The Catholic University of America

TOPIC:

HITECH Act: New Law Requires Significant Investment in Health Information Privacy and Security

INTRODUCTION:

On February 17, 2009, the stimulus law, the American Recovery and Reinvestment Act of 2009 ("ARRA") [1], was enacted. Title XIII of the ARRA, The Health Information Technology for Economic and Clinical Health Act ("HITECH Act" or the "Act"), imposes new federal security breach notice requirements and adds numerous new privacy and data security restrictions for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") [2].

Many provisions of the Act directly impact colleges and universities that:

  • Have medical clinics, counseling centers, physicians and other providers and facilities that are covered entities under HIPAA [3]
  • Are business associates of covered entities, such as medical or public health schools that provide certain services to hospitals, clinics or state healthcare programs [4]
  • Sponsor employer health plans that are self-insured [5]

The most significant challenges posed by the Act are:

  • Business associate agreements will be subject to potentially contentious renegotiation and amendment
  • Compliance may require investment in new information systems and applications
  • Compliance will require new business processes and retraining of all affected staff

The costs of compliance, much of which will need to be incurred by February 2010, may be substantial for many institutions [6].

This Note provides a brief overview of the requirements of the Act and the challenges faced by colleges and universities subject to it. It presumes readers have a working knowledge of HIPAA's privacy regulations ("Privacy Rule") [7] and security regulations ("Security Rule") [8].

DISCUSSION:

Background

Since their enactment in 2003 and 2005, respectively, the Privacy Rule and the Security Rule have affected significantly the way health information is handled, used and disclosed [9].

The Privacy Rule puts complex restrictions on how covered entities may use and disclose protected health information ("PHI") [10]. The Security Rule requires that covered entities protect health information [11] with administrative (e.g., policies and procedures), technical (e.g., using passwords to limit access to databases and audit trails to determine who has accessed data) and physical (e.g., requiring key cards to access data servers) safeguards. Violations of these Rules can result in civil penalties, criminal prosecutions, and private lawsuits [12]. Compliance is complicated further by the numerous overlapping state laws that govern health information, which in many cases are not preempted by HIPAA [13].

In addition to the increased costs associated with compliance with HIPAA, many colleges and universities have struggled with understanding the requirements of the HIPAA Rules and how they apply to institutional activities. Up until now, however, many institutions -- at least those without clinics or hospitals -- have avoided significant compliance costs because their primary roles are as business associates rather than as covered entities.


THE HITECH ACT CREATES SWEEPING NEW REQUIREMENTS THAT RAISE THE STAKES FOR COLLEGES AND UNIVERSITIES

The HITECH Act extends the reach of HIPAA, making it applicable directly to business associates as well as covered entities and also adds to the complexity of the Privacy Rule and Security Rule requirements. These dramatic changes can be summarized in four categories.

1. Business Associates Have Increased Obligations that Require Information System Upgrades and Enhanced Security Infrastructure
Business associates currently are not directly subject to HIPAA and instead are subject only to the fairly general privacy and security obligations imposed on them contractually in business associate agreements. The Act changes that balance of power, specifically imposing most Security Rule and many Privacy Rule obligations directly on business associates effective February 17, 2010. At the same time, the Act makes business associates directly subject to HIPAA civil and criminal enforcement and the accompanying penalties [14]. In many cases, these new obligations will, among other things, trigger the need for information systems changes (see numbered section 2 below).

The Act also requires the new obligations for business associates be included in business associate agreements, thus necessitating the renegotiation and amendment of college and university business associate agreements. When paired with the increased enforcement and liability risks (see numbered section 4 below) and the new restrictions placed on use and disclosure of PHI (see numbered section 2 below), these negotiations are likely to be contentious, requiring significant resources over a short time period.

