Although changes made to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)1 by the new HITECH (Health Information Technology for Economic and Clinical Health Act) law2, passed as part of ARRA, the American Recovery Act of 20093, impact all health care providers, this article will focus on the changes that affect self-insured health care plans as well as business associates and the subcontractors of those business associates. This focus was chosen because there are probably many self-insured health care plans and business associates who aren't even aware of the impact the new law and HIPAA regulations have on them.
The first major change involves sanctions for HIPAA violations. Since the Privacy Rule went into effect in 2003, followed by the Security Rule in 2005, there have been very few fines or other actions taken under HIPAA for violations. First, it took several years before an enforcement mechanism was put in place. Then, the focus of the Health and Human Services (HHS) personnel enforcing HIPAA Rule provisions initially was to bring covered entities into compliance. By June of 2006, of the 19,420 grievances filed with HHS Office of Civil Rights, there had been no civil fines imposed and only two criminal cases had been prosecuted.4
That all changed with the HITECH law5. Congress, legislating for the first time on HIPAA Privacy and Security Rule issues, which had previously been formulated through a rule-making process, decided that it wanted to put some teeth into enforcement as it encouraged the adoption of electronic records. Along with providing $27 billion to provide funding for medical practices and hospitals which had substantial amounts of Medicare and Medicaid business to adopt electronic records, minimum sanctions were also imposed. It is the minimum sanctions, plus a new breach notification provision, and the application of HIPAA to business associates and their subcontractors that will be summarized in this article.
Business associates6 are entities that perform functions on behalf of health care providers and health care plans and which generally include law firms, billing services, accountants, and other independent contractors who perform services on behalf of providers and who have access to protected health information (PHI). Since the original HIPAA Privacy and Security rules directly applied only to providers, Health and Human Services used a business associate contract approach to require providers to contractually obligate business associates to follow HIPAA Privacy and Security rule standards and procedures. Under these rules, however, the most drastic sanction under HIPAA for a business associate violating HIPAA rules would be cancellation of the contract between the business associate and the provider or health care plan. There may also, depending on the state, have been state remedies available to patients who had their confidential health information disclosed, as HIPAA did not provide a private right of action for a violation of its rules. However, with the new HITECH law, business associates are now directly subject to HIPAA sanctions for HIPAA violations, just as providers and health care plans are7. This is true whether or not they have been informed they are business associates by providers or self-insured health care plans and whether or not they have signed business associate contracts with the covered entities for which they are handling information. The proposed rules issued on July 14, 2010 also extended HIPAA requirements specifically to subcontractors of Business Associates, but they will be brought into the system contractually.8
The sanctions can only be described as draconian, particularly in light of the fact that for years there were effectively no HIPAA sanctions imposed by HHS for HIPAA violations, as the intent was to correct problems and bring entities into compliance. The new set of sanctions9 are divided into categories: Tier A violations, where the offender could not have reasonably known or through exercising reasonable diligence would not have known about the violation, would result in a financial penalty starting at $100 and rising to $50,000 for each separate violation; for Tier B violations which are due to reasonable cause and not willful neglect, the penalty amount starts at $1,000 and may reach $50,000 for each violation. However, for "willful neglect," which under new regulations published on July14, 2010 removed the "lack of knowledge" as an affirmative defense10, the penalties are not less than $10,000 or more than $50,000 for each violation, but only if they are timely corrected (if not corrected the minimum is $50,000 for each violation), with a maximum of $1,500,000 for violations of the same requirement in any one calendar year for all three tiers of penalties. If, for instance, the self-insured health care plan or a business associate has not developed policies and procedures governing the use of protected health information or they have not trained their employees, they may be subject to drastic minimum sanctions, as these would fall into the willful neglect category. The HITECH law also requires HHS to periodically audit for violations.11
The HITECH law also provides for a new enforcement mechanism for state Attorneys General.12 They may seek damages on behalf of residents of their states in an amount equal to the number of violations in their state multiplied by $100. The total amount of damages imposed for each identical violation is capped at $25,000 for a calendar year.
