
21 Mar 2009

This is the first in a series of posts about the many new compliance obligations contained within the recently signed Recovery Act, formally called the American Recovery and Reinvestment Act. The initial posts will not focus on the expected reforms related to new rules for executive compensation at companies taking government bailout money, but instead will highlight lesser-known new policy reforms on data protection and privacy, healthcare, taxes, and corporate whistleblowers. Part One looks at how the law expands HIPAA's scope and the compliance risks associated with breaches of Protected Health Information, or PHI. To enhance enforcement, the Act also makes HHS audits of HIPAA-covered companies mandatory and requires investigation of complaints related to the privacy and security rules. Although we can describe the rough contours of the changes based upon the statutory language, the HIPAA provisions will also be subject to rulemaking that will determine more exactly how challenging managing the new reforms may be.

The American Recovery and Reinvestment Act provides minimal guidance to companies about how to comply with changes to the privacy and security regulations of the Health Insurance Portability and Accountability Act. HIPAA requires healthcare providers—hospitals, health plans, nursing homes, healthcare clearinghouses, and some drug and device manufacturers—to protect consumers’ health and personal information. The Recovery Act now expands that to include the “business associates” of those covered entities: essentially anyone who handles protected health information, including third-party vendors.

This is a sweeping change affecting scores of businesses, many of which may not yet know they are affected. Previously, HIPAA-covered companies entered into contracts with their business associates obligating them to maintain privacy and security. The Recovery Act now requires all business associates to comply with HIPAA themselves. The ripple effects of this will impose HIPAA compliance on a broad swath of subcontractors and professional services providers, including law firms, accounting firms, consultants, temp agencies, and others. In other words, almost anyone providing administrative services to or on behalf of HIPAA-covered entities may now be required to comply with HIPAA.

In a windfall for privacy and contracts lawyers, many businesses never before subject to HIPAA requirements must get busy reviewing all their privacy and security policies and procedures, revising any HIPAA privacy notices, and amending any affected contracts with their own business associates.

Additionally, the Act imposes new notification requirements when a breach of protected health information (PHI) occurs. Breaches of unsecured PHI involving fewer than 500 persons require the company to notify the affected individuals and the Department of Health and Human Services (HHS). Breaches of the unsecured PHI of 500 or more persons also require notification of local media outlets.

Previously, HIPAA-covered entities were required to “mitigate the harmful effect of any breach,” but were not required to notify either affected persons or the media. As if enhanced penalties and tougher enforcement, combined with mandatory audits and investigations, were not enough to drive better compliance, the new provisions also authorize state attorneys general to bring enforcement actions under HIPAA and allow individual plaintiffs to recover monetary damages from businesses for HIPAA violations. Individuals are also authorized to obtain information about how their PHI is used and disclosed, which means that all covered entities must track more types of disclosures.

When the new privacy and security regulations are published (quite likely as Interim Final Rules), covered entities will have a very short time to implement the changes. PHI breaches that occur within 30 days of the publication of those regulations will be subject to compliance with the as-yet-unproposed rules.

Looks like we privacy lawyers may be in a fairly recession-proof field....
GM


Comments on The Compliance Challenges of the Recovery Act: PART ONE HIPAA Reforms

From laura paisely on

A terrific resource about these privacy provisions appears on the privacy blog at http://privacylaw.proskauer.com/tags/hitech-act/

From Grace Mastalli on

Thank you. You are correct that this Privacy Blog can be a good resource. It is maintained by the Proskauer Rose law firm.

Most recently, Jeffrey D. Neuburger and Sara Krauss posted that beginning "no later than Sept. 16, 2009, HIPAA-covered entities will be required to notify individuals when protected health information that is "unsecured" has been compromised. Notice must be given to the individuals whose data is affected "without unreasonable delay," and no later than 60 days after the breach. If the breach involves 500 people or more, the covered entity will be required to notify the U.S. Department of Health and Human Services and major media outlets."