One provision of the Act that may lead to more difficult negotiations of business associate agreements is the imposition directly on business associates of the obligation to terminate the business associate contract for material violations by the covered entity of that contract (absent cure by the covered entity) [15]. If termination of the business associate contract is infeasible, the business associate must report the violation to the Department of Health and Human Services ("HHS") [16]. With business associates now having the obligation to do something about covered entity breaches, business associates likely will demand additional representations and warranties from covered entities about their own HIPAA compliance.

The Act also clarifies that organizations such as Health Information Exchanges, Regional Health Information Organizations, and e-prescribing gateways [17] are business associates and are required to enter into business associate agreements with covered entity participants [18].

2. New Restrictions on Uses and Disclosures and Increased Individual Rights
The numerous modifications to the HIPAA Privacy and Security Regulations required by the Act create additional burdens and restrictions that will require investment in new information systems, new business processes, and retraining of all relevant staff. The new requirements include the following:

  • Accounting of Disclosures. Existing HIPAA obligations to provide individuals with an accounting of disclosures have been expanded [19]. Covered entities will be required to keep a record, and provide an accounting to requesting individuals, of all disclosures made to third parties (including healthcare providers) for treatment, payment, and health care operations purposes when those disclosures are made through "electronic health records," a term which is not well defined in the Act [20]. In addition to accounting to an individual for disclosures, covered entities may require their business associates to account directly to the individual for disclosures made by the business associate on the covered entity's behalf. HHS is directed to promulgate regulations to assist with the implementation of these new requirements, which are scheduled to go into effect in either 2011 or 2014, depending on the date on which the covered entity acquired the electronic health record at issue [21], but there are additional provisions that allow HHS to delay these effective dates by two more years. Nonetheless, compliance is likely to require systems and process changes for colleges and universities [22].
  • Minimum Necessary Disclosures. The Act puts increased emphasis on, and additional teeth behind, the requirement that a covered entity must limit uses and disclosures of PHI (both for internal operations and in disclosing PHI to a third party) to only that information that is the "minimum necessary" to effect the intended purpose of the use or disclosure [23]. In addition to imposing this minimum necessary obligation directly on business associates, the Act requires HHS to issue guidance on what constitutes "minimum necessary" information for a permitted use or disclosure [24]. Until such guidance is released, the Act creates a "safe harbor" by providing that use or disclosure of a "limited data set," which is PHI with all direct identifiers removed (i.e., essentially de-identified data with dates and zip codes added back in), will be deemed the minimum necessary. If more than a limited data set is disclosed, the covered entity or business associate disclosing the PHI should first have made and documented the determination that the PHI to be disclosed is the minimum necessary to achieve the intended purpose. These new requirements are effective February 17, 2010. Because many systems are not capable of controlling data access to the granular level needed to limit that access to the minimum necessary or limited data set, the Act effectively creates a need for investment in new systems and processes.
  • Right to Restrict Disclosures to Health Plans. Under current HIPAA provisions, individuals may request restrictions on permitted disclosures of their PHI, but covered entities are not required to agree to any request [25]. As of February 17, 2010, the Act now requires that covered entities must comply with requests by individuals not to disclose PHI to a health plan for payment or health care operations purposes if the PHI relates solely to an item or service for which the provider has been paid out of pocket in full [26]. Processes will need to be put in place to handle this new requirement [27].
  • Right to Obtain Electronic Copies of Records. An individual's right to obtain a copy of his or her medical records when such records are maintained by the covered entity in an electronic health record is expanded as of February 17, 2010 to include the right to obtain a copy in electronic format, and to direct that the covered entity transmit the copy to an entity or person designated by the individual [28].
  • Prohibition on Remuneration in Exchange for PHI. Currently, if a covered entity is permitted to disclose PHI to a third party, nothing prohibits the covered entity from receiving payment or other value in exchange for the disclosure. With limited exceptions, the Act prohibits covered entities from receiving direct or indirect remuneration in exchange for PHI without individual authorization [29]. Limited exceptions include for treatment and for public health activities and research, but any remuneration received in exchange for PHI for research may be limited to the cost of preparation and transmission of the data. HHS is directed to issue initial regulations on or before August 17, 2010, and compliance is required six months after final regulations.
  • Limitations on Marketing to Individuals. Communications that encourage the use or purchase of a product or service are permitted without an individual authorization, and covered entities can be paid for making the communications, if they are (i) about products and services included in the individual's plan of benefits or available only to health plan enrollees, (ii) for treatment purposes, or (iii) for care management or to recommend alternative therapies or providers [30]. With limited exceptions, the Act provides that for communications sent on or after February 17, 2010, a covered entity may not receive direct or indirect payment for making these otherwise permitted communications [31]. One limited exception provides that "reasonable" payment, to be defined by HHS in forthcoming regulations, is not prohibited if the communication relates to a drug or biologic currently prescribed for the recipient of the communication. This prohibition targets communications made by covered entities such as pharmacies, providers, and health plans when the communications are paid for by third parties, including pharmaceutical manufacturers.
  • De-identification. The Act specifies that HHS must issue guidance on or before February 17, 2010, on best practices for implementing HIPAA requirements for de-identifying PHI [32]. For colleges and universities that de-identify data or use de-identified data, the new guidance may require an overhaul of the methodologies used for the de-identification or place additional restrictions on those methodologies.

