The economic stimulus bill passed by the House and currently under consideration by the Senate, the American Recovery and Reinvestment Act of 2009 (H.R. 1), contains significant changes that would substantially broaden the scope and impact of the existing security and privacy rules implemented under the Health Insurance Portability and Accountability Act (HIPAA). These changes affect not only health care providers, but also business associates and other entities not currently subject to the HIPAA rules. The changes are extensive and include, but are not limited to, the following:
1. Business Associates. The legislation would extend the application of the main provisions of the security and privacy rules to business associates, and would subject business associates to civil and criminal penalties for violation of the rules. It also requires the Secretary of HHS to conduct periodic compliance audits of business associates as well as covered entities.

In addition to entities currently classified as business associates, the legislation designates as business associates organizations that provide PHI data transmission and require access to such PHI on a routine basis, as well as vendors who contract with covered entities to offer personal health records to patients. These entities include Health Information Exchange Organizations, Regional Health Information Organizations, and E-Prescribing Gateways.
2. Notification Requirements. Currently, a covered entity is not required to notify individuals of privacy or security breaches unless the covered entity determines that such notification is necessary to mitigate damage to the individual. H.R. 1 requires covered entities to notify both individuals and the Secretary of the Department of Health and Human Services (HHS) of “unsecured protected health information” breaches. In the event that the breach affects more than 500 individuals, notification must also be made to prominent media outlets serving the state or jurisdiction in which the individuals reside. The Secretary would also post the notification on the HHS website.

“Unsecured protected health information” is defined as protected health information (PHI) not secured through the use of a technology or methodology specified by the Secretary of HHS. The Secretary is required to issue, and annually update, guidance specifying technologies and methodologies that render PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” If the Secretary fails to issue this guidance within 60 days of enactment, the technology standard applied will be one developed or endorsed by a standards developing organization accredited by the American National Standards Institute.
3. Requested Restrictions of Disclosures of Health Information. Currently, an individual has the right to request that the covered entity restrict certain disclosures of PHI, but the covered entity is not required to agree to the restriction. Under H.R. 1, the covered entity would be required to comply with the request, unless otherwise prohibited by law, if the disclosure is to a health plan for payment or health care operations purposes and the PHI pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full.
4. Minimum Necessary Standard. The HIPAA privacy rule requires covered entities to apply a minimum necessary standard to uses and disclosures of, and requests for, PHI. H.R. 1 requires the Secretary to issue guidance on what constitutes “minimum necessary” within 18 months after enactment. Until this guidance is issued, H.R. 1 would require that, before using, disclosing or requesting PHI, the covered entity determine whether a limited data set would accomplish the purpose.

A “limited data set” is PHI that excludes the following identifiers: names; postal address information, other than town or city, State, and zip code; telephone numbers; fax numbers; electronic mail addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; web universal resource locators; internet protocol address numbers; biometric identifiers, including finger and voice prints; and full face photographic images and any comparable images. If a limited data set is not practicable, the covered entity must then apply the minimum necessary standard.
5. Accounting of PHI Disclosures from Electronic Health Records. Currently, the privacy rule’s accounting requirement does not include PHI disclosures for treatment, payment and health care operations purposes. Under this legislation, if a covered entity uses or maintains an electronic health record (EHR), an individual will have the right to receive an accounting of these disclosures made during the 3 years prior to the date of the request. A “reasonable fee”, not greater than the entity’s labor costs in responding to the request, may be imposed. This requirement would be effective as of January 1, 2014 for covered entities that have acquired an EHR prior to a certain date.[1] For covered entities acquiring an EHR after that date, the requirement will be effective on the later of January 1, 2011 or the date the EHR is acquired.
6. Health Care Operations. The legislation instructs the Secretary to eliminate from the definition of "health care operations" any activities that can reasonably and efficiently be conducted through the use of deidentified information.
7. Sale of EHRs or PHI Obtained from EHRs. H.R. 1 prohibits a covered entity or business associate from directly or indirectly receiving any remuneration in exchange for an individual’s PHI unless the covered entity receives a valid authorization that specifies whether the PHI may be further exchanged for remuneration by the recipient of the PHI. Exceptions exist for research; public health activities; treatment; activities related to the sale, transfer, merger or consolidation of the entity; payment by a covered entity to a business associate for activities covered by the business associate agreement; and providing a copy of the PHI to the individual. The Secretary is authorized to create additional exceptions.
8. Individual Access to PHI. H.R. 1 requires covered entities that use or maintain EHRs to provide individuals with access to their PHI in electronic format if requested.
9. Marketing. The legislation includes stricter prohibitions on the use of PHI for marketing.
10. Personal Health Records. H.R. 1 imposes notification requirements on vendors of personal health records (PHRs) in the event that a security breach is discovered involving unsecured identifiable health information in a PHR maintained or offered by the vendor.
11. Psychotherapy Notes. The legislation requires the Secretary to revise the definition of "psychotherapy notes" to include test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation, as determined by the mental health professional providing treatment or evaluation.
12. Enforcement. The legislation also includes the following provisions with regard to enforcement of the privacy and security rules:

- Clarifies that, in addition to the covered entity itself, employees or other individuals are subject to criminal penalties;
- For purposes of applying wrongful disclosure criminal penalties, states that a person is considered to have obtained or disclosed PHI in violation of the statute if the information is maintained by a covered entity and the individual obtained or disclosed the information without an authorization;
- Requires the Secretary to impose civil penalties for violation of the rules due to “willful neglect”;
- Requires that any civil monetary penalty (CMP) or settlement amount collected as a result of a privacy or security rule violation be transferred to the Office for Civil Rights to be used for enforcement of the HIPAA privacy and security rules;
- Requires the Secretary to establish a methodology to distribute a percentage of the CMPs collected to individuals harmed by the violation;
- Establishes the following tiered system of CMPs:
  - Unknowing violations: at least $100 per violation, not to exceed $25,000 in a calendar year;
  - Violation due to reasonable cause, not willful neglect: at least $1,000 per violation, not to exceed $100,000 in a calendar year;
  - Violation due to willful neglect: at least $10,000, not to exceed $250,000 in a calendar year, except that if the violation is not corrected within 30 days of the first date the person liable for the penalty knew or should have known that the violation occurred, the penalty increases to at least $50,000, not to exceed $1,500,000; and
  - The Secretary retains discretion to use corrective action without penalty in cases where the person did not know, and by exercising reasonable diligence would not have known, of the violation.
- Requires the Secretary to conduct periodic audits to ensure covered entity and business associate compliance with the privacy and security rules; and
- Gives state attorneys general authority to bring suit in federal district court, on behalf of state residents, against any person violating the rules, to enjoin further violation or to obtain damages on behalf of such residents. Statutory damages are determined by multiplying the number of violations by up to $100, not to exceed $25,000 in a calendar year for violations of identical requirements or prohibitions. In addition, the court may award attorney fees to the state. The Secretary has the right to intervene in such actions.