
HITECH Act, Personal Health Record Vendors, And The FTC

The HITECH Act extends the legal obligations and liability for safeguarding health records to entities that are neither covered entities nor business associates under HIPAA. The affected entities are personal health record vendors (PHR Vendors) and entities that: (i) offer products or services through the website of a PHR Vendor; (ii) are not covered by HIPAA and offer products or services through the websites of covered entities that offer individuals PHRs; or (iii) are not covered entities and access information in a PHR or send information to a PHR (each a “PHR Management Service”). Also covered is any third party service provider that provides services to a PHR Vendor or PHR Management Service in connection with PHRs and “accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses, or discloses unsecured PHR identifiable health information in such a record as a result of such services.”

The new obligations created by the HITECH Act require such entities to provide notification in the event of a breach of security resulting in the acquisition of unsecured PHR identifiable health information without the authorization of the affected individuals. PHR Vendors, PHR Management Services and their respective third party servicers must notify each affected individual and the FTC; the FTC in turn must notify HHS. A third party servicer must also notify the PHR Vendor or PHR Management Service it serves of any breach it discovers, and that notice must identify each affected individual.

Each breach is treated as a violation of the Federal Trade Commission Act’s prohibition on unfair or deceptive acts or practices and is subject to civil penalties of up to $16,000 per violation (the figure in force in 2010; the FTC adjusts it for inflation). Pursuant to the HITECH Act, the FTC has adopted the Health Breach Notification Rule (the FTC Rule), under which unauthorized access to unsecured PHR identifiable health information is presumed to constitute unauthorized acquisition of that information. The presumption is rebuttable, however, if the PHR Vendor, PHR Management Service or third party servicer that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, any unauthorized acquisition of the information (for example, evidence that the data was never read or copied). The FTC has stated that the FTC Rule ‘‘does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.’’

The notification requirements for breaches set forth in the FTC Rule are similar to the requirements of the HITECH Act. The FTC Rule essentially places the same notification obligations on PHR Vendors, PHR Management Services and their third party servicers that the HITECH Act places on covered entities and business associates. The enforcement of the FTC Rule commenced on February 22, 2010 and the FTC has already posted incidents of breaches and the names of the entities involved.

The HITECH Act and the FTC Rule have upped the ante for entities not subject to HIPAA and require any business that deals with PHRs to evaluate its operations to ensure compliance. They also create additional complexity for entities that wear two hats: a company may be a business associate subject to HIPAA when it handles PHRs on behalf of a covered entity, and a PHR Vendor subject to the FTC Rule when it offers the same product directly to consumers, so which breach notification regime applies depends on the role in which the data was held.


Penalties Under The HITECH Act

Initially it was unclear whether the criminal penalties for violations of HIPAA applied to persons other than covered entities and business associates. In fact, the Department of Justice took the position that only covered entities and, in certain cases, their directors, officers and employees could be prosecuted. Under the HITECH Act, Congress resolved this ambiguity by providing that the criminal penalties apply to persons other than covered entities.

The HITECH Act added willful neglect, alongside knowing violations of HIPAA, as a basis for civil money penalties. It also introduced tiered civil penalties whose severity depends on the violator’s level of culpability. Violations due to willful neglect are now subject to civil money penalties, and starting in 2011 the Secretary of the Department of Health and Human Services is required to investigate complaints alleging such violations. There are four tiers of violations under the HITECH Act amendments.

Tier A: Violation that the covered entity did not know of and, by exercising reasonable diligence, could not have known of
   Penalty per violation: $100
   Cap for all violations of an identical requirement or prohibition in a calendar year: $25,000

Tier B: Violation due to reasonable cause and not due to willful neglect
   Penalty per violation: $1,000
   Cap for all violations of an identical requirement or prohibition in a calendar year: $100,000

Tier C: Violation due to willful neglect that is corrected within the 30-day period beginning on the first date the person liable knew, or by exercising reasonable diligence would have known, that the violation occurred
   Penalty per violation: $10,000
   Cap for all violations of an identical requirement or prohibition in a calendar year: $250,000

Tier D: Violation due to willful neglect that is not corrected within the 30-day period beginning on the first date the person liable knew, or by exercising reasonable diligence would have known, that the violation occurred
   Penalty per violation: $50,000
   Cap for all violations of an identical requirement or prohibition in a calendar year: $1,500,000

Whatever the tier, the total penalties imposed on a violator for violations of an identical requirement or prohibition in a calendar year are capped at $1,500,000.

