Life Sciences and the Stimulus Act - Part II: Changes to HIPAA Privacy and Security Standards
Part I of this article: “Life Sciences and the Stimulus Act - Part I: Promotion of Health Information Technology.”
By: ANN M. LADD, RYAN S. JOHNSON & KATHERINE J. DOUGLAS
March 6, 2009
The American Recovery and Reinvestment Act of 2009 (the Act) significantly changes HIPAA privacy and security standards in ways that will impact health care providers and others in the life sciences industry. The Act expands coverage of the HIPAA privacy and security standards to business associates and others, creates a new security breach notification obligation, limits the use of certain types of personal health information, expands the rights of data subjects, extends criminal sanctions to individuals, and creates civil enforcement rights. In this introductory article, we give a general overview of the changes to the HIPAA privacy and security standards. In upcoming articles, we’ll examine the potential impact of these changes on the relationships between health care providers and others in the life sciences industry, including medical device, health information systems, diagnostics, and pharmaceutical companies.
Business Associates and Others Now Explicitly Subject to HIPAA Privacy and Security Standards
Under the Act, business associates will be held to the same privacy and security standards as covered entities. Business associates now must establish policies and use procedures to safeguard, use, and disclose personal health information (PHI) and electronic PHI not just as a matter of contract with covered entities, but as a matter of law, and will be held civilly and criminally accountable for compliance with such standards.
The Act also expands the definition of business associates to include any entity that provides data transmission of PHI to a covered entity (or its business associate), such as Health Information Exchanges, Regional Health Information Organizations, E-prescribing Gateways, and vendors who contract with covered entities to offer a personal health record to patients as part of an electronic health record.
On a temporary basis, pending adoption of a federal breach notification law that covers all entities, vendors of personal health records who are not covered entities or business associates also are subject to a limited set of security obligations regarding notice of breach, discussed in more detail below.
Breach Notification Requirements and Other Significant Changes to Security Standards
Covered entities, business associates, and in limited circumstances, vendors of personal health records (and their service providers) will have a new obligation to notify individuals when there has been a breach involving the unauthorized acquisition, access, use, or disclosure of any unsecured PHI that compromises the security or privacy of such information.
The Secretary of HHS is expected to issue guidance defining the word “unsecured.” If the Secretary does not issue such guidance, “unsecured PHI” will mean PHI that is not protected by technology rendering it unusable, unreadable, or indecipherable using standards approved by an accredited standard setting organization.
Covered entities must give a data subject notice of a breach within 60 days of its discovery, and business associates must notify covered entities within the same time period. Notice generally must be made by US mail, although substitute notice by publication or media coverage is allowed in some circumstances, and telephonic notice is allowed in the event of an emergency. Additional reporting obligations apply to breaches involving more than 500 data subjects, and to breaches involving more than 500 data subjects in a single state. All breaches must be reported to the Secretary on an annual basis.
The notice must:
- provide a description of the incident, including the date of the breach, the date of discovery, and the type of PHI involved;
- recommend steps to take to prevent further misuse of the PHI;
- describe what the covered entity or business associate is doing to investigate the causes of the incident, mitigate the harm, and prevent future breaches; and
- list contact information for the covered entity or business associate.
The following are exceptions to the notification obligation:
- There is no breach if the information has been disclosed only to a person who “would not reasonably have been able to retain” the disclosed information.
- There is no breach if the disclosure involved only certain incidental and unintentional disclosures to employees and others acting under the direction of the covered entity or business associate made in good faith in the course of the professional relationship, or made in limited circumstances to other individuals in the same facility.
The obligation to notify data subjects of breaches explicitly extends to business associates (along with all other HIPAA privacy and security related obligations), and the Act specifically requires that all business associate agreements include provisions regarding the breach notification.
Similar obligations apply on a temporary basis to vendors of personal health records (and their service providers), for breaches involving unsecured PHI in a personal health record. Such vendors must notify both the data subject and the Federal Trade Commission of any breach.