In addition, HITECH also imposed new notification requirements for breaches of PHI. These have been in effect since September 23, 2009, with an interim final rule on this topic being published on August 24, 200913. Basically, the law and rule require that if there is a breach of a person's PHI which poses a significant risk of financial, reputational, or other harm to the individual, then the individual must be notified and the Secretary of HHS must be notified of all similar breaches on an annual basis14. However, if there are 500 or more individuals in one geographic area involved, in addition to individual notification, there must be immediate notification to the Secretary of HHS as well as to all prominent media outlets in the area15. Recently, however, HHS withdrew the final rule which it had developed based on the proposed interim final rule stating that based on comments received it needed to further consider ways to ensure that PHI is protected and secured to the extent possible and that individuals are appropriately notified when incidents occur. The interim final rule remains in effect until a final rule is published. The possibility exists that HHS will further strengthen the rule by removing the significant harm threshold for reporting, which would then require mandatory notification to individuals and HHS of every breach, regardless of the potential for harm.
Below is a list of major items that are basic requirements for minimally complying with HIPAA rules and laws. Failure to follow and implement these minimal procedures would put a business associate or self- insured health care plan in non-compliance and would potentially subject that entity to willful neglect penalties, which even if corrected can result in a monetary penalty of $10,000 to $50,000 for each violation, with a maximum per calendar year penalty of $1,500,000 for all such violations of an identical provision (meaning multiple provision violations could easily result in millions of dollars in penalties):
1. A Privacy/Security Officer for your business must have been named16;
2. Policies and procedures to implement the Privacy and Security Rules must be in place17;
3. All employees had to have been trained by April 14, 2003 for the Privacy Rule, by April 20, 2005 for the Security Rule and then new employees thereafter, with periodic trainings for all employees. Those subject to HIPAA should maintain a file on this, noting dates and types of training18;
4. A risk assessment must have been performed to determine how best to protect records under the Security Rule, to include administrative, physical and technical security measures19;
5. A complaint procedure must have been adopted which allows a person a right, without retaliation, to file complaints. Entities should document and maintain a copy of all complaints and note their disposition20;
6. Notice of Privacy Practices and Authorization Forms must have been adopted and used21;
7. Business associates with whom the business works were identified and then they must have executed a contract in which they agreed to protect PHI. (This applies to lawyers, accountants, and billing and collection people who have access to records.) Business associate contracts in place for the Privacy Rule must have been updated to include the Security Rule as well as the new HITECH Act breach notification provisions;
8. Sanctions were developed for employees, business associates, and/or business associate subcontractors who violate Privacy, Security and HITECH rules. Records should be maintained on actions taken to enforce these sanctions;
9. Forms were adopted to include with medical records which list the uses and disclosures of medical records22;
10. A procedure that will allow a person to inspect and copy their medical records must have been adopted, with the ability to correct errors, or make notations about their claim of error23;
11. A policy and procedure for mitigating damages once it is learned there has been an inappropriate use or disclosure of protected health information must have been adopted;
12. A procedure for handling breach notifications has been put in place which provides for the notification of a person without unreasonable delay, but in no case later than 60 days after the breach, if their personal information had been compromised and potential harm could result to the individual (check for a new final rule to be issued after publication of this article to determine if changes have been made to this requirement). The procedure should require business associates to notify the provider for whom they are handling the PHI, and if more than 500 persons in the same geographic area were involved in the breach it would require the notice to prominent media outlets as well as the Secretary of Health and Human Services.
The above list is general in nature and is not all-inclusive. Those affected should consult with experienced counsel on how to comply with all HIPAA requirements.
Although prior to the HITECH law many providers and their business associates may have been complacent about adopting measures to comply with HIPAA Privacy and Security requirements, that complacency in the future could result in drastic penalties being imposed on their businesses. Good risk management practice requires compliance and if insurance is available to cover some of the risk, that should be obtained.