The Health Information Technology for Economic and Clinical Health (“HITECH”) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”). One of the major goals of HITECH is to promote and expand the use of health information technology. In addition, HITECH includes significant amendments to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule and Security Rule. This article addresses specifically the HITECH Act amendments that: 1) extend many aspects of the HIPAA Privacy and Security Rules to Business Associates (effective February 17, 2010); 2) subject Business Associates to criminal and civil penalties for violations (effective February 18, 2009); and 3) impose new breach notification requirements (effective September 23, 2009).
In response to the HITECH Act, Covered Entities and their Business Associates must review and revise Business Associate Agreements to incorporate references to the new requirements under the HITECH Act.
In general, a Covered Entity may not use or disclose protected health information, except: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Further, the HIPAA Privacy Rule requires Covered Entities to maintain PHI in accordance with certain standards to protect health information as it is used and disclosed for the provision of health care and related services.
To the extent that a Covered Entity contracts with individuals or businesses (“Business Associates”) to provide services on its behalf, and the performance of these services requires access to PHI, a Covered Entity is required to enter into “Business Associate” Agreements with such third parties in order to restrict the use of PHI by third parties and to require that PHI be securely maintained. In the event of an unauthorized use or disclosure of PHI, however, the Covered Entity was originally the only party accountable under federal law. As a result of the HITECH Act, Covered Entities as well as Business Associates have an obligation to protect the privacy and security of PHI and both can be held accountable for unauthorized use or disclosure.
- A Covered Entity is a health care provider who transmits any health information in an electronic form, a health plan, or a health care clearinghouse (45 C.F.R. § 160.103).
- A health care provider is a provider of medical services or any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. For example, hospitals, skilled nursing facilities, comprehensive outpatient rehabilitation facilities, home health agencies, or hospice programs are health care providers (42 U.S.C. § 1395x[u]).
- A health plan is an individual or group plan that provides or pays the cost of medical care. For example, health insurance companies, HMOs, Part A or Part B of the Medicare program, the Medicaid program, and any other individual or group plan that provides or pays for the cost of medical care including an employer sponsored group health plan (45 C.F.R. § 160.103).
- A health care clearinghouse is a public or private entity that engages in either of the following: (1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or (2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity (45 C.F.R. § 160.103).
- PHI is individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. More specifically, individually identifiable health information is health information, including demographic information, that is created or received by a Covered Entity and can be used to identify the individual or there is a reasonable basis to believe that the information can be used to identify the individual. Therefore, PHI can be anything that identifies an individual and is related to the individual’s physical or mental health, receipt of health care, or payment for health care services1 (45 C.F.R. § 160.103).
Who is a Business Associate?
A Business Associate is a person or business who “on behalf of a Covered Entity or organized health care arrangement2 performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information…or any other function or activity regulated” by HIPAA (45 C.F.R. § 160.103). The Department of Health and Human Services (“HHS”) has provided examples of business associates which include third party administrators of health plans, claims processing or billing companies, transcription companies, and persons who perform legal, actuarial, accounting, management or administrative services for covered entities and who require access to PHI. A workforce member of a Covered Entity or an organized health care arrangement is not considered a Business Associate.3 Examples of services which might be performed by Business Associates include utilization review, quality assurance, or billing services as well as legal, accounting, or financial services. This list is not exhaustive and any relationship involving the use or disclosure of PHI should be evaluated in order to determine whether access to the PHI is being provided by a Covered Entity thus creating a Business Associate relationship. If a Business Associate relationship exists, the Covered Entity is required to have a Business Associate Agreement with the person or business qualifying as a Business Associate. As discussed below, in more detail, the definition of a “business associate” may be expanded.
Business Associate Agreements
Pursuant to the current statutes and regulations, a Covered Entity is expected to have a written agreement with its Business Associates to provide that the Business Associates will:
- Not use or disclose PHI other than as permitted by contract or as required by law;
- Utilize appropriate safeguards to prevent the unauthorized use or disclosure of PHI;
- Report any unauthorized use or disclosure of PHI to the Covered Entity;
- Ensure that any agents to whom the Business Associate provides PHI agree to the same restrictions and conditions that apply to Business Associates;
- Make PHI about an individual available to that individual;
- Make available PHI for amendment and incorporate any amendments to PHI by the subject individual;
- Make information available to permit an accounting of disclosures of PHI;
- Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS for purposes of determining the Covered Entity’s compliance with the law; and
- If feasible, at termination of the contract, return or destroy all PHI received from the Covered Entity (45 CFR § 164.504).
Additional Requirements Imposed by HITECH
As stated above, the HITECH Act renders several sections of the HIPAA Privacy and Security Rules directly applicable to Business Associates. Specifically, the HITECH Act requires Business Associates to implement administrative, physical, and technical safeguards in order to protect the privacy and security of PHI.
- Administrative Safeguards shall include, among other things, conducting a thorough assessment of the risks and vulnerabilities to confidentiality and availability of electronic PHI held by the Business Associate, implementing security measures to reduce those risks and vulnerabilities, and applying sanctions against workforce members who fail to comply (45 C.F.R. § 164.308).
- Physical Safeguards should include, among other things, procedures to safeguard the facility and the equipment from unauthorized physical access, tampering, and theft; procedures to control and validate a person’s access to facilities based on their role and function; and the maintenance of a record of the movements of hardware and electronic media and any person responsible therefor (45 C.F.R. § 164.310).
- Technical Safeguards should include, among other things, assigning a unique name and/or number for identifying and tracking user identity; implementing electronic procedures that terminate an electronic session after a predetermined time of inactivity; and implementing a mechanism to encrypt and decrypt protected health information (45 C.F.R. § 164.312).
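Two of the technical safeguards listed above, unique user identification and automatic termination of an idle session, are concrete enough to model in code. The following is an added example written for this page, not code from the article, the firm, or the regulation; the class names, the 15-minute idle timeout, the record identifiers and the audit-line format are all assumptions chosen for illustration. It keeps a session store keyed by a per-login token, ties every session to a unique user identifier, refreshes the activity timestamp on each permitted access, and terminates the session once the idle limit is exceeded, writing an audit line for each decision so that the access record required by the Security Rule also exists.

```python
"""Illustrative session store modelling two 45 C.F.R. § 164.312 technical
safeguards: unique user identification and automatic logoff after a
predetermined period of inactivity.  Added example; names, timeout value
and audit format are assumptions, not part of the regulation."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str        # unique identifier assigned to the workforce member
    token: str          # per-login bearer token, never reused
    last_activity: float


class SessionStore:
    def __init__(self, idle_timeout_seconds: int = 900, clock=time.monotonic):
        # clock is injectable so the timeout logic can be tested deterministically
        self.idle_timeout = idle_timeout_seconds
        self.clock = clock
        self._sessions: dict[str, Session] = {}
        self.audit_log: list[str] = []

    def login(self, user_id: str) -> str:
        """Open a session for a uniquely identified user and return its token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, token, self.clock())
        self.audit_log.append(f"LOGIN user={user_id}")
        return token

    def access(self, token: str, record_id: str) -> bool:
        """Return True if the session may read record_id; expire idle sessions."""
        session = self._sessions.get(token)
        if session is None:
            self.audit_log.append(f"DENY unknown-session record={record_id}")
            return False
        now = self.clock()
        if now - session.last_activity > self.idle_timeout:
            # Automatic logoff: the idle session is terminated, not just refused.
            del self._sessions[token]
            self.audit_log.append(f"TIMEOUT user={session.user_id} record={record_id}")
            return False
        session.last_activity = now
        self.audit_log.append(f"ALLOW user={session.user_id} record={record_id}")
        return True


class FakeClock:
    """Constructed clock so the example runs offline in deterministic time."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> tuple:
    """Walk one session through activity, refresh, timeout and post-timeout reuse."""
    clock = FakeClock()
    store = SessionStore(idle_timeout_seconds=900, clock=clock)
    token = store.login("clinician-042")             # constructed user id
    first = store.access(token, "MRN-0001")          # fresh session: allowed
    clock.advance(600)
    second = store.access(token, "MRN-0002")         # 10 min idle: still allowed
    clock.advance(901)
    third = store.access(token, "MRN-0003")          # >15 min idle: terminated
    fourth = store.access(token, "MRN-0003")         # token no longer exists
    return first, second, third, fourth, store.audit_log


if __name__ == "__main__":
    for line in demo()[4]:
        print(line)
```

The refresh on each allowed access is the detail worth noticing: the safeguard is measured from the last activity, not from login, so a session that is in continuous use never expires, while one left open on an unattended workstation is closed on its next use and the attempt is recorded.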
In addition to the implementation of administrative, physical, and technical safeguards, Business Associates are required to develop appropriate internal policies and procedures to address the use or disclosure of PHI as well as documentation requirements, identify a security officer responsible for the development and implementation of such policies and procedures, and develop a security awareness and training program for all workforce members with access to PHI.4
Perhaps most significant, the HITECH Act now requires Covered Entities to notify affected individuals upon the discovery of any breach of unsecured PHI.5 Unsecured PHI includes that which is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS.6 Breaches include the acquisition, access, use, or disclosure of PHI which compromises the security or privacy of PHI (45 C.F.R. § 164.402). If the Business Associate is the source of the breach, notification of all such breaches should be provided to the Covered Entity without unreasonable delay to permit the Covered Entity to notify the affected individuals. Pursuant to the HITECH Act, such notification to the affected individuals is expected to be made no later than sixty (60) days following discovery of the breach.
Business Associates are expected to provide the Covered Entity with the identity of all individuals affected by the breach as well as any additional information that may assist the Covered Entity in providing its notice to those affected. Failure to provide timely notice to the Covered Entity will render the Business Associate directly accountable to HHS and may subject the Business Associate to civil and criminal penalties.
In addition to the required notification to affected individuals, HITECH requires Covered Entities to notify the Secretary of HHS and in certain circumstances, the media. Also of note, the Act requires the Secretary of HHS to post a list of Covered Entities that experience breaches of unsecured PHI affecting 500 or more individuals.7 If the source of the breach is a business associate, the Business Associate is also identified in the posting.
The HITECH Act increases the civil and/or criminal penalties for violations of the privacy and security rules and also provides that such penalties may be directly imposed upon Business Associates who do not comply with the applicable provisions. With regard to civil penalties, there is a tiered increase in the amount of civil monetary penalties based upon whether the person knew or should have known of the violation or whether the violation was due to willful neglect. Civil penalties can range from $100 to $50,000 per violation and maximum penalties for all violations in one calendar year can range from $25,000 to $1,500,000 (42 U.S.C. § 1320d-5).
With regard to criminal penalties, such penalties can include fines of up to $50,000 and imprisonment of not more than one year. However, if the offense is committed under false pretenses or with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm monetary fines and length of imprisonment can dramatically increase (42 U.S.C. § 1320d-6).
Recent Notice of Proposed Rulemaking
Although the HITECH Act provisions extending many aspects of the HIPAA Privacy and Security Rules to Business Associates became effective February 17, 2010, HHS recently issued a notice of proposed rulemaking (“NPRM”) on July 8, 2010 addressing further the implementation of the law.8 Upon publication of final regulations, HHS has indicated that covered entities and business associates will have one hundred eighty (180) days beyond the effective date of the final rule to come into full compliance.
Under the NPRM, the definition of “Business Associate” would be expanded to include “those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce to the extent that they require access to protected health information.” As a result of this change, a subcontractor of a Business Associate with access to PHI will have the same obligations under the HIPAA Privacy and Security Rules as the Business Associate of the Covered Entity. In addition, business associates may need to develop agreements (similar to the agreements that covered entities have with their business associates) with their subcontractors who have access to protected health information to obtain assurance that such subcontractors will comply with the HIPAA Privacy and Security rules.
Under the NPRM, HHS has also proposed that Business Associate agreements include the following: 1) a requirement that a Business Associate comply with the Security Rule with regard to electronic PHI; 2) a requirement that a Business Associate report breaches of unsecured PHI to covered entities (see the additional discussion of the Breach Notification requirements above); and 3) an acknowledgement from a Business Associate that any subcontractors that create or receive PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate.
The NPRM, as proposed, would also require that when Business Associates use, disclose or request PHI, they limit such PHI to the “minimum necessary” to accomplish the intended purpose of the use, disclosure or request which is consistent with the current requirement imposed upon covered entities. A Business Associate would be expected to determine what constitutes the “minimum necessary”. In accordance with the HITECH Act, the Secretary of HHS is required to issue guidance on what constitutes “minimum necessary”. The NPRM solicits comments on what aspects of the “minimum necessary” standard covered entities and business associates believe would be most helpful for HHS to address in the guidance as well as the types of questions entities may have about how to determine what is “minimum necessary” for compliance purposes.
In view of the requirements imposed by the HITECH Act, individuals and businesses must assess their operations and their use of and need for access to PHI as part of the services they provide to Covered Entities. To the extent that an individual or business needs access to or use of PHI in relation to the services it provides, increased attention must be paid to the handling and storage of such PHI. Furthermore, as a Business Associate, it will be necessary to become familiar with the provisions of the HITECH Act and the implementing regulations. These efforts should not await the final adoption of the recently proposed regulations. As stated above, many aspects of the HITECH Act have already become effective and violations are subject to enforcement and potential penalties.
To obtain more information, the Office of Civil Rights (“OCR”) which is charged with enforcing the HIPAA Privacy and Security Rules maintains a website for easier access to the regulations as well as additional guidance.9
Ms. Cohen is a Partner and Ms. Hayes was an Associate with the Health Care Law Practice at
Wilson, Elser, Moskowitz, Edelman & Dicker LLP, in its Albany, New York Office. Ms. Cohen can be reached at Wilson, Elser, Moskowitz, Edelman & Dicker LLP,
677 Broadway, 9th Floor, Albany, New York 12207 or (518) 449-8893.
This communication is for general guidance only and does not contain definitive legal advice.
© 2010 Wilson Elser Moskowitz Edelman & Dicker LLP. All rights reserved.
1 The HITECH Act explicitly excludes education records covered by the Family Education Rights and Privacy Act; records of students who are 18 years or older, or are attending post-secondary educational institutions that are maintained by a treating provider and which are used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment; and employment records held by a Covered Entity in its role as employer from the definition of PHI (45 C.F.R. § 160.103).
2 An Organized Health Care Arrangement can be, among other things, a clinically integrated care setting in which individuals typically receive health care from more than one provider; a group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to PHI created or received by such health insurance issuer or HMO that relates to individuals who are or have been participants or beneficiaries in such group health plan; or a group health plan or one or more other group health plans each of which are maintained by the same sponsor (45 C.F.R. § 160.103).
3 Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity (45 C.F.R. § 160.103). For example, physicians on the voluntary medical staff or hospital volunteers would be considered members of the workforce.
4 45 C.F.R. § 164.308; 45 C.F.R. § 164.310; 45 C.F.R. § 164.312; 45 C.F.R. § 164.316.
5 Covered Entities and Business Associates will need to perform a risk assessment to determine whether notification is required. If there is a significant risk of financial, reputational, or other harm to the affected individual as a result of the unauthorized use or disclosure of unsecured PHI then notification is required.
6 On April 27, 2009, the Secretary of HHS issued guidance indicating that encryption and destruction are the only two technologies and methodologies accepted for securing PHI.
8 Federal Register, Vol. 75, No. 134, Wednesday, July 14, 2010.