthening of penalties previously in effect under the HIPAA. Litigators working with medical records in any capacity will need to prepare for the inevitable transition to electronic health records and educate themselves on how to function optimally in this new electronic age.
This article will focus on the changes to the HIPAA privacy and security regulations made by the HITECH Act, and specifically on what it means for attorneys to be business associates under the HITECH Act and the forthcoming new regulations.
Business Associates
HITECH expanded the scope of HIPAA by statutorily imposing certain HIPAA privacy and security rules on business associates. Under HIPAA, covered entities must have written agreements with their business associates specifying that the business associate will abide by certain HIPAA regulations and would report any unauthorized uses or disclosures of protected health information (PHI) to the covered entity. Prior to HITECH, HHS[iv] had no right of action against business associates who violated applicable HIPAA regulations and business associates could only be held responsible for breaches of privacy and security through breach of contract claims brought by the covered entity. Under HITECH, business associates are subject to direct enforcement of the HIPAA by both HHS and each states Attorney General.
Sections 13401 and 13404 of HITECH require that certain HIPAA provisions relating to privacy and security be included in all business associate agreements, therefore requiring amendments of all outstanding business associate agreements. New business associate agreements must be in effect by February 18, 2010.
Lawyers as Business Associates
While many attorneys may think that the new regulations only affect health care attorneys and their covered entity clients, in fact, the reach of HITECH extends far beyond the health care arena. Attorneys are business associates when they receive, transmit, or maintain PHI of patients from any covered entity. As such, attorneys are subject to the direct enforcement of HIPAA by HHS and state Attorneys General. Litigators need to be aware of the new requirements and exercise discretion and caution when submitting PHI about a plaintiff via electronic communications or in maintaining electronic medical records (EMR) on computers and other portable electronic devices. Using email to communicate about a plaintiffs health in a personal injury case, for example, could subject the attorney and the attorneys law firm to liability.
Under the new federal breach notification provisions, any unauthorized disclosure of unsecured personal health information must be reported to the entity or health care provider from whom the records originated and the law firm may face enforcement by HHS Office for Civil Rights (OCR). Attorneys transmitting PHI via email or maintaining PHI on a laptop or other portable electronic device should consider encrypting the information to protect it from inadvertent disclosure. While encryption is not required under HIPAA or HITECH, to avoid being subject to breach notification requirements under HITECH, entities will likely encrypt PHI to get it out of the bailiwick of unsecured PHI. Encryption will likely become the de facto standard. Further, attorneys should review their state laws for more stringent regulations on the transmittal of PHI.
Attorneys who represent covered entities and with whom the attorney also has a business associate agreement need to be cautious in the drafting of such agreements. Attorneys may run into ethical dilemmas in drafting the firms own business associate agreement with the covered entity. To avoid ethical entanglements, health care attorneys may want to consider referring the covered entity to an outside attorney for reviewing or drafting the business associate agreement.
Federal Breach Notification
As the HITECH provisions were originally drafted in the ARRA, the federal breach notification provision required that notice be given to the covered entity, the individual, OCR, and in some cases the media, regardless of whether or not the individual whose information was used or disclosed would have been harmed by the unauthorized use or disclosure.[v] This lack of a risk of harm threshold placed a substantial burden on covered entities and business associates. However, OCR recognized this burden and released guidance that substantially changed the affect of the breach notification provision.[vi]
The HHS Breach Notification Interim Final Rule relaxed these requirements by requiring that breaches affecting more than 500 individuals be reported to the affected individuals, OCR, and the media.[vii] In the event of a breach affecting less than 500 people, the entity is only required to inform the affected individuals and report the breach to OCR on an annual basis.[viii]
Timing
The notification clock starts when the covered entity or business associate knows or should reasonably have known of the breach. Because the clock starts when even one work force member is aware of the breach, the covered entity should have breach notification policies in place and work force training on the reporting requirements. Knowledge by the business associate of a breach is imputed to the covered entity and starts the clock; therefore, covered entities should ensure that their business associate agreements contain reporting requirements for the business associate that provides the covered entity sufficient time to report the breach.
Risk of HarmMost importantly, this Rule clarified that the language compromises the security or privacy of the protected health information used in the HITECH Act means poses a significant risk of financial, reputational, or other harm to the individual. Therefore, the federal breach notification provision now includes a risk of harm threshold. Further, in cases where the covered entity or business associate takes immediate steps to mitigate an impermissible use or disclosure such that the risk of harm is reduced to a less than significant risk, then no breach has occurred.
Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
The Security Rule requires covered entities, and now business associates, to safeguard electronic PHI and permits covered entities and business associates to use any security measures that reasonably and appropriately implement all safeguard requirements.
Under 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii), a covered entity must consider implementing encryption as a method for safeguarding electronic PHI; however, as an addressable[ix] implementation specification, a covered entity may be in compliance with the Security Rule even if it reasonably decides not to encrypt electronic PHI and instead uses a comparable method to safeguard the information.[x] If the covered entity or business associate does not encrypt PHI and a breach occurs, the covered entity or business associate must follow the federal breach notification provisions outlined above.
While not directly affecting most attorneys, the HITECH Act also made several revisions to the original HIPAA. The following paragraphs briefly address the significant changes made to HIPAA with which covered entities must now comply.
Communication Restrictions in Self-Pay
Under HIPAA, a covered entity could use and disclose information for any treatment, payment or health care operation, even in cases where the individual was self-pay and requested that the entity not disclose information to his insurance company. If an individual with health insurance chose to self-pay for particular services, the entity could, and was usually required by contract with the insurance company, report the treatment to the insurance company. This prevented health care fraud and schemes to hide preexisting conditions from insurance companies.