This aspect of the Act becomes effective 30 days following publication of interim final regulations by the Secretary, which are to be promulgated by about August 18, 2010.
Most states have laws that require notification of breaches involving unencrypted personal financial (or, in a few instances, health) data. HIPAA preempts state laws that are contrary to the federal law, unless the state law is more stringent. Each security breach that involves both PHI and personal information otherwise subject to a state law, such as a social security number, may now require a comparison with the applicable state law to determine whether both the federal and the state law apply, leaving the covered entity or business associate to comply with the most stringent provisions of each.
Expanded Rights of Data Subjects and Other Changes to Privacy Standards
The Act gives individual data subjects expanded rights regarding the use and disclosure of their PHI:
- Covered entities and business associates maintaining an electronic health record are now required to make an accounting, when requested by the data subject, of all uses and disclosures in the prior 3-year period.
- Individuals can now request access to their PHI in electronic format.
- Except in very limited circumstances, neither covered entities nor business associates can sell PHI without a valid authorization from the individual that includes specific instruction on whether the PHI can be further disclosed in exchange for payment.
- Individuals can restrict disclosure of their information to a health plan if they pay for the cost of the item directly.
The Act also appears to create a new standard for a covered entity that wishes to use or disclose more than a limited data set of PHI (as defined in the HIPAA privacy rule) for internal operations: it must show that the additional data still falls within the “minimum necessary” standard. The Secretary is charged with issuing regulations to clarify the minimum necessary standard within 18 months. These regulations may impact the types of data covered entities use in support of internal business operations, such as billing and collection.
Covered entities are likely to take a number of steps to respond to these changes in the privacy standards, including updating their external notices of privacy and security practices and their internal privacy and security policies, thinking expansively about who qualifies as a business associate, and revising their business associate agreements to reflect the new requirements.
Limitations on “marketing” under the Act reflect increased Congressional attention to the relationship between health care providers and medical device, pharmaceutical, and other companies. New limitations prohibit the use of PHI to communicate about a product or service to an individual, unless the communication:
- describes a health related product or service provided by or included in the plan of benefits offered by the covered entity making the communication;
- is made for the treatment of the individual; or
- is made for case management or care coordination.
In all other circumstances, the communication is subject to the provisions of the Marketing Rule. In addition, even when a communication fits one of the exceptions listed above, if the communication is paid for by a third party, it is considered “marketing,” and the covered entity or business associate will have to comply with the Marketing Rule. There is one limited exception—a third party can pay for a communication to an individual regarding a drug or biologic that the person has already been prescribed. Even here, however, the Act limits the payment to an amount determined to be “reasonable” by the Secretary.
“Sunshine” laws that have already been adopted in at least 6 states, the Physician Payments Sunshine Act introduced by Senators Grassley and Kohl, and the changes to the HIPAA privacy standards all signal continuing distrust by Congress of the nature of the relationships between covered entities and others in the life sciences industry. Be prepared that any relationships you may have with a health care provider may be examined in hindsight, in public, by the Secretary or by a state attorney general.
Much Broader Criminal and Civil Penalties and Expanded Enforcement
The Act explicitly extends criminal liability for wrongful disclosure of PHI to employees and other individuals.
The Act expands the Secretary’s civil enforcement powers, establishing four levels of culpability for violation of the HIPAA privacy or security standards, depending on the level of knowledge and diligence exercised. The Secretary is directed to investigate allegations if the possible violation appears to have been caused by willful neglect, and to impose civil penalties if the violation was in fact caused by willful neglect.
The Act gives state attorneys general standing to sue on behalf of state residents to obtain injunctive relief and damages in certain circumstances. It also gives state attorneys general civil enforcement powers regarding the breach notification obligations (except where criminal enforcement is pending).
The threat of increased civil and criminal enforcement will likely motivate covered entities and business associates to raise awareness of the HIPAA privacy and security standards within their organizations, and to demand a higher level of compliance from their vendors and business partners. Start preparing today to respond to those heightened expectations.