The economic stimulus package enacted earlier this year includes provisions that extend and strengthen the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These changes affect employer health plans significantly, together with the various vendors and contractors that provide services to these plans.
HIPAA regulates the use and disclosure of an individual’s protected health information held by health care providers, health plans, and health care clearinghouses (referred to under HIPAA as covered entities).
Vendors and contractors to health plans — such as those providing legal services, accounting services, consulting services, information technology and the like — are considered business associates and previously were not subject to the HIPAA privacy and security rules directly. They did, however, sign business associate agreements to maintain the privacy and security of protected health information, so as to enable the covered entities they contracted with to comply with HIPAA.
In a significant change to this approach, the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act of 2009 (ARRA), extends HIPAA’s privacy and security provisions to business associates that provide services to health plans, thus making them directly subject to these provisions in the same way that covered entities are, and also subject to the same direct government penalties as covered entities in the event of a breach. In another significant change, HITECH specifies breach notification procedures that must be followed when there is an unauthorized disclosure of unsecured protected health information. Under regulations issued by the Department of Health and Human Services, these provisions require both the covered entity and business associate to notify each affected individual directly (including any individual whose unsecured protected health information “is reasonably believed” to have been compromised) of a breach “without unreasonable delay but in no case later than 60 calendar days after discovery of the breach.” The regulations specify methods of notice, including use of prominent media outlets if the breach is believed to involve more than 500 individuals. They also specify the information that should be included in a breach notification.
The regulations also define the technologies and methodologies that can be used to secure protected health information. Because the breach notification requirements apply only to unsecured protected health information, when health information is secured in the ways outlined in the regulations, the breach notification requirements do not come into play.
HITECH also directs that penalties collected in enforcement proceedings be channeled back to fund additional enforcement efforts. Some commentators have noted that this may signal more aggressive enforcement of HIPAA’s privacy and security rules down the road.
Employer health plans and other covered entities will need to review and amend their contracts with health plan service providers to reflect these changes. HITECH states specifically that HIPAA requirements that relate to security and that are applicable to covered entities, in addition to now being applicable to business associates, “shall be incorporated into the business associate agreement between the business associate and the covered entity.”
The Department of Health and Human Services has issued initial guidance on HITECH provisions, but more will be forthcoming. The timetable for implementation of HITECH provisions affecting the HIPAA privacy and security requirements varies. Given the complexity of these new rules, and their potential impact if not followed, companies with health plans subject to HIPAA should take steps now to ensure they are up to speed with compliance.