3. Federal Security Breach Notification Requirements
Incidents of unauthorized access or acquisition of personal data, including patient data, have increased significantly the last few years, resulting in laws in most states that require that individuals be provided written notice of these security breaches. Most of these state laws do not apply to a security breach involving health information that does not include certain information such as a social security number or driver's license number or that is encrypted. These notice requirements have created a high public profile for businesses that have had security breaches.

The HITECH Act creates new federal security breach notice laws that apply to all personal information held by colleges and universities in their roles as covered entities, business associates, and vendors of personal health records (including those made available to employees). These laws require notice to individuals, government agencies, and, in some cases, the media.

For Covered Entities and Business Associates. The Act creates a new federal security breach notification law that applies to covered entities and their business associates and that goes into effect 30 days after HHS issues regulations, which are required to be issued on or before August 17, 2009 [33]. In addition to notifying individuals of the breach [34], the law requires reporting of all qualifying breaches to HHS, which will publicly post the information for certain breaches [35]. In cases in which more than 500 individuals are affected, the media also must be notified. The Act specifies detailed requirements regarding the content, timeliness, and methods of providing notice [36]. Because this federal law does not preempt State security breach notification laws, covered entities still must also comply with similar state laws.

A safe harbor against required notification exists for information that has been secured by technology that renders the PHI "unusable, unreadable or indecipherable" to unauthorized individuals. HHS recently issued guidance providing that encryption and destruction are the only two methodologies that are currently deemed to secure information. Notice is not required if the information subject to unauthorized acquisition was so rendered [37]. HHS will issue periodic guidance on other qualifying methodologies.

For PHR Vendors and their Contractors. The Act also includes separate and temporary security breach notification requirements for non-HIPAA covered vendors of personal health records ("PHRs"), PHR related entities, and their contractors [38]. These entities are required to notify affected individuals and the Federal Trade Commission ("FTC"), which in turn must notify HHS of any breaches of health care data. The FTC may take action under Section 5 of the FTC Act for unfair and deceptive trade practices. On April 16, 2009, the FTC issued notice seeking public comment on a proposed rulemaking in connection with these requirements [39].

4. Strengthened Enforcement and Increased Penalties
Since 2003, when compliance with the Privacy Rule was first required, government enforcement of the HIPAA rules has been almost non-existent, lulling many institutions subject to those laws into complacency. This will no longer be the case. Government agencies, plaintiffs' attorneys, and individuals now have attractive incentives and mandates for aggressive enforcement, which raises the stakes for colleges and universities and their employees with respect to compliance.

State AGs may enforce HIPAA. Before, HHS Office for Civil Rights and the Justice Department were the only HIPAA enforcement authorities. Now, state attorneys general are provided with specific limited enforcement power under the Act with respect to HIPAA violations, effective immediately [40].

