The American Recovery and Reinvestment Act of 2009 requires "covered entities," which typically are employers or insurers that sponsor health plans, to notify individuals in writing if their personal health information is compromised. The notice must be sent within 60 days of discovering the privacy breach; if the breach involves 500 or more individuals, plan sponsors also must notify the Department of Health and Human Services and "prominent media outlets serving a state or jurisdiction."
For the first time, the American Recovery and Reinvestment Act extends direct HIPAA enforcement to "business associates," such as benefit consultants, third-party administrators and disease management and wellness program providers.
In addition, the legislation gives state attorneys general the authority to bring lawsuits seeking statutory damages and attorneys' fees for HIPAA violations on behalf of affected state residents. Previously, HHS' Office for Civil Rights alone handled HIPAA enforcement.
When HIPAA was enacted in 1996, it did not require notification of individuals affected by privacy breaches, said Jessica Bernanke, an associate at Morgan, Lewis & Bockius in Washington. "It only required employers to protect the personal health information. It was up to the employer" to decide whether to notify plan members, she said.
The requirement in the new law is the first time the U.S. government has addressed the issue of notification in the event of personal information security breaches, said Lisa Sotto, a partner who heads the privacy and information management practice at Hunton & Williams in New York. While more than 40 states have security breach notification laws, only two, Arkansas and California, govern notification of unauthorized disclosure of personal health information.
"Now we're seeing the first federal breach law, and it covers health data only," Sotto said. "It's as if the gauntlet has been laid to serve as precedent for the passage of a general security breach notification law" at the federal level.
Before the American Recovery and Reinvestment Act, only the health plan sponsor, which generally was either an employer or insurer, was considered the "covered entity" subject to HIPAA's requirements. All associated providers were obligated only by contract to follow HIPAA, said Bernanke. "This puts more burden on the vendors," she said.
"This will affect employers' relationships with [pharmacy benefit managers], disease management vendors and others that previously flew under the radar," said Frances Wiet, chief privacy officer at Lincolnshire, Illinois-based Hewitt Associates Inc. "Employers will need to review their business associate agreements."
It was unclear last week whether the new HIPAA provisions apply to the creators of personal health records, although some sources said that is likely.
Ray Brusca, vice president of benefits at Black & Decker Corp. in Towson, Maryland, said he was not overly concerned about the HIPAA changes because Black & Decker has no direct access to its employees' personal health information.
"I would be concerned if I were the keeper of this information, but most of the real information is held by insurers and TPAs," Brusca said.
"This is creating more risk, especially on the health plan side," concurred Ed Jones, president of the Atlanta consulting firm that set up HIPAA.com. "I've worked with a lot of TPAs, and a lot didn't have these security provisions in place."
However, a spokesman for America's Health Insurance Plans, the Washington-based health insurer trade group, said most of its members already adhere to the HIPAA privacy and security rules as "covered entities" regarding their group and individual health plan business. Members apply the same security protection standards when they serve only as TPAs, he said.
The provision granting state attorneys general HIPAA enforcement authority almost certainly will lead to increased litigation over violations, Sotto predicted.
To illustrate her point, she said the New York attorney general's office responded in less than 24 hours to a case she is handling involving a security breach of one person's personal banking information.
"It tells you the extent to which AGs are focused on security breaches," Sotto said.
The American Recovery and Reinvestment Act also increases maximum civil penalties for HIPAA violations and allows plan members to seek a portion of any damages awarded in litigation, Bernanke said.
"There is some potential for abuse of litigation," said Hewitt's Wiet. "It sort of creates a private cause of action."
The increased penalties went into effect with the signing of the bill last week. Within 60 days of enactment, the HHS secretary is required to issue guidance on what constitutes unsecured health information subject to HIPAA rules. Most of the other provisions take effect a year from the law's February 17 signing.