Health Privacy Changes Create Increased Risks
and Obligations for Holders of Health Data
July 7, 2009
Recent changes to federal law governing health information suggest expanded regulation, increased enforcement, and significantly enhanced penalties could be on the horizon for businesses working in health and health-related areas. The Health Insurance Portability and Accountability Act (HIPAA), which was amended by the American Recovery and Reinvestment Act of 2009 (ARRA) in February, regulates the use of, access to, and dissemination of healthcare information. The changes to HIPAA mean that more entities are subject to the law, and that there are new responsibilities for certain healthcare vendors and increased penalties for violations. The amended law also includes new security breach notification requirements for protected healthcare information.
Changes for Business Associates
The recent changes to the law expand the scope and responsibilities of entities that are required to comply with HIPAA even if they are not healthcare providers or health plans.
Under HIPAA, business associates of covered entities (such as healthcare providers or health plans) have obligations governing the collection, use, and disclosure of protected health information (PHI).1 The new amendments expand the definition of "business associate" to include any organization that (1) provides data transmission of PHI to a covered entity or its business associate and (2) requires access to such PHI on a routine basis.2
Another significant change to HIPAA requires that all business associates abide by HIPAA's security provisions. Thus, business associates must have documented policies and procedures in place to implement administrative, technical, and physical safeguards for protected health information (the full text of the HIPAA security rule can be found at http://www.cms.hhs.gov/securitystandard/downloads/securityfinalrule.pdf). Prior to the amendment, only covered entities were subject to civil and criminal penalties for violations of HIPAA; with the recent changes, business associates are now directly responsible and may be held liable for compliance with applicable security provisions. As a result, the costs and risks of compliance, and the importance of evaluating whether or not a company is in fact a "business associate," have significantly increased.
New Civil Penalty Provisions for HIPAA Violations
Larger fines, less discretion for penalties
HIPAA violations can result in large monetary fines, even when the violation is unintentional or negligently committed by an employee of the covered entity or business associate. The recent changes set up a multi-level penalty scheme that limits the discretion of the Department of Health and Human Services (HHS) in assessing penalties. As of February 17, 2009, the minimum HIPAA fine is $100 per violation, with a calendar-year cap of $25,000 for identical violations. The maximum fine can be as high as $50,000 for each violation, with a $1.5 million calendar-year cap for identical violations. The amount of the fine is dependent, in part, on whether reasonable diligence was exercised or whether HHS finds that there was willful neglect. Although some penalty discretion is retained, a finding of willful neglect triggers a mandatory fine.
State attorneys general enforcement
Even if HHS chooses not to impose a fine, under the recent changes, state attorneys general may bring civil actions for damages on behalf of their state residents. Thus, any HIPAA violation carries with it both the risk of a large fine and additional litigation costs.
Possible penalty reductions for corrective action
The new law also creates incentives to exercise diligence and improve practices. A HIPAA violation may be resolved without a civil fine if it was not the result of willful neglect and it was corrected within 30 days of discovery. Even where the violation is deemed to have resulted from willful neglect, the new provisions create incentives to address violations promptly: while a fine for willful neglect will still be imposed, the fine may be reduced (from the potential maximum of $1,500,000) if corrective action is taken within 30 days of discovery.
Clarification of Criminal Penalties – Risks for Employees
The changes to HIPAA also clarify who may be criminally liable for violations. The criminal-penalty provisions now explicitly state that any person, including an employee of a covered entity or business associate, that commits certain acts knowingly may be fined up to $250,000 and/or imprisoned for up to 10 years. Covered entities and business associates may now find themselves liable for criminal acts committed by their employees acting within the scope of their employment. The movement toward regulating employee behavior and holding employers accountable for the improper acts of their employees appears to be growing, making it even more important for entities that come in contact with healthcare information to have clear policies and procedures regarding employee access to and use of that information.3 Training and documenting such training may become increasingly relevant to compliance.
New Breach Notification Rules
The ARRA includes specific provisions for notification of individuals and government entities in the event of security breaches, regardless of whether the breach involves an entity that is traditionally subject to HIPAA compliance. For example, the ARRA requires notice in the event of a breach of unsecured protected health information.4 Protected health information is secured if it is unusable, unreadable, or indecipherable. In the event of such a breach:
- a business associate must notify the appropriate covered entity, providing identification of each individual affected;
- a covered entity must notify each individual affected and the Secretary of HHS;
- vendors of personal health records5 must notify all individuals affected and the FTC (which must then notify the Secretary of HHS); and
- all notifications must be made no later than 60 days after discovery of the breach, where discovery occurs on the first day that the breach is known or should reasonably have been known.
The ARRA further requires that the notification include specific elements.
In addition to these requirements, the ARRA directs the Secretary of HHS and the FTC to issue final regulations regarding breach notification no later than August 16, 2009. The FTC issued interim regulations covering vendors of personal health records (PHRs) on April 16, 2009, which may be found at http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf. The FTC's proposed rule applies to (1) vendors of personal health records, (2) PHR-related entities, and (3) third-party service providers. Thus, not only vendors of PHR, but also many entities that maintain relationships with such vendors, are covered by the interim rule. For example, businesses that offer services such as Web-based health-management tools—which the consumer reaches by clicking on a link on the website of a PHR vendor—are subject to this interim rule.
Overall, the recent changes to HIPAA place new responsibilities on business associates while simultaneously bringing many new entities within the scope of "business associates." Moreover, entities that do not fit the definition of "business associate" may still have HIPAA compliance obligations as a result of their contact with personal healthcare information, regardless of whether that contact is directly—or merely tangentially—related to the business that entity conducts. In the wake of the recent changes, organizations that handle protected health information may consider:
- reassessing any potential HIPAA obligations;
- determining the extent of that obligation, if they are obligated to comply with HIPAA; and
- reviewing existing HIPAA compliance policies and procedures in light of the legal changes, and regularly in the future, to assure continued compliance with the law.
Wilson Sonsini Goodrich & Rosati attorneys regularly assist clients with all aspects of their privacy and information governance needs, including HIPAA compliance evaluations, security incident response, and incident avoidance. For additional information about the new legislation and related questions, please contact Lydia Parnes at firstname.lastname@example.org or (202) 973-8801; Gerry Stegmaier at email@example.com or (202) 973-8809; or Wendy Devine at firstname.lastname@example.org or (858) 350-2321.
1 "Business associates" are those persons or entities who perform functions involving the use or disclosure of individually identifiable health information on behalf of a covered entity, or provide other services, such as legal, accounting, or data-aggregation services, for a covered entity.
2 "Protected health information" (PHI) includes any individually identifiable health information that is maintained or transmitted in any form or medium. "Health information" includes any information that is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of healthcare to an individual.
3 Similar obligations for the actions of employees were recently implemented in California, as discussed in a previous WSGR Alert available at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/clientalert_medicalinfo.htm.
4 A "breach" is the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
5 A "vendor of personal health records" is an entity other than a covered entity that offers or maintains personal health records.