
The American Recovery and Reinvestment Act Made Changes to HIPAA

By Mike King, Esq

Question: Did the American Recovery and Reinvestment Act of 2009 (ARRA) change my responsibilities and potential liability under the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?

Answer: Yes. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of ARRA, makes several changes to the HIPAA Privacy and Security Rules: it extends those rules directly to business associates, raises the civil penalties, adds new enforcers, and creates a breach notification requirement.

Should you be concerned about the changes to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") brought about by the American Recovery and Reinvestment Act of 2009 ("ARRA") and the Health Information Technology for Economic and Clinical Health ("HITECH") Act? You should be if your business is a "covered entity" or a "business associate" of a covered entity. The HIPAA regulations define "covered entities" as health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction. Covered entities include employer-sponsored group health plans. For example, a self-insured group health plan under the Employee Retirement Income Security Act ("ERISA") is a covered entity under HIPAA if it provides medical care. On the other hand, a group health plan with fewer than 50 participants that is administered solely by the employer that established it is not a covered entity.

Importantly, employers are not covered entities under HIPAA merely because they are employers. If an employer sponsors an ERISA group health plan, the plan itself, not the employer, is the covered entity, and a third-party administrator that handles the plan's protected health information is typically a business associate of the plan rather than a covered entity in its own right. Dental plans, vision plans, health flexible spending arrangements, and "cafeteria plans" may be covered entities if they are employee welfare benefit plans under ERISA that pay for medical care.

Records an employer holds in its capacity as an employer, such as sick-leave or workers' compensation files, are not "protected health information," so an employer that handles health information only in that role is not a covered entity on that account. An employer whose group health plan is fully insured through an insurance policy or a health maintenance organization, and that receives only enrollment information and summary health information from the insurer, has sharply reduced obligations under the Privacy Rule.

Even if your business is not a covered entity, the HITECH Act applies the safeguard requirements of the HIPAA Security Rule and the use and disclosure limits of the Privacy Rule directly to business associates of covered entities, with the same civil and criminal penalties. Keep in mind that organizations that transmit protected health information to a covered entity and require routine access to it, such as health information exchanges, regional health information organizations, and e-prescribing gateways, are business associates under HITECH. So determine carefully whether your non-covered entity is a business associate of a covered entity, because your company may still be subject to the same penalties as the covered entity. All business associate agreements need to be revised to reflect the new privacy and security obligations.

But if your company intends to ignore the HIPAA and HITECH Act requirements because you assume it is neither a covered entity nor a business associate of one, you had better be right. Civil violations of HIPAA are now subject to more severe penalties. Since ARRA was signed by President Obama on February 17, 2009, the maximum civil penalty for a HIPAA violation is $50,000 per violation, up to $1.5 million for all violations of an identical provision during a calendar year.

Civil monetary penalties are tiered. The U.S. Department of Health and Human Services ("HHS") determines the tier based on the nature and extent of the violation, the harm it caused, and whether the violator knew of it or acted with willful neglect. Each tier sets a minimum penalty per violation and an annual cap for identical violations.

If HHS finds that you did not know, and by exercising reasonable diligence would not have known, that you were violating HIPAA, the penalty is at least $100 per violation with an annual cap of $25,000.

If HHS finds that the violation was due to reasonable cause rather than willful neglect, the penalty is at least $1,000 per violation with an annual cap of $100,000.

If HHS finds that the violation was due to willful neglect, but you corrected it within 30 days of the date you knew, or by exercising reasonable diligence would have known, of it, the penalty is at least $10,000 per violation with an annual cap of $250,000.

But if HHS finds that the violation was due to willful neglect and was not corrected within that 30-day period, the penalty is at least $50,000 per violation with an annual cap of $1,500,000.

Because these penalties have gone up substantially, and because the boundaries of "covered entity" and "business associate" are not always clear, businesses need to review their HIPAA policies and procedures, employee training materials, business associate agreements, and other documentation to ensure compliance.

Another hazard for businesses is that state attorneys general are now authorized to bring civil actions in federal court on behalf of state residents harmed by HIPAA violations, seeking injunctions and damages. HHS must be notified of such an action and may intervene, but previously HHS alone enforced civil violations of HIPAA (criminal violations are prosecuted by the Department of Justice). So be careful if your state's attorney general is running for re-election and has shown an antipathy for healthcare entities.

As noted, HHS was previously the only civil enforcer of HIPAA. Individuals still have no private right of action after enactment of the HITECH Act, but the Act directs HHS to establish, by regulation, a method under which individuals harmed by a HIPAA violation may receive a percentage of any civil monetary penalty or settlement collected for it. Once that is in place, individuals will have more incentive to report HIPAA violations by your company.

Moreover, before the HITECH Act, HHS had discretion over whether to investigate HIPAA complaints and whether to impose penalties. Now the HITECH Act requires HHS to investigate any complaint indicating a possible violation due to willful neglect and to impose civil monetary penalties for violations it finds were due to willful neglect.

In addition, HHS has issued guidance on the technologies and methods that render protected health information "secured"; protected health information not protected by one of those methods is "unsecured." If the guidance is followed, a covered entity is exempt from the breach notification requirement for that information. Otherwise, ARRA requires covered entities to notify each affected individual of a breach of unsecured protected health information without unreasonable delay and in no case later than 60 calendar days after the breach is discovered, and a business associate that discovers a breach must notify the covered entity within the same period. If the breach affects 500 or more individuals, HHS must be notified at the same time as the individuals; smaller breaches are logged and reported to HHS annually. If the breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that state must be notified as well. I'm sure that is what your marketing department wants to see on the five o'clock news!

A breach is the unauthorized acquisition, access, use, or disclosure of protected health information, in a manner not permitted by the Privacy Rule, that compromises the security or privacy of the information. HHS's interim rule carves out narrow exceptions, such as a workforce member's unintentional, good-faith access within the scope of his or her authority that results in no further impermissible use or disclosure.

HHS has provided a "safe harbor" from the notification requirements. Its guidance identifies two ways to secure protected health information: encryption consistent with NIST guidance (NIST Special Publication 800-111 for data at rest, and the NIST publications on TLS, IPsec, and SSL VPNs for data in transit), and destruction, meaning paper and film are shredded or destroyed so the information cannot be read or reconstructed, and electronic media are cleared, purged, or destroyed consistent with NIST Special Publication 800-88. If the covered entity or business associate secured the information by one of these methods, notification of its loss is not required. One caveat deserves emphasis: encryption counts only if the decryption key or process was not also compromised. The guidance says decryption keys should be stored on a separate device or in a separate location from the data they protect, so, for example, a lost laptop whose encryption password is written on a note in the same bag, or a stolen drive whose key was stored alongside it, does not qualify for the safe harbor.

As you may have gathered, which parties are covered by these provisions of HIPAA is less than clear. The penalties have been increased, and the ability of other parties to enforce them has been expanded. If you have any questions about compliance with ARRA, the HITECH Act, HIPAA, or any other governmental programs, regulations, or bureaucracies and need assistance, please call me at (602) 256-4405.

Michael R. King is a partner with the law firm of Gammage and Burnham which is a sponsor of the Phoenix CEO-CFO Group. September 15, 2009
