HIPAA changes included in stimulus law
June 24, 2009
By Correy E. Stephenson
In addition to allocating substantial funds for the implementation of electronic health records, the American Recovery and Reinvestment Act of 2009 also included changes to the Health Insurance Portability and Accountability Act (HIPAA).
The changes, which affect HIPAA’s privacy and security requirements, came as something of a surprise because President Barack Obama didn’t indicate they were part of his health care policy plans, said Rachel Cutler Shim, a partner at Reed Smith in Philadelphia who is an expert on health and welfare plan compliance.
As a result, covered entities must “update their policies and procedures and retrain employees,” she said.
The biggest change involves new requirements for providing notification of a data breach.
The various provisions have different effective dates, with some already in effect and others not going into effect until 2010.
In addition, Shim noted, some provisions – even if they have a specific effective date – still require regulations from the Department of Health and Human Services.
Here is a look at some of the major changes:
• Increased notification requirements
Covered entities are now required to notify affected individuals when a privacy breach occurs. (Previously, an entity only needed to try to limit the negative effects of a breach.)
If the breach affects more than 500 people, the covered entity must also report the incident to HHS and the media, noted Joseph Lazzarotti of White Plains, N.Y., a partner at Jackson Lewis, who coordinates the firm’s HIPAA and workplace privacy practice.
Notification must be given no later than 60 days after discovery of the breach, and if the breach includes 10 or more individuals with insufficient contact information, the covered entity must make a conspicuous posting on its website or provide notice in print and broadcast media.
Importantly, Shim noted, the notification requirement applies only to “unsecured” information, which is defined as protected health information that is not secured by an accredited “technology standard.”
HHS issued a proposed guidance on this issue in May.
• Business associates now covered
The changes expand who is covered by HIPAA to include “business associates” of covered entities.
Previously, a business associate – such as a third-party administrator who helped an employer administer its health plan – was covered by HIPAA only through a contractual agreement with a covered entity, Shim explained.
But now, business associates are directly subject to the security regulations and privacy requirements of HIPAA, said Edward I. Leeds, counsel at Ballard Spahr Andrews & Ingersoll in Philadelphia, who focuses his practice on health and welfare benefit plans.
This change “will have a big impact because business associates [already] had obligations through contractual agreements with covered entities but now must comply with the statutory requirements” as well, he explained.
• Mandatory audits by HHS
Before, HHS was permitted to perform audits on entities covered by HIPAA to make sure they were following the rules.
But the Act includes a provision requiring HHS to perform audits, which could increase the number of enforcement actions, Shim said.
• Expansion of patients’ rights
There are several changes that increase patients’ rights under HIPAA, Shim said.
For example, “individuals are now able to go to a doctor, pay 100 percent for their procedure and then notify the doctor that they want to limit the disclosure of their information and say it cannot be provided to their health insurer,” she explained.
An employee might choose to keep information such as drug counseling private in this way, Shim said.
In addition, patients also have greater rights to get an accounting of how their protected health information is being used.
• Greater fines and penalties
Covered entities that violate HIPAA are now subject to a $1,000 per violation penalty (up from $100 per violation), and the maximum annual penalty has increased to $100,000 from $25,000. Both civil and criminal penalties now apply to business associates as well.
• ‘Minimum necessary’ rule tightened
Previously, the “minimum necessary” rule instructed covered entities that if they were using or disclosing protected information for any reason, the use or disclosure should be kept to the minimum amount necessary to accomplish the intended purpose.
Entities had a good deal of discretion in this area, Leeds said, but the “standard has now been tightened.”
Under the new Act, the disclosure and use of protected information must be restricted to a “limited data set” that has the patients’ identifying information removed “to the extent practicable.” This is another area where HHS is scheduled to issue further guidance.
Questions or comments can be directed to the writer at: correy.stephenson@lawyersusaonline.com