Written Notification Under The HITECH Act

In the event that a breach requiring notification under the HITECH Act occurs the covered entity or business associate must provide notification to the individuals affected by the breach. The outline below sets forth the requirements on such notices.
A. Timing of Notification:
i. Notification must be provided without unreasonable delay
ii. No later than 60 days after discovery of the breach
iii. A breach is discovered when it is first known to the covered entity or business associate
iv. A breach is “known” when it is known, or by exercising reasonable diligence would have been known, to any employee, officer or agent of the entity other than the person committing the breach
v. Since the business associate must inform the covered entity of its breach, the clock does not start for the covered entity until it is informed by the business associate
vi. Notice may be delayed if a law enforcement official determines that it will adversely affect a criminal investigation or national security
B. Method of Notification
i. Notice must be provided in writing
ii. Notice must be sent by first class mail to the individual’s last known address, or to the next of kin if the individual is deceased
1) Electronic mail may be used if the individual expressed a preference
iii. If the contact information is out of date then a substitute method is required
1) If 10 or more individuals require this substitute method, the notice must be conspicuous and remain available for a length of time set by the Secretary of HHS
I. Alternative methods can be
a. On the home page of the website of the covered entity or business associate, or
b. In prominent media outlets (print or broadcast), including media outlets where affected individuals reside
c. These alternative methods must include a toll free number
iv. In addition to the above methods, a telephone call to affected individuals is permitted if there is high risk of “possible imminent misuse of unsecured” PHI
v. If a breach involves 500 or more residents of a state or jurisdiction, in addition to the above methods
1) Prominent media outlets shall be used to provide notification
2) HHS must also be notified immediately (contemporaneously with the individual notices) if unsecured PHI of 500 or more individuals is acquired or disclosed
I. For smaller breaches a log must be maintained and submitted to HHS annually, within 60 days after the end of the calendar year in which the breaches were discovered
II. HHS will publicly identify each reporting covered entity on its website and report them to Congress annually
C. Content of Notification
i. Regardless of the form all notifications must set forth:
1) Description of the breach and timing
2) Nature of the unsecured PHI subject to the breach
3) What affected individuals can do to protect themselves
4) Description of the efforts to investigate the breach, mitigate the harm and limit future breaches
5) How affected individuals may contact the covered entity or business associate to get assistance and access more information

HITECH Act Ups The Ante Under HIPAA

Enacted on February 17, 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) requires entities covered by HIPAA and their business associates to notify each individual “whose unsecured PHI (protected health information) has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to a breach. Protected health information is deemed secured when it has been rendered unusable, unreadable or indecipherable to unauthorized persons by encryption or destruction consistent with the standards of the National Institute of Standards and Technology (HHS’s guidance points to NIST SP 800-111 for data at rest and NIST SP 800-88 for media sanitization). The encryption safe harbor holds only as long as the decryption key has not itself been compromised: if an attacker obtains both the encrypted data and the key, the PHI is unsecured and notification is required.

A breach is defined under the HITECH Act as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The HITECH Act also sets forth two exceptions to reporting a breach when (1) an employee or authorized individual of a covered entity or a business associate has unauthorized acquisition, access, or use made in good faith within the course and scope of employment or other professional relationship and no further acquisition, access, use, or disclosure of the PHI takes place; or (2) an individual authorized to access the PHI at a facility operated by a covered entity or business associate inadvertently discloses the PHI to a similarly situated individual at the same facility and no further acquisition, access, use, or disclosure of the PHI takes place.

Written notification of a breach must take place without unreasonable delay, and in any event no later than 60 calendar days after the breach is known to the covered entity or business associate, i.e., to any of its employees, officers or other agents other than the individual causing the breach. Notifications may be provided electronically if the individual has expressed that preference. If the contact information is out of date or nonexistent, substitute notice must be provided via the entity’s website or major media outlets, and such substitute notice must include a toll free number. If 500 or more residents of a state or jurisdiction are affected by the breach, notice must also be provided via prominent media outlets in addition to the usual methods. The notices must set forth the nature of the breach, a description of the PHI involved, the steps individuals should take to protect themselves, the actions taken by the covered entity or business associate, and contact procedures.

The HITECH Act clarified an ambiguity under HIPAA by providing that HIPAA’s criminal penalties apply to persons other than covered entities. Thus business associates and other third parties that obtain or disclose PHI without authorization are subject to criminal penalties. The civil penalties for failure to comply with HIPAA have also been increased: the HITECH Act introduced tiered penalties whose severity depends on the violator’s culpability, violations due to willful neglect are now subject to civil money penalties, and starting in 2011 the Secretary of the Department of Health and Human Services is required to investigate complaints alleging such violations. There are four tiers of violations under the HITECH Act amendments. The penalties escalate from $100 per violation at the lowest tier to $50,000 per violation at the highest, and the calendar-year caps for violations of an identical requirement or prohibition range from $25,000 to $1,500,000.

This summary only covers the salient points of the HITECH Act for the lay person. The details of other provisions will be covered in other postings in this series.