STIMULUS PACKAGE MODIFICATIONS TO HIPAA: WHAT HAS CHANGED AND WHAT MUST BE DONE TO COMPLY

By Elizabeth F. Larsen

Introduction

The American Recovery and Reinvestment Act of 2009 (ARRA), also referred to as the stimulus package, became law on February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH), was enacted as a part of the stimulus package, and it made significant modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The three most significant modifications made by HITECH were to business associate agreements, breach notification requirements, and requests by patients for an accounting of disclosures of their protected health information (PHI).

Business Associate Agreements

Prior to ARRA, HIPAA required covered entities to enter into contracts, known as business associate agreements, with entities performing services on their behalf if the services performed by those entities involved the exchange of health information. Business associates were required to use safeguards to protect the health information they received, but they were not required to directly comply with many of HIPAA's security rules.

HITECH requires business associates to fully implement the information security safeguards specified by HIPAA. Business associates must therefore comply with the privacy rules made applicable to them by their contract with the covered entity, and they also must comply with any changes to HIPAA as a result of HITECH regardless of whether or not those changes are in their contracts. Business associates can also now be held directly accountable for any failure to comply with HIPAA as amended by HITECH.

Breach Notification

HITECH requires covered entities to notify individuals of breaches of their PHI, which HIPAA previously did not. Business associates are also required to notify covered entities of any breaches, and the covered entity must then notify the individual. In determining whether or not notice is required, two questions are relevant: (1) did the incident qualify as a breach under the breach definition, and (2) was the information protected by an encryption-like technology? A breach is defined as the unauthorized access, use, or disclosure of PHI. Only breaches of unsecured information trigger the notification requirement. As long as the breached information has been rendered unusable, unreadable, or indecipherable to unauthorized individuals, using a technology specified by the Secretary of Health and Human Services ("Secretary"), the notification requirement is not triggered. A breach also does not occur under the following circumstances: (1) where an unauthorized person who receives the information cannot reasonably have been able to retain it; (2) if the acquisition of the information was unintentional, the access occurs within the scope of employment or a professional relationship, and the information does not go any further; or (3) if it is an inadvertent disclosure that occurs within a facility, and the information does not go any further.

HITECH requires that notice of a breach be given to the patient within 60 days after the breach is discovered, and discovery is deemed to occur when at least one employee of the entity knows or reasonably should know of the breach. Notice must be given to media outlets if the breach involves more than 500 individuals. Notice of all breaches involving more than 500 individuals must also be provided to the Secretary immediately. Covered entities must further notify the Secretary of breaches involving fewer than 500 individuals in an annual log.

As a result of these new requirements, covered entities should consider modifying their business associate agreements to include language that the business associate must provide notification of a breach within two days of the associate's discovery of the breach. This should allow the covered entity sufficient time to comply with its own notification requirements under HITECH.

Accounting for Disclosures

The current HIPAA regulations require covered entities to provide an individual, at that individual's request, with an accounting of disclosures of PHI made from the individual's medical record for the previous six years. However, disclosures for treatment, payment, and healthcare operations are specifically exempted from this requirement. Under HITECH, covered entities using electronic medical records may no longer exempt disclosures for treatment, payment, and healthcare operations from an accounting, though the accounting is required only for the previous three years.

Conclusion

The modifications to HIPAA by HITECH are significant and address a wide range of privacy issues. Providers should consider reviewing both their business associate agreements and their HIPAA policies and procedures now in order to determine what changes need to be made in light of HITECH. If such actions are taken, providers will help ensure that they are in compliance with HITECH's requirements, and will minimize any problems that may arise in the future.