On February 17, 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law. The HHS final rule that implements its privacy and security provisions (the "omnibus rule", published January 25, 2013) is titled Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act.
The goal of the Act was to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. These provisions matter to the entire health care industry: covered entities, business associates of covered entities, and contractors tied directly to covered entities and their business partners.
A key component of the HITECH Act, Section 13410(d), which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:
- Four categories of violations that reflect increasing levels of culpability;
- Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
- A maximum penalty amount of $1.5 million per calendar year for all violations of an identical provision.
It also amended section 1176(b) of the Act by:
- Striking the previous bar on the imposition of penalties where the covered entity did not know, and with the exercise of reasonable diligence would not have known, of the violation (such violations are now punishable under the lowest tier of penalties);
- Prohibiting the imposition of penalties for any violation that is corrected within a 30-day period, as long as the violation was not due to willful neglect.
The Breach Notification Standard
- The Breach Notification Standard is probably the most scrutinized component of the HITECH omnibus rule. Most of the HIPAA requirements regarding breach notification have not changed; however, there are some significant updates regarding covered entities and their business relationships.
- Specifically, HHS has eliminated the "risk of harm" standard that was implemented in the interim final rule. Under that standard, notification to individuals was required only when the breach posed a "significant risk of financial, reputational or other harm" to the individual.
- There are two key steps in the changes implemented by HHS. First, HHS has clarified that the "presumption" is that a breach requires notification to the affected individuals unless the covered entity "demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment." This change was designed to ensure that covered entities did not use the absence of clear information about a breach as a basis for a "no notice" decision. It is now explicit that notice is required unless a covered entity can conclude there is a "low probability" of "compromise" of the data.
- Second, HHS has replaced the "risk of harm" threshold with a more precise "risk assessment" designed to determine whether there is a "low probability" of "compromise" of the data. While there is no specific definition of "compromise," the set of factors for the risk assessment indicates that the analysis a covered entity must perform will be very similar to what is being done today. Specifically, a covered entity, as part of its risk assessment, must review at least the following four factors (along with any others that are appropriate), and should document the assessment, since the burden of proof for a "low probability of compromise" rests with the covered entity or business associate:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed;
- The extent to which the risk to the protected health information has been mitigated.
- Business Associate Privacy Rule Obligations
The omnibus regulation addresses a variety of issues dealing with business associates. First, the regulation implements the HITECH provision that business associates now have a direct legal obligation to comply with the required provisions of a business associate contract under the Privacy Rule. For business associates, this change should not affect behavior (since business associates already should have been following their contractual obligations under the business associate contracts), but it now creates legal exposure, including civil money penalties, for violations. The regulation makes clear that business associates do not need to comply with all provisions of the Privacy Rule (such as providing a privacy notice), but only those provisions that are incorporated into a standard business associate agreement.
- Business Associate Security Rule Obligations
The regulation also now requires business associates to comply in full with the HIPAA Security Rule. This is an enormous new obligation. Previously, under business associate contracts, business associates had only a contractual obligation to implement reasonable administrative, technical and physical safeguards to protect electronic protected health information; under the new provisions, they must meet the full Security Rule directly, and are subject to enforcement for failing to do so. This is a significant additional step in security compliance that will affect an enormous number of business associates. Moreover, this is one of the HIPAA requirements that takes both time and resources: evaluating existing security programs, conducting an appropriate risk analysis, implementing risk management strategies, and preparing written policies and procedures that encompass a full information security program.
- A Business Associate Has Obligations Even Without a Contract
HHS also has made clear that the question of whether an entity is a business associate or not is a legal question, not simply a matter of contract. This means that the obligations of a business associate are imposed by law, whether or not an appropriate business associate contract is in place.
The new definition of "business associate" (which adds certain entities such as health information organizations) incorporates the idea of a "conduit," although it still leaves some open questions about certain entities that solely transmit data for a short, finite period of time (following the prototype "conduit" example of the U.S. Postal Service). However, to clarify a misunderstanding from the proposed rule, HHS states that entities that "maintain" data, even if they do not routinely access it, are business associates. The rule makes clear that the "conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services." An entity that "maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information." This means that entities such as document or data storage companies, whether they hold paper records or electronic data, are business associates even if they never access the information; persistence of the data, not the ability or intent to read it, is what matters.
The regulation also makes clear that downstream subcontractors of business associates are covered as business associates. This is a significant issue, as it broadens substantially the range of entities affected by these regulations as business associates. The idea is that any entity that receives or has access to PHI in the course of the downstream relationship will be considered a business associate.
- Transition Periods
HHS has developed a specific transition period for revised business associate agreements that incorporate these new standards. Essentially, if a compliant business associate agreement was already in place before the publication date of the omnibus rule (January 25, 2013), and is not renewed or modified between March 26, 2013 and September 23, 2013, then there is an additional period of one year beyond the compliance date of September 23, 2013 to revise that agreement to remain in compliance. This transition applies only to the wording of the agreements themselves: business associates still must comply with the applicable HIPAA provisions as of the compliance date for the regulation.
- The earlier enforcement interim final rule (issued in 2009) conformed HIPAA's enforcement regulations to the statutory revisions of section 13410(d) of the HITECH Act that were already in effect. That interim final rule did not make amendments with respect to those enforcement provisions of the HITECH Act that were not yet effective under the applicable statutory provisions.
The Office for Civil Rights (OCR) investigates HIPAA violations and can impose civil money penalties of $100 to $50,000 per violation, depending on the culpability tier, capped at $1.5 million per calendar year for violations of an identical provision. The penalties are deliberately severe to help ensure that data is kept safe and that organizations follow the HIPAA rules.
Sonte Consulting can significantly reduce your organization's exposure to civil money penalties resulting from HIPAA/HITECH violations.