Penalties are increased and HHS audits required. To date, HHS largely has worked with covered entities to correct the HIPAA violations that have come to the attention of HHS and has mostly refrained from levying monetary fines. The Act now requires HHS to audit covered entities and their business associates rather than just respond to violations brought to its attention [41]. Also, effective immediately, the Act adopts a tiered civil monetary penalty structure for HIPAA violations that increases the penalty amounts for violations (up to an annual maximum of $1.5 million for uncorrected violations based on willful neglect) and has the potential to significantly change the way HIPAA is enforced by HHS [42]. And while the Act specifically allows for corrective action in lieu of penalties for cases in which the person did not know and did not have reason to know about the violation, penalties are now required to be imposed in other cases.

Willful neglect violations must be investigated and resources are provided for enforcement. Other enforcement provisions take effect in the future. Provisions that (i) require investigation of violations that indicate willful neglect, (ii) require penalties for those violations, and (iii) allow the Secretary of HHS to impose civil monetary penalties for criminal cases that the Justice Department has declined to prosecute are to take effect in February 17, 2011, and shall be the subject of regulations to be issued on or before August 17, 2010 [43].

Individuals may be criminally liable. The Act also clarifies that criminal penalties may be imposed on individuals, including but not limited to employees of covered entities or business associates, for HIPAA violations [44].

5. Other Requirements
In other provisions, the Act also addresses the use of PHI for fundraising, the definition of psychotherapy notes, the establishment of HHS education and assistance outreach efforts, and required studies and reporting to Congress. The Act also confirmed that the current state of the law with respect to HIPAA preemption of state law is not changed.

6. Compliance Challenges
In addition to the sheer volume of new requirements that colleges and universities face as covered entities, business associates, and PHR vendors, compliance with the Act demands significant new investment in IT hardware; software changes; substantial changes in business processes, policies and procedures; and retraining of staff. These challenges come at a time when resources already are scarce and will require colleges and universities to make difficult decisions about resource/risk trade-offs.

7. Recommended Steps

  • Prepare For New Breach Requirements. The new breach provisions are likely effective in September 2009. Colleges and universities covered under the new breach provisions can prepare in advance for the new requirements by educating affected staff and putting compliance processes in place to respond to any breaches that may occur.
  • Address New Business Associate Requirements. To address the new business associate requirements, covered colleges and universities may wish to consider developing a new, revised business associate agreement form template. Covered colleges and universities should also be mindful of issues that may arise during negotiation or renegotiation of business associate agreements and determine when and if to renegotiate existing business associate agreements [45].
  • Perform a Security Risk Assessment. Under the new requirements, business associates are now subject to most of the requirements of the HIPAA Security Rule. As part of their compliance efforts, covered colleges and universities should perform a security risk assessment that evaluates and documents how it is in compliance with the Security Rule standards and specifications, determine a risk management strategy, and implement policies and procedures designed to ensure compliance.
  • Retrain Staff On The New Requirements. Covered colleges and universities should consider retraining all staff on the new requirements imposed on their organizations under the HITECH Act.



FOOTNOTES

RESOURCES:

Statutes and Regulations:

· HIPAA, Pub. L. No. 104-191 (Aug. 21, 1996).

· ARRA, Pub. L. No. 111-5 (Feb. 17, 2009).

· HIPAA Privacy Rule, 45 C.F.R. Part 160 and Part 164, Subparts A and E.

· HIPAA Security Rule, 45 C.F.R. Part 160 and Part 164, Subparts A and C.


NACUA Resources:

· HIPAA Resource Page


Additional Resources:

· Health Information Privacy Website, OCR.

· Summary of Health Privacy Provisions, Center for Democracy & Technology.







Permitted Uses of NACUANOTES Copyright and Disclaimer Notice

View this document in PDF or Word

NACUANOTES Homepage| NACUANOTES Issues
Contact Us | NACUA Home Page

"To advance the effective practice of higher education attorneys for the benefit of the colleges and universities they serve."