Federal Security and Privacy Provisions Expanded

06.01.2009

In addition to funding the development of health information technology (as well as several other federal initiatives), the American Recovery and Reinvestment Act (“ARRA”) greatly expanded security and privacy requirements at the federal level. ARRA expanded the scope of the federal security and privacy provisions to include the business associates of health plans and providers, potentially subjecting agents, brokers and third party administrators, among others, to the federal rules. ARRA also created new federal security breach notice requirements and expanded the enforcement powers under the HIPAA security and privacy rules.

Security

ARRA applies the HIPAA security regulations to business associates. Business associates are defined as entities that perform, or assist in the performance of, a function or activity on behalf of a health plan or health care provider that involves the use or disclosure of individually identifiable health information. Examples include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing. The definition also includes legal, actuarial, accounting, consulting, management, administrative, accreditation and financial services.

Specifically, ARRA subjects business associates to the following security requirements and requires implementation of:

Administrative safeguards, including a security management process, workforce security, training and security incident procedures.

Physical safeguards, including facility access controls, workstation use, workstation security and device and media controls.

Technical safeguards, including access controls, audit controls and transmission security.

Policies, procedures and documentation requirements, including written security policies and procedures and documentation of incidents and activities that are subject to the security requirements.

The penalty provisions of the federal security rules are also applied to business associates.

Security Breach Notices

ARRA creates new federal standards for security breach notices and applies those standards to health plans and providers, as well as to business associates. Under the new law, covered entities and business associates must notify affected individuals if there has been a security breach involving “unsecured” protected health information. A breach is generally defined as any unauthorized acquisition, access, use or disclosure of protected health information. This definition is much broader than the definition found in most state security breach notice laws because it does not require a finding that harm, or the potential for harm, must exist before notice to individuals is required.

The required notice must be delivered without unreasonable delay and no later than 60 days after the discovery of the breach. Notice must be provided directly to the individuals whose information was breached. In addition, in some instances notice must be provided to “prominent media outlets” serving the state. Notice must also be provided to the Secretary of Health and Human Services.

ARRA prescribes five specific elements that must be included in the breach notice. When preparing breach notices, it is important that the notice comply with both the ARRA requirements and applicable state law. A HIPAA preemption analysis should be applied when determining whether to comply with the federal or the state requirements. Generally speaking, whichever provision of law provides the greater protection and/or rights to individuals should be followed.

Privacy Provisions

ARRA also expands privacy protections in several important areas. First, it states that business associates are treated like covered entities with regard to contract requirements, knowledge elements and the application of civil and criminal penalties. ARRA also places additional restrictions on the sale of health information and expands the rule on accounting for disclosures of health information. Under the new rules, covered entities must, if requested by an individual, provide an accounting of disclosures made from electronic health records, including disclosures made to carry out treatment, payment and health care operations. The Secretary of HHS is charged with developing regulations that take into account the interest of individuals in receiving this information and the administrative burden of providing the accounting.

Enforcement

ARRA also contains provisions relating to the “improved” enforcement of HIPAA. By improved enforcement, ARRA means that state attorneys general may, if they believe a resident of their state has been or is threatened or adversely affected by any person who violates any of ARRA’s security and privacy provisions, bring a civil action in federal court to enjoin further violations and to obtain damages, including the state attorney general’s fees and the costs of the action. In a rather ironic way, the naivety of implying that state attorneys general feel they need statutory authority to take action against the insurance industry is somewhat amusing.

Chris Petersen is a Partner in the firm’s Insurance and Reinsurance Practice. He concentrates in legal and compliance services relating to the Health Insurance Portability and Accountability Act (HIPAA), privacy, state small-group and individual insurance reform regulation and the interaction between state and federal law. Chris received his bachelor’s degree from Washington University in St. Louis, Mo. and his law degree from Georgetown University.