By Kirk Nahra, CIPP
The new Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements, imposed by the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), will have a significant impact on the privacy and security of healthcare information, and on the compliance obligations for affected healthcare companies. While the healthcare industry itself struggles to implement these new requirements, the biggest changes may impact HIPAA business associates, the service providers to the healthcare industry. These companies, for the first time, will be covered directly by most of the HIPAA rules. Meeting these new requirements will be a substantial challenge, and business associates need to move quickly to develop an appropriate plan to ensure compliance by the February 2010 HITECH deadline.
The HIPAA era began with the passage of the Health Insurance Portability and Accountability Act of 1996. While “HIPAA” now means many things to many people, at its foundation, the HIPAA law focused on “portability,” the idea that individuals could “take” their health insurance coverage from one employer to the next, without having pre-existing health conditions acting as an impediment to job transitions.
When Congress passed HIPAA, it also added into the mix a variety of other topics related to the healthcare industry (such as creating large funding for what has now become more than a decade-long fight against healthcare fraud). One of the policy mandates adopted in HIPAA was to move toward standardized electronic transactions for the healthcare industry. The idea was that certain “standard transactions”—like the submission of a health insurance claim and the payment of that claim—could be standardized, and thereby create efficiency savings and more effective results. (Keep this in mind as you consider the current debate about electronic health records and their potential impact on the healthcare system). With these standardized transactions came a concern about healthcare information being put into electronic form, with the resulting requirements for the creation of the HIPAA Privacy Rule and the HIPAA Security Rule.
But this background also led to one key component of these rules: the limits on the applicability of these rules to “covered entities”—the entities (such as doctors, hospitals, and health insurers) who might be participating in these standardized transactions. The law mandated the rules—but restricted their application to those covered entities only.
Accordingly, when the Department of Health and Human Services (HHS) began to develop these rules, it was faced with a significant limitation on its jurisdiction—it could apply the rules only to covered entities. HHS developed a creative solution to respond to a key fact about the healthcare system. While the covered entities are core participants in the industry, they rely on tens of thousands of vendors to provide them services, with many of these services involving patient information. Therefore, the concept of a “business associate” was born—an entity that provides services to the healthcare industry where the performance of those services involves the use or disclosure of patient information.
Because HHS had no direct jurisdiction over these “business associates,” HHS imposed an obligation on the covered entities to implement specific contracts with these vendors that would create contractual privacy and security obligations for these vendors. The failure to execute a contract would mean that the covered entity violated the HIPAA rules. A business associate’s failure to meet a contractual privacy standard would be a breach of that contract, but would not subject the business associate to government enforcement, because the business associate was not regulated under the HIPAA rules. This system has existed since the inception of the HIPAA Privacy Rule in 2003.
The primary changes
Now, in the HITECH Act, Congress has blown this HIPAA structure to bits, by imposing direct legal compliance obligations on business associates. Although this legislation does not turn business associates into covered entities, it does impose—for the first time—direct accountability on these business associates, with potential civil and criminal liability for a failure to meet these requirements.
While there are many changes to the HIPAA rules, three developments stand out from the rest:
1. More enforcement risk
It was widely anticipated that the Obama Administration would be more aggressive about HIPAA enforcement than its predecessor. Independent of this inclination, the new legislation creates substantial new opportunities for aggressive enforcement of the HIPAA rules. Over the course of the next few years, we can expect these changes to produce a fundamental shift in the overall enforcement of the HIPAA Privacy and Security Rules.
First, the provisions increase substantially the penalties that are available for violations of the rules, from the current high of $25,000 to as much as $1.5 million per year for violations of an identical provision. Fines are mandatory in situations involving “willful neglect.”
Second, state Attorneys General (AGs) now have clear and explicit authority to enforce the provisions of the HIPAA rules. While state AGs have initiated healthcare-related privacy and security actions in the past, relying on their inherent authority to act to protect citizens of a state, this new provision essentially creates a parallel enforcement environment for HIPAA violations. On the one hand, this enforcement is limited in meaningful ways, mainly in terms of amounts that can be sought by the state AGs. On the other hand, however, this approach creates realistic risks of differing standards and inconsistent action across differing states, most likely without the procedural protections of the HIPAA Enforcement Rule.
