New Privacy Restrictions in Stimulus Package
The American Recovery and Reinvestment Act of 2009 includes the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act is significant for health care providers not only for the dramatically increased federal funds that will flow into the health care system but also for the significant expansion of law aimed at protecting the privacy and security of medical information. The Act makes important substantive changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and mandates extensive new regulations around electronic medical records. The Act:
Extends the HIPAA Privacy and Security Provisions and Penalties to Business Associates of Covered Entities
Business Associates, including health information exchanges, regional health information organizations, e-prescribing gateways and other technology vendors, will now be treated just like Covered Entities for purposes of the HIPAA privacy and security provisions, including liability for civil and criminal penalties. Covered Entities will likely have to revise their existing Business Associate Agreements to incorporate language reflecting this change.
Increases Penalties for HIPAA Violations and Expands Enforcement Mechanisms
Not only are Business Associates now subject to liability for civil and criminal penalties for HIPAA violations, but the amount of civil monetary penalties (CMPs) available has increased. Further, under the Act, anyone whose PHI is accessed in violation of HIPAA will be eligible to share a percentage of any CMPs collected. Not only will the Office of Civil Rights continue to enforce HIPAA compliance, but State Attorneys General will now have the power to enforce HIPAA by bringing suit in federal district court. Finally, the Act requires DHHS to periodically audit Covered Entities and Business Associates to assess HIPAA compliance. These increased penalties and expanded enforcement mechanisms send a strong signal that HIPAA enforcement will likely become more stringent, so Covered Entities and Business Associates need to make sure that all of their HIPAA policies and procedures are up to date and in use.
Creates a Comprehensive New Set of Requirements Around Notification of Data Breaches or Suspected Data Breaches
Notification must be made within 60 days of discovery, which will require prompt investigation and assessment of suspected breaches. The Act mandates public reporting to both DHHS and media outlets in the event of a breach affecting more than 500 individuals. DHHS will publish a list on its website that identifies each Covered Entity involved in a breach affecting more than 500 individuals.
Creates a New Breach Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities
In the event of a breach of “unsecured” PHI, vendors of personal health records and related vendors must notify the Federal Trade Commission (FTC) and any U.S. citizens whose information was acquired as a result of the breach. These provisions empower the FTC to begin policing medical privacy, which is a significant expansion of federal oversight of medical information.
Expands HIPAA Mandated Accounting of Disclosures for Those Using Electronic Health Records
Covered Entities and Business Associates using electronic health records will be required to make available an accounting of all uses and disclosures of the electronic health record in the previous three years, including disclosures for payment, treatment, and operations. This is a dramatic expansion of existing law, which may require significant revisions to existing electronic health record software.
Adopts New Prohibitions on the Sale of Electronic Health Information
While a prohibition on the sale of electronic health information sounds reasonable, the language is sufficiently vague to create uncertainty about the ability of regional health information organizations, health information exchanges, and even e-prescribing services to charge fees for their services. The limited exceptions to the sweeping prohibition add to the uncertainty around these provisions.
Eliminates Sharing of PHI for Marketing and Fundraising Purposes from the Definition of Health Care Operations Under HIPAA
Communications by Covered Entities or Business Associates that are about a product or service and that encourage recipients to purchase or use the product will not qualify as health care operations unless they meet very specific exceptions. These exceptions are complex and difficult to decipher as they are subject to multiple qualifications and limitations. In addition, fundraising is no longer considered part of operations; therefore, in order to use PHI for direct fundraising campaigns, a Covered Entity must first obtain an authorization from the patient. To comply with these new prohibitions, many health care providers will have to amend their marketing and fundraising policies and procedures.
It is clear that the Act has dramatically changed the landscape of privacy and security of medical information. Everyone involved in the exchange of medical information, not just health care providers, needs to carefully review the Act and assess what changes may be needed to stay in compliance with the new requirements. It is important to keep in mind that the Secretary of DHHS will be promulgating regulations to implement many of these new legal requirements, some of which do not go into effect for 12-18 months. There will be opportunities to participate in this rulemaking, and those involved in health care or e-health should not panic, but must give this careful attention and act appropriately. Health care providers should also remember that the Act offers significant incentives for electronic health record adoption and use, which may help make accepting this expansion of HIPAA more palatable.
For further information about the Act, you may contact Steven D. Gravely, Health Care Practice Group Leader, Troutman Sanders LLP at 804-697-1308 or steve.gravely@troutmansanders.com.
Troutman Sanders LLP