19 Feb 2009

Economic stimulus package contains broad new health privacy protections


E-Commerce and Privacy Alert


Darrell W. Taylor
The American Recovery and Reinvestment Act of 2009, the economic stimulus bill signed into law this week by President Barack Obama, includes detailed provisions that endeavor to expand the availability of electronic health records. President Obama has indicated that he would like every American’s medical records to be available in electronic form by January 1, 2014.

Subtitle D of Title XIII imposes broad new security breach notification obligations where “protected health information” (PHI), as that term is defined under the Health Insurance Portability and Accountability Act (HIPAA), is compromised. This is the first time Congress has enacted a statutory obligation to notify affected individuals of a security breach (although 45 security breach notification laws have been enacted at the state level). Additionally, Subtitle D imposes restrictions on the use, disclosure, and sale of PHI and “electronic health records,” as the latter term is defined under H.R. 1. Subtitle D would provide the Department of Health and Human Services (HHS) broad latitude to establish specific rules that would govern the security breach notification obligations and privacy provisions enacted as part of H.R. 1 and to enforce compliance.

To review Subtitle D, please visit page 144 of this PDF.

Security Breach Notice Obligations

The HHS Secretary is required to promulgate interim final regulations no later than 180 days after enactment of H.R. 1. The security breach notification provisions become effective for security breaches that are discovered on or after the date that is 30 days after the date of publication of the interim final regulations.

Notification Obligation Covers Protected Health Information

Subtitle D imposes broad new security breach notification obligations on covered entities that are regulated by HIPAA. Under Subtitle D, a covered entity is required to notify any individual whose “unsecured personal health information” “has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.” Under Subtitle D, a covered entity must:
  • Notify affected individuals of a security breach “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved”;
  • Deliver notification by first class mail;
  • Post a conspicuous notice of the security breach on its website or provide notification to major print or broadcast media in relevant jurisdictions, if the covered entity has insufficient or out-of-date contact information for 10 or more individuals;
  • Notify major media outlets if the security breach affects more than 500 residents in a single state or jurisdiction;
  • Notify the HHS Secretary if the security breach affects more than 500 individuals nationwide, and, separately, maintain and submit a log on an annual basis to the HHS Secretary for security breaches that affect fewer than 500 individuals; and
  • Comply with specific content of notice requirements prescribed by Subtitle D.

Restrictions on the Disclosure and Sale of Health Information

Subtitle D also imposes new restrictions on the sale and disclosure of both PHI and electronic health records. Under Subtitle D, covered entities must:
  • Comply with any request to restrict the disclosure of PHI if (1) the disclosure is to a health plan for purposes of carrying out payment or health care operations and (2) the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full;
  • Provide an accounting, upon request, of disclosures that contain PHI for the purposes of treatment, payment, and health care operations, if the covered entity maintains electronic health records (this is a significant change from previous accounting requirements); and
  • Refrain from participating in agreements under which they directly or indirectly receive remuneration in exchange for any PHI of any individual, unless a valid authorization is obtained from the individual. This rule also applies to business associates. Exceptions are specified in Subtitle D.

Subtitle D clarifies issues related to marketing communications by a covered entity or business associate if direct or indirect payment is made in exchange for making such communications. Exceptions exist, however, for certain communications.

Separately, Subtitle D requires the HHS Secretary to promulgate a rule requiring an opt out provision in any written fundraising communication.

Subtitle D applies certain aspects of the HIPAA Privacy and Security Rules to business associates in the same manner that the Rules apply to covered entities.

Enhanced Enforcement Regime

Subtitle D enhances the enforcement regime for violations of the HIPAA Privacy and Security Rules, as well as substantive violations of the new privacy provisions outlined in Subtitle D. Subtitle D:
  • Provides that covered entities and business associates are subject to civil penalties where the failure to comply with privacy and security rules is attributable to “willful neglect.” This is a change from the actual knowledge standard, which previously existed under HIPAA;
  • Establishes a tiered civil penalty structure for violations of privacy and data security rules; and
  • Allows State Attorneys General to institute civil actions for violations of privacy and security rules.

General Advice

In light of these new requirements, covered entities and business associates should consider doing the following:
  • Develop a security breach incident response plan that establishes procedures for providing notification in a manner that complies with Subtitle D;
  • Revisit both security and privacy policies governing the disclosure of PHI to ensure that only the minimum necessary information is used or disclosed for a specific purpose;
  • Update accounting policies under the HIPAA Privacy Rule to incorporate disclosures of PHI made for treatment, payment, and health care operations;
  • Ensure that any sale of PHI for which a covered entity is directly or indirectly remunerated fits within the exceptions set forth under Subtitle D;
  • Consider whether marketing communications for which a covered entity or business associate is directly or indirectly compensated constitute a “health care operation” under the HIPAA Privacy Rule;
  • Include an opt-out mechanism for any fundraising communication that is a “health care operation” under the HIPAA Privacy Rule;
  • Address indemnity issues now that business associates may be held individually responsible for their use and disclosure of PHI and ePHI as well as their own compliance with HIPAA. The concept of mutuality is more important now than it was when only covered entities were held responsible for HIPAA violations and/or breaches; and
  • Review and update business associate agreements to reflect the new changes and requirements.


This information is intended as a general overview and discussion of the subjects dealt with. The information provided here was accurate as of the day it was posted; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper is not responsible for any actions taken or not taken on the basis of this information. Please refer to the full terms and conditions on our website.

Copyright © 2012 DLA Piper. All rights reserved.