Third, correcting what many saw as an oversight in the prior HIPAA provisions, the legislation now permits enforcement actions against individuals employed by healthcare entities. Even though the Department of Justice has creatively pursued a limited number of criminal cases against individual employees (mainly where identity theft, healthcare fraud, or some other serious criminal activity is combined with the HIPAA issue), this new provision creates a broader and more explicit opportunity for enforcement against individuals.
2. Security-breach notification
At the same time that enforcement actions are given new strength, the legislation also creates a new federal security-breach notification requirement for the healthcare industry. Most security breaches—including many events that have not historically been thought of as security breaches—now must be disclosed not only to consumers but also to HHS and, in some situations involving larger breaches, even to the media.
This provision creates a new notification standard for the healthcare industry, whether the breach has anything to do with an electronic health record or not. While clearly there are open questions about details of the legislation, this provision is broader than most relevant state notification laws because it (1) applies to breaches involving any kind of protected health information held by healthcare companies (not merely the specific categories, such as Social Security numbers, that are the subject of state laws), and (2) as written in the statute, does not include any “risk of harm” threshold. Therefore, this provision will require reporting of a wide range of security breaches, regardless of the sensitivity of the information involved or the realistic risk of any harm from the breach.
For the healthcare industry at large, this breach-notification requirement may be the single most significant provision of this legislation, and the one that is likely to affect a large number of companies most quickly and publicly. Because the notice requirement applies only to “unsecured” information, this legislation also may accelerate the movement toward encryption of a wider range of healthcare data. Under the HHS guidance issued to implement this provision, information counts as “secured” only if it has been rendered unusable, unreadable, or indecipherable to unauthorized persons through the specified means (encryption consistent with the referenced NIST guidance, or destruction); encrypted data whose decryption key was also exposed in the incident does not qualify.
3. Extension of HIPAA requirements to business associates
The other change that will generate enormous work for the healthcare industry and its business partners will be a series of provisions that essentially extend full compliance responsibility for the HIPAA Privacy and Security Rules to the business associate category: all of the companies that handle patient information in providing services to the healthcare industry. Today, these vendors must sign a contract with their healthcare client that extends certain HIPAA provisions by contract to the business associate. The new provisions will obligate these business associates by law to follow most HIPAA provisions, rather than just the handful that have been required to be included within the business associate contracts. Again, this provision seems to have nothing to do (specifically) with electronic health records. It clearly extends HIPAA coverage to all business associates, whether they deal with electronic health records or not.
For the healthcare industry, these rules also create an apparent large-scale obligation: the need to revise all existing business associate contracts to incorporate these new requirements. Healthcare companies—with full memory of the difficulties of compliance with the initial HIPAA business associate contracting requirements in 2003—should promptly begin to develop model language and an approach to overall modification of thousands of business associate contracts.
Areas of impact for business associates
Between the extension of the HIPAA rules to business associates, the new enforcement environment, and the significant concern and confusion about security breaches, the overall risks from the healthcare privacy structure are now magnified significantly for business associates. Business associates will need to review these provisions promptly, and identify where their current compliance policies are insufficient for this new environment.
What are the major areas that will deserve attention?
The HIPAA Privacy Rule
The HITECH provisions are somewhat confusing on how the Privacy Rule will be applied to business associates. It is clear that not all portions of the Rule will be applied to business associates. For example, there is no obligation for business associates to prepare and distribute a privacy notice to individual patients. This makes sense, since many business associates will be unknown to the patient community.
As a general matter, HITECH indicates that business associates must, by law, follow the provisions of the business associate contract that are mandated by the Privacy Rule. For business associates—who presumably have been following these contractual provisions for the past several years—there should be no significant new obligations; but the risks from a failure to meet these obligations have grown. All business associates should take this opportunity to re-evaluate their policies and procedures for meeting these requirements.
The HIPAA Security Rule
The HIPAA Security Rule presents significantly more challenges. Today, under a business-associate contract, a business associate has only limited obligations under the Security Rule. For example, the business associate must “[i]mplement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity.” This translates, for most business associates, into an obligation to maintain reasonable and appropriate security practices. However, now that business associates must comply directly with the Security Rule’s administrative, physical, and technical safeguard standards and its policy and documentation requirements, a substantially different compliance approach will be required. While the HIPAA Security Rule is very “process-oriented,” the detailed process is quite different from what most companies go through for reasonable security: there is an extensive list of particular topic areas for review (risk analysis, workforce access management, audit controls, contingency planning, and the like), a requirement to decide and document how each “addressable” implementation specification is handled, and a requirement to develop written policies and procedures that record the choices that have been made. Accordingly, moving from “reasonable and appropriate” security standards to “HIPAA compliant” security standards may require a very substantial effort for many business associates. This effort will need to begin quickly.
Breach reporting
As with many of the state laws, the obligation of a “business associate” under the HITECH breach-reporting provisions is to report a breach to the covered entity, much like the current reporting structure for “security incidents” under the Security Rule. For business associates, it will be critical to implement a program to identify these breaches, investigate them promptly, and report them to customers. In addition, this provision creates some challenges for the business associate contracting process. Because the notice provision applies to breaches that are discovered on or after the date 30 days after the implementing regulation is published (and that regulation is required to be issued within 180 days of passage of the law), this provision will take effect before most of the other provisions of the law. Business associates should anticipate pressure from customers to execute these agreements on a quicker timetable than otherwise would be required.
The planning process
With these new requirements and risks for business associates, how does a business associate work its way through these challenges?
The biggest challenge will be to manage the business associate contracting process. This will involve both timing and substantive issues. Companies that are business associates will want to promptly identify a strategy for this process, to assess the volume of contracts affected and the substance of what these documents should say. Moreover, companies should anticipate a wide range of new demands from healthcare customers related to these rules (and perhaps other topics as well). Companies should pay close attention to the “required” elements of a business associate contract, which will change somewhat but not dramatically, and should also carefully consider any proposed extension of these requirements to new or greater obligations than the law actually requires.
Companies need to begin their security rule compliance efforts now. For some companies, this effort will mainly involve documentation—understanding the requirements of the HIPAA Security Rule and converting current security policies and procedures into HIPAA-compliant documents. For other companies, particularly those without well-developed information-security programs, the required efforts may be much more substantial. It will be critical to involve personnel beyond the information technology (IT) department in these efforts—the Security Rule requires a variety of steps beyond the usual expertise of IT departments (involving personnel policies, training, and other areas). Moreover, when HIPAA-covered entities went through the Security Rule compliance process, they found that the biggest challenge often was to “translate” security practices into meaningful policies and procedures that can be understood by the workforce and presented (if necessary) to customers and regulators.
Breach planning and education
In addition to an overall security process, business associates will need to develop security-breach notification plans. These will require not only a thorough process for investigating breach reports and mitigating potential damage, but also an internal education and training plan along with a communications strategy for reporting these breaches to customers. This is an area where the risks are quite high because any security breach notification situation involves a security failure of some kind. Moreover, these breach-reporting provisions may be the most complicated part of the business associate contracting process—because covered entities will be pushing for quick reporting with detailed investigative information about the breaches, along with provisions dictating financial responsibility for the results of breaches.
Overall compliance review
In addition, companies must conduct an overall compliance review to ensure that appropriate practices are in place. While there clearly are new requirements imposed by HITECH, business associates also must review their existing contractual obligations and practices. While many business associates have been diligent about their overall HIPAA compliance, others have taken a more “hands off” attitude based on a “low-risk” evaluation. Given the wide-ranging set of new obligations and the increased enforcement risks, this may no longer be an appropriate risk management approach.
Segregation of activities
Another challenge may be more subtle, but may be very important for some companies. If your company provides services only to the healthcare industry, you may not need or want to segregate your “HIPAA” component from your other activities. For other companies, where the healthcare industry is one of many industries served by your company, you may wish to evaluate whether there are reasonable means of separating the healthcare practices from those other areas so that the needs for HIPAA compliance do not bleed over into areas where meeting such rigorous requirements is not necessary. This may be easier to do on the privacy side than in connection with security, because security controls (network segmentation, access management, logging, and the like) are usually shared across the whole organization. In fact, an inability to complete this segregation may mean that security compliance efforts are even more significant, because the full Security Rule program would then have to cover the entire environment. This issue requires a careful evaluation of the HIPAA obligations in the context of your overall business activities.
For HIPAA business associates, there are broad new compliance obligations, coupled with significantly enhanced enforcement risks. While these challenges clearly are manageable, they require careful analysis and a thoughtful plan to respond to the many likely issues.
Kirk J. Nahra is a partner with Wiley Rein LLP in Washington, DC. He will present “Making Sense of the New Healthcare Privacy and Security Rules” on Friday, September 18 at the Privacy Academy 2009 in Boston.