HITECH permits individuals to request that their provider not disclose information to the insurer if the patient paid out of pocket. Many question the driving force behind this change and whether it will facilitate fraud. The potential effect of this provision on preexisting conditions remains to be seen.
Accounting Rule
The Accounting Rule is one of the most underutilized individual rights under HIPAA. It permits an individual to request a list of all of the disclosures of their health information, excluding disclosures for treatment, payment and health care operations, from their health care providers for the previous six years.
The HITECH change to the Accounting Rule only affects covered entities that use EMR; however, the potential impact is significant. Entities using EMR must include all disclosures, even for treatment, payment and health care operations, on their Accounting of Disclosures.[xi]
Marketing
Under HITECH, a health care entity cannot use a marketing communication where it receives direct or indirect remuneration for the communication without specific authorization from the individual. A marketing communication is defined as any communication that encourages a recipient to purchase or use the product or service that is the subject of the communication.[xii] Under this definition, health and wellness promotions are likely prohibited absent an authorization from the patient.
Enforcement
Under HIPAA, penalties were discretionary and were capped at $25,000 in the aggregate for the same violation. OCR did not prosecute or penalize many of the subjects of complaints and entity cooperation went a long way in minimizing sanctions. Further, no private right of action of action existed under HIPAA, unless permitted by state law.
HITECH increased the penalties available for violations of HIPAA. If violations are due to willful neglect, OCR may issue a penalty up to $50,000 per violation with an annual maximum of $1.5 million. Lesser penalties will be imposed when the violation is not determined to be willful neglect or is corrected within 30 days of the date discovered or the date it should have been discovered.
In addition to the increased penalties available, HITECH expressly permits State Attorneys General to enforce provisions of HIPAA and HITECH. The AGs may obtain injunctions to enjoin continuing violations or damages of up to $25,000 on behalf of the harmed individuals. Further, HITECH grants State AGs the option of compensating the individual harmed by the violation. While HIPAA did not provide a private right of action, HITECH takes a step in that direction by permitting direct compensation to victims.
Lastly, HITECH amended HIPAA to permit direct enforcement against individual violators employed by covered entities. Under HIPAA, if an individual unlawfully disclosed protected health information obtained by virtue of employment, then the covered entity employing the individual could be penalized but OCR could not penalize the offending individual. HITECH now permits direct enforcement against individual employees.
The increased penalties and the direct enforcement of business associates under the HITECH Act will require greater attention from attorneys, and others not directly involved in patient care, in the protection and confidentiality of PHI. Some states have expanded security regulations, requiring encryption of all electronic communications containing confidential information about an individual.[xiii] As the medical, legal, and social environments become more high-tech, attorneys must keep a close eye on federal and state policy developments and conform their practice to existing laws. While expansive, the HITECH changes are likely only the tip of the iceberg.
[i] American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, Tit. XIII, Subt. D (enacted February 17, 2009).
[ii] Health Information Portability and Accountability Act and the applicable implementing regulations (HIPAA).
[iii] The HITECH Act provides for Medicare and Medicaid incentives for health care providers to adopt and implement electronic records beginning in 2011 and provides for reductions in reimbursements for those providers that do not adopt electronic records by 2015. This carrot and stick approach will likely increase the rate of adoption of electronic records, both internally within health care systems, and globally through Regional Health Information Organizations (RHIOs) and eventually a national health information network.
[iv] The Department of Health and Human Services (HHS).
[v] The HITECH Act originally stated that in the event of a breach (unauthorized access to unsecured PHI), the covered entity responsible for the breach must report the breach to the affected individual(s) and to HHS. The Act further required business associates to report a breach to the covered entity. The breach had to be reported as soon as reasonably practical but in no case longer than 60 days. If the breach affected more than 500 individuals, it also had to be reported to the media.
[vi] On August 19, 2009, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released the Interim Final Rule for Federal Breach Notification for Unsecured Protected Health Information (PHI). This Rule eased the federal breach notification provisions contained in the HITECH Act and also clarified some of the guidance released regarding the implementation of the Security Rule. The Interim Rule was published in the Aug. 24 Federal Register (74 Fed. Reg. 42, 740 et seq.) with an effective date of September 23, 2009. The Federal Trade Commission (FTC) issued a similar breach notification regulation on August 17, 2009 which applies to entities that are not subject to HIPAA, such a personal health records vendors.
[vii] The Rule requires that the following information be included in the Notification to affected individuals: (1) a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; (2) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); (3) any steps individuals should take to protect themselves from potential harm resulting from the breach; (4) a brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and (5) contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, website, or postal address.
[viii] In breaches affecting over 500 individuals but where those individuals live in different states so as no one state has over 500 affected individuals, notice to local media is not required.
[ix] Addressable implementation specifications set forth in the Security Rule do not specifically mandate the means or methods by which a covered entity or business associate must safeguard the information.
[x] Access controls and firewalls are two examples of methods used to safeguard information; however, they are not considered technologies or methodologies that render PHI unusable, unreadable or indecipherable as determined by the Secretary.
[xi] The idea behind this expansion in patient rights is that the electronic medical records automatically track all disclosures. However, while some EMR systems have the capability to automatically track all disclosures, this feature substantially slows down the system and is susceptible to bugs, so this feature is typically turned off. Without this feature, a covered entity would have to find a method of tracking each insurance claim, referral, consult, quality improvement activity, etc. The impact of this burden on the health care field would be astronomical.
[xii] 45 CFR 164.501, 164.508(a)(3). Additional guidance on marketing under HIPAA can be found on the Department of Health and Human Services, Office for Civil Rights website, available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/marketing.html.
[xiii] Examples of states which have passed encryption laws include Nevada and Massachusetts.