Increased HIPAA Security Requirements Under the Stimulus Bill (ARRA)
Posted Tuesday, June 9, 2009
The recent American Recovery and Reinvestment Act (ARRA) contains a number of changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Among the most important changes are new notification obligations in cases of breaches of protected health information (PHI).
For employers, the new rules may mean a greater HR administrative burden and a greater risk of privacy-related lawsuits. The new Administration is expected to pay closer attention and push for tighter review and greater enforcement of HIPAA privacy and security rules.
Employers whose health plans must comply with HIPAA will have to review and update contracts with business associates to make certain the documents reflect the new privacy and security laws. Third-party vendors, benefits brokers and consultants will need to take additional steps to ensure that they are complying with the substance of the HIPAA security standards by adopting physical, administrative, and technical safeguards. Business associates will now be subject to civil and criminal penalties for violation of the rules, and the Department of Health and Human Services (HHS) will now be required to conduct periodic compliance audits of business associates as well as covered entities. Previously the burden fell on the covered entity (group health plans, health care clearinghouses and health care providers) to identify business associates and obtain the necessary agreements.
If a breach of unsecured PHI is discovered, health plans will now be required to notify affected individuals and — if more than 500 individuals are affected — HHS and prominent media outlets serving the area must also be