
By Jacqueline Darrah and Kelsey Brodsho, Halleland Lewis Nilan & Johnson
The American Recovery and Reinvestment Act of 2009 (ARRA) dramatically expands existing requirements under the Health Insurance and Portability Act of 1996 (HIPAA) for covered entities and business associates. The effective dates of the ARRA requirements vary, and regulations further defining the requirements are forthcoming. The staggered effect of implementation may lead some to conclude that no action is necessary to comply at this time. However, organizations should take proactive steps to prepare for compliance in these key segments.
Expanded Enforcement
The ARRA greatly expands enforcement at both the federal and state levels. The ARRA requires the Centers for Medicare and Medicaid Services (CMS) to periodically audit covered entities and business associates for compliance with privacy and security requirements, increases civil monetary penalties, provides for penalties to be imposed on business associates, and authorizes state attorneys general to bring civil actions and assess damages for violations. Therefore, covered entities and business associates should conduct internal compliance assessments to evaluate any gaps in privacy and security practices, policies, and procedures and correct any deficiencies in anticipation of this increased enforcement activity.
Business Associates
The ARRA holds business associates directly accountable for existing HIPAA privacy and security standards and new ARRA requirements. It also expands the scope of organizations that are considered to be business associates. Previously, business associates were required to comply with select HIPAA requirements through contracts with covered entities. Therefore, organizations that have traditionally had limited responsibilities as business associates should review practices, policies and procedures to ensure compliance with all new and existing HIPAA requirements. To the extent that the new privacy and security regulations impact relationships with business associates, covered entities should be prepared to amend business associate agreements to comply with the additional requirements of the ARRA.
Disclosure of PHI
The ARRA requires covered entities, business associates, and other vendors of personal health records to notify the individual, various federal agencies and, potentially, the media of any breach of “unsecured” protected health information.
The scope and method of notification varies depending on the nature and extent of the breach. Notification requirements may include written notification by first-class mail, posting notices on the covered entity’s website, publication through the media, and even telephone contact. The content of the notification is also specifically defined by the ARRA. In order to meet this new requirement, covered entities and business associates should evaluate whether they are maintaining information that is “unsecured” and develop systems that identify breaches of protected health information.
Sale of PHI
The ARRA creates increased protections for protected health information by prohibiting the sale of protected health information for covered entities using electronic health records without a written authorization that specifies that the protected health information can be further exchanged by the entity receiving it, except in limited circumstances. In addition, unless an exception applies, any activity that involves the sale of a product or service or remuneration is deemed to be marketing, which requires an authorization from the individual. Compliance assessments should evaluate all marketing activities to determine whether the new definition creates an obligation for the covered entity to obtain a signed authorization from the individual.
Conclusion
Covered entities and business associates should review the basic requirements of the ARRA in anticipation of additional regulations, guidance, and increased enforcement. Assessing current compliance and proactively addressing additional HIPAA requirements will help these organizations implement effective compliance activities. Taking this compliance approach will help organizations avoid exposure to the ARRA’s increased and expanded HIPAA enforcement mechanisms.
Jacqueline Darrah is a shareholder in the health care practice group at Halleland Lewis Nilan & Johnson and specializes in health, compliance and business law. Jacqueline has experience in legal, policy and educational roles in areas such as compliance, fraud and abuse, pharmaceuticals, antitrust, and HIPAA privacy.
Kelsey Brodsho is an associate in the health care practice group at Halleland Lewis Nilan & Johnson, specializing in health care ethics, compliance, and long-term care.