Economic Stimulus Measure Also Strengthens and Expands HIPAA's Privacy
The economic stimulus package enacted earlier this year includes provisions that extend and
strengthen the privacy requirements of the Health Insurance Portability and Accountability Act of
1996 (HIPAA). These changes significantly affect employer health plans, along with the various
vendors and contractors that provide services to these plans.
HIPAA regulates the use and disclosure of an individual's protected health information held by
health care providers, health plans and health care clearinghouses (referred to under HIPAA as
covered entities). Vendors and contractors to health plans (such as those providing legal services,
accounting services, consulting services, information technology and the like) are considered
business associates and previously were not directly subject to the HIPAA privacy and security
rules. (They did, however, sign business associate agreements to maintain the privacy and security
of protected health information, so as to enable the covered entities they contracted with to comply
with HIPAA.) In a significant change to this approach, the Health Information Technology for
Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act
of 2009 (ARRA), extends HIPAA's privacy and security provisions to business associates that
provide services to health plans, thus making them directly subject to these provisions in the same
way that covered entities are, and also subject to the same direct government penalties as covered
entities in the event of a breach.
In another significant change, HITECH specifies breach notification procedures that must be
followed when there is an unauthorized disclosure of unsecured protected health information.
Under regulations issued by the Department of Health and Human Services, these provisions
require both the covered entity and business associate to directly notify each affected individual
(including any individual whose unsecured protected health information "is reasonably believed" to
have been compromised) of a breach "without unreasonable delay but in no case later than 60
calendar days after discovery of the breach." The regulations specify methods of notice, including
use of prominent media outlets if the breach is believed to involve more than 500 individuals. They
also specify the information that should be included in a breach notification.
The regulations also define the technologies and methodologies that can be used to secure
protected health information. Because the breach notification requirements apply only to unsecured
protected health information, when health information is secured in the ways outlined in the
regulations, the breach notification requirements do not come into play.
HITECH also directs that penalties collected in enforcement proceedings will be channeled back for
additional enforcement efforts. Some commentators have noted that this may indicate more
aggressive enforcement of HIPAA's privacy and security requirements down the road.
Employer health plans and other covered entities will need to review and amend their contracts with
health plan service providers to reflect these changes. HITECH specifically states that HIPAA
requirements that relate to security and that are applicable to covered entities, in addition to now
being applicable to business associates, "shall be incorporated into the business associate
agreement between the business associate and the covered entity."
The Department of Health and Human Services has issued initial guidance on HITECH provisions,
but more will be forthcoming. The timetable for implementation of HITECH provisions affecting the
HIPAA privacy and security requirements varies. Given the complexity of these new rules, and their
potential impact if not followed, companies with health plans subject to HIPAA should take steps
now to ensure they are up to speed with compliance.