American Recovery and Reinvestment Act of 2009 (ARRA) Impacts HIPAA Privacy and Security Rules
Overview
In the past, HIPAA was largely a formality: action was rarely taken for noncompliance as long as the necessary paperwork was in place. Legislation imposed by ARRA* demands that HIPAA be taken more seriously. Penalties that were once $100 per violation are now potentially thousands of dollars. Furthermore, the Department of Health and Human Services (HHS) will significantly increase auditing activities and apply penalties as needed.
ARRA imposes stricter and more complex compliance duties on Plan Sponsors, especially those who serve as a Covered Entity to administer self-funded plans such as Flexible Spending Accounts. State Attorneys General can now bring HIPAA enforcement action against a Covered Entity that is in violation.
* The portion of ARRA that pertains to the HIPAA Privacy and Security Rules is known as the Health Information Technology for Economic and Clinical Health Act (HITECH).
UPCOMING WEBINAR
ArlenGroup will be hosting a webinar on the topic of ARRA's impact on HIPAA Privacy and Security on Wednesday May 27th from 12:00 – 1:00 pm.
Employee benefit law expert John Barlament, from the Employee Benefits Group of Michael Best & Friedrich LLP, will provide a practical explanation of these new rules and the steps you and your health plan must take to be in compliance.
Key Impact on Employers/Covered Entities
- HHS is required to increase the frequency of audits of Business Associates and Covered Entities, and both will face the same civil monetary and criminal penalties for non-compliance. The penalties for violation of HIPAA rules have significantly increased.
- Employers may be required to have a Business Associate Agreement with organizations that transmit PHI on their behalf. In addition, Business Associates are subject to the terms of HIPAA's Security Rules and certain Privacy Rules which originally only impacted Covered Entities.
- Covered Entities are required to disclose only the “minimum necessary,” defined as a limited data set of information, unless more is necessary.
- ARRA prohibits Covered Entities and Business Associates from receiving compensation for the exchange of PHI in marketing and non-marketing communications, unless certain provisions are met.
- ARRA prohibits a Covered Entity from sending fundraising communications to an individual who has elected not to receive such material.
- If a Business Associate or Covered Entity suspects a PHI breach has taken place, a pre-determined breach notification procedure must be followed. Individuals affected by a breach may be able to collect a percentage of any monetary settlement.
- In the event of a breach, if proper technologies and methodologies are followed, distribution of notifications to affected individuals may no longer be required (Note: Covered Entities and Business Associates are not necessarily relieved from other privacy and security obligations under federal and state laws).
- Individuals are now entitled to restrict a Covered Entity's disclosure of their PHI under certain circumstances. An individual also has the right to receive a copy of their Electronic Health Record (EHR) for the three-year period prior to the request, as well as to direct the Covered Entity to transmit their EHR to another entity.
- Covered Entities and Business Associates must keep a log recording each disclosure of PHI made from an EHR. This accounting now includes disclosures for treatment, payment and/or health care operations.
- The new penalties and audit requirements took effect on February 17, 2009. The breach notification procedures will take effect no later than September 15, 2009, and the majority of the remaining requirements will take effect on February 17, 2010.
Employer Action Items
Prior to September 15, 2009:
- Track where PHI is located within the company and have a system in place to monitor access.
- Determine the breach notification procedures applicable to the company and set up a database of individual contact information in the event of a breach.
- Adopt technologies and methodologies (encryption and destruction of PHI) that meet ARRA standards.
- Inform and train employees on ARRA provisions if they are likely to access PHI.
Prior to February 17, 2010:
- Obtain revised HIPAA documents and gather revised Business Associate Agreements from all third party administrators.
- Develop processes and procedures to ensure the employees’ PHI requests can be met.
Prior to January 1, 2011:
- Require the Business Associate to establish a log to account for PHI disclosures made after January 1, 2009 (for PHI disclosed prior to January 1, 2009, the deadline is January 1, 2014).
Key Questions Surrounding ARRA
- Will ARRA require changes to HIPAA Forms? ARRA will require changes to HIPAA Forms. ArlenGroup will provide revised forms for all clients. The final versions will be available in late summer, after final regulations are in place.
- How can an individual receive full accounting of EHR disclosures? Covered Entities will either aggregate the data from their Business Associates’ logs or direct individuals to approach the Business Associates directly.
Terminology & Resources
The Insight newsletter is not intended to provide legal advice but perspective on recent regulatory issues, trends and standards affecting employee benefits. Please consult your own legal counsel for further information on the topics discussed in this issue of Insight.