The following is reprinted with permission from Jackson Lewis, a national law firm specializing in employment law. Visit www.jacksonlewis.com.
The American Recovery and Reinvestment Act of 2009 (ARRA) enhances the privacy and security safeguards required under the Health Insurance Portability and Accountability Act (HIPAA) for certain individually identifiable health information.
The tightening of these safeguards is critical to building the network of computerized health record-keeping systems endorsed by the Obama administration. Most businesses will be affected by these changes to some degree. Some key changes include the following:
Business Associates
Generally, individuals and entities are treated as “business associates” when they provide services to entities covered under HIPAA. Prior to ARRA, business associates were not directly subject to HIPAA privacy and security regulations, but they had obligations through agreements entered into with covered entities. Business associates are now directly subject to certain privacy and security regulations. Additionally, ARRA subjects business associates to the same civil and criminal penalties as covered entities for violations of the privacy and security requirements. These changes likely will require modifications to existing business associate agreements.
Breach Notification
As breaches of personal information continue to affect millions of individuals in the U.S., the ARRA adds a breach notification requirement to HIPAA. The requirement is similar to state rules, with some important distinctions:
• A breach requiring notification does not occur when the unauthorized person who receives a disclosure of protected health information would not reasonably be able to retain the information.
• Unless a delay in notification is permitted for law enforcement purposes, notification may not be provided later than 60 days after discovery of the breach.
• If the breach involves 500 or more individuals, covered entities must notify the Secretary of Health and Human Services immediately.
Breaches involving 10 or more individuals for whom there is insufficient or out-of-date contact information require conspicuous posting on the covered entity’s website or notice in major print or broadcast media.
The notification requirement applies only to breaches of “unsecured” personal health information, which, subject to future guidance, generally means information that is not secured by a technology standard, developed or endorsed by an accredited organization, that would render the information unusable, unreadable or indecipherable.
Enforcement
State Attorneys General may now bring a civil action in federal court to enforce the privacy and security regulations under HIPAA. These actions may seek damages on behalf of state residents. Damages are determined by multiplying the number of violations by $100, subject to a calendar-year cap for “violations of identical requirements or prohibitions” equal to $25,000. If successful, a State Attorney General also could recover attorneys’ fees. The HHS generally has taken a complaint-driven approach to enforcement. Provisions of the ARRA seek to change this pattern.
Individual Rights
The HIPAA privacy and security regulations include a right to request access and restrictions on certain disclosures. The ARRA enhances some of these rights. For example, it requires covered entities to comply with certain requested restrictions, despite an existing rule that generally permitted covered entities to decline to grant restriction requests.
Summary
Regulation of the use, disclosure and safeguarding of privacy and security of personal information, particularly personal health information, will continue to grow, whether at the federal or state level. Businesses should evaluate the kinds of information they maintain both for their business and their employees in order to determine the extent to which these laws may apply. Implementation of appropriate policies and procedures, among other steps, such as developing a breach response plan, can go far to reduce potential liability.