Health data privacy and security: How does the stimulus bill change the legal landscape?

Although they have yet to attract attention, new requirements for protection of personal health information that are included in the recently enacted economic stimulus legislation, Public Law No. 111-5 (Feb. 17, 2009), will significantly effect members of the health care industry — as well as entities with whom they work.

These provisions increase the compliance stakes for “covered entities” regulated by the Department of Health and Human Services’ privacy and security rules implementing the Health Insurance Portability and Accountability Act of 1996. In addition, they expose “business associates” of such covered entities, as well as “vendors” of certain personal health information, to new liability risks.

The pertinent provisions of the stimulus legislation are part of the initiative for Health Information Technology that is designed to streamline the sharing of health information through the use of electronic medical records. To ensure the privacy and security of individually identifiable health information in this context, Congress expanded on many of the obligations and enforcement mechanisms under the HIPAA privacy and security rules. This article provides a high-level summary of just some of the more pertinent provisions.

Breach notifications

Following the lead of many states that have enacted laws requiring notification to law enforcement and affected individuals of breaches of personal information security, Congress included in the stimulus legislation similar breach notification requirements with respect to health information. Under these requirements, HIPAA covered entities (health care providers engaging in certain electronic transactions, health plans and health care clearinghouses), their business associates and vendors of personal health records must notify affected individuals of a breach of unsecured protected health information or personal health record information. In addition, covered entities and their business associates must provide breach notifications to the HHS (vendors must notify the Federal Trade Commission) and, if more than 500 individuals are affected in a particular area, also notify prominent media outlets serving that area. The HHS will post on its website a list of each covered entity involved in a breach affecting more than 500 individuals.

Marketing

The HIPAA privacy rule generally prohibits the use or disclosure of protected health information for marketing purposes without an individual’s written authorization. “Marketing” generally means providing a communication that encourages the recipient to purchase or use a particular product or service. However, such a communication is not marketing if it is made for purposes of describing a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity; providing treatment to the recipient; or case management or care coordination, or directing or recommending alternative treatments, therapies, health care providers, or settings of care — even if the covered entity is paid by a third party to make the communication.

Under the new stimulus legislation, a covered entity is prohibited to make any of the three above-referenced “exempted” types of communications in exchange for payment (direct or indirect) without an individual authorization, unless the communication describes only a drug or biologic that is being prescribed for the recipient of the communication; and the payment received by the covered entity in exchange for making the communication is “reasonable in amount.” The HHS is charged with defining, by regulation, what constitutes reasonable in amount in this context.

Notably, the stimulus legislation states that “direct or indirect payment shall not include any payment for treatment [as defined in the HIPAA privacy rule] of an individual.” However, the HHS officials have said that, “It is not marketing for a doctor to make a prescription refill reminder even if a third party pays for the communication. The prescription refill reminder is considered treatment. The communication is therefore excluded from the definition of marketing and does not require a prior authorization.” Apparently, the stimulus legislation overrides this HHS interpretation of refill reminders as treatment, at least with respect to the requirement to obtain an individual authorization if the refill reminder is made in exchange for payment beyond “reasonable in amount.”

Sale of protected health information

The stimulus legislation prohibits covered entities and their business associates from receiving payment in exchange for protected health information without an individual authorization that refers to the payment unless the purpose of the exchange is for:

• Research and the price charged reflect the costs of preparation and transmittal of the data.
• Treatment.
• Due diligence in connection with the sale, transfer or merger of the covered entity.
• Permissible contracted work pursuant to a business associate agreement.
• The provision of a copy of the protected health information to the individual to whom it pertains.
• Other purposes as determined by the HHS.

Business associate liability

Business associates of covered entities are not subject to direct liability under HIPAA or its implementing rules; rather, they are liable for breach of their required business associate contracts with HIPAA-covered entities. The stimulus legislation changes that legal framework: it applies the pertinent provisions of both the HIPAA privacy rule and the security rule, including the enhancements to those provisions in the stimulus legislation, directly to business associates, such that the civil and criminal penalties for violating those provisions may be imposed on business associates in the same manner as they apply to covered entities. This could well alter the dynamics of negotiating business associate agreements, particularly in light of the new enforcement provisions included in the stimulus bill, as described below.

Enhanced enforcement

Only the HHS has authority to enforce the HIPAA regulations, except with respect to criminal conduct, which is subject to Department of Justice investigation and the imposition of criminal penalties. The stimulus legislation grants new authority to both the HHS and the DOJ with respect to penalties (and increases the amount of potential civil penalties imposed). The legislation also provides that any civil monetary penalties or monetary settlements obtained are to be transferred to the HHS Office for Civil Rights for use in its future privacy and security enforcement activities.

In addition, the stimulus legislation authorizes state attorneys general to bring a civil action on behalf of state residents that have allegedly been harmed by HIPAA violations. (They may not, however, bring such an action if the HHS had already initiated action regarding the same alleged violation, for as long as the HHS action is pending.) In such actions, state attorneys general may pursue injunctive relief, statutory damages and attorneys’ fees. The damages obtained in such an action could be as much as $100 per violation, with a maximum of $25,000 for all violations of an identical requirement or prohibition during a single calendar year.

Studies and regulations

The stimulus legislation requires that several studies be undertaken and that the HHS and the Federal Trade Commission promulgate a variety of regulations to implement the provisions relevant to their respective jurisdictional authority.

In general, the health information privacy and security provisions of the legislation take effect within one year of enactment, ie, on Feb. 17, 2010, and much of the regulatory work is required to be done prior to that date. Covered entities, their business associates, medical researchers and others with an interest in individually identifiable health information would be well advised to seek counsel on the potential effect of the new legislation on their activities and plans, as well as advice on how they might influence the content of the forthcoming implementing regulations.

The significance of the legislation and those regulations may be far greater for certain entities than is suggested by this short summary of selected provisions.

Nancy L. Perkins is counsel in the Washington, D.C. law firm Arnold & Porter LLP. Ms. Perkins regularly advises clients on federal and state requirements for privacy and security of medical, financial and electronic data. She has particular expertise in the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act, and their implementing regulations. She also has an extensive background in international law and advises clients on the rapidly developing framework for global protection of data privacy and security. Ms. Perkins can be reached at nancy.perkins@aporter.com.