The federal American Recovery and Reinvestment Act (Stimulus Bill), enacted on February 17, 2009, calls for significant changes to current HIPAA regulations. Perhaps the most notable change will require business associates (such as accountants, attorneys, claims companies, etc.) to comply directly with a number of HIPAA provisions and subject those entities and individuals to civil and criminal penalties under HIPAA. This change will likely require health care providers to modify their existing business associate agreements. It will also require business associates to, among other things, appoint a HIPAA security officer, develop privacy policies and procedures, train their employees on privacy procedures, and enact physical safeguards for protected health information.
Under the new changes, following a breach of the privacy or security of protected health information, business associates will be required to notify the covered entities with which they contract. Covered entities will then be required to notify the individuals whose privacy has been compromised within 60 days if their unsecured protected health information has been disclosed as a result of a breach. A covered entity will be required to notify the United States Secretary of Health and Human Services (HHS) if the breach affects more than 500 individuals; some smaller breaches will also need to be reported to HHS annually. These requirements are not in effect yet. The final regulations will be due within 180 days.
Another change to HIPAA found in the Stimulus Bill will allow patients who pay for health care in full with out-of-pocket funds to request that covered entities not disclose their protected health information to health plans for the plans’ health care operations. While current law generally allows covered entities to decline such restriction requests, covered entities will now be required to comply with restriction requests under these circumstances.
Also, covered entities using Electronic Health Records will be required to account for the past three years of disclosures of protected health information to any individual requesting such information. Covered entities will be able to choose between accounting for the disclosures of their business associates or providing the requesting individual with a list of their business associates, who will then be required to provide an accounting of disclosures directly to the individual. Specific regulations on this issue are to be issued by HHS within six months.
The Stimulus Bill also states that a covered entity or business associate cannot sell protected health information without first obtaining authorization from the individual whose information is being sold. There are some exceptions to this rule, such as exchanges that are involved in the sale or merger of a covered entity. The Stimulus Bill requires the Secretary of HHS to issue rules implementing this section within 18 months.
The Stimulus Bill also specifically gives individuals the right to a copy or explanation of their protected health information held by covered entities in electronic format and to have the covered entity transmit that copy to an entity or person of the individual’s choice. Any fee imposed by a covered entity for that copy should not exceed the labor cost. This change apparently takes into account the lower cost of e-mailing electronic health records and encourages electronic transmittal rather than the provision of paper copies of records.
The Stimulus Bill also clarifies certain criminal penalties for disclosure of protected health information and authorizes state attorneys general to bring civil suits to enforce HIPAA privacy violations on behalf of residents of their states. Additionally, the Stimulus Bill increases the amount of civil monetary penalties allowed and requires HHS to establish a regulation that permits individuals affected by HIPAA violations to receive a percentage of any civil monetary penalties or settlements collected by HHS or a state attorney general due to a disclosure of that individual’s protected health information. A portion of these monetary penalties and settlements will also be provided to HHS’s Office of Civil Rights to ramp up enforcement of HIPAA. The Stimulus Bill also requires periodic audits by HHS to ensure HIPAA compliance by covered entities and business associates.
Finally, under the Stimulus Bill the Secretary of HHS is instructed to study the definition of psychotherapy notes currently found in HIPAA and to issue a regulation to revise that definition if the Secretary believes that such action is warranted.
While most of these rules do not take effect immediately, HIPAA provisions will clearly be changing significantly over the next two years as a result of the Stimulus Bill.
For further information, please contact Lora L. Zimmer or your regular Hinshaw attorney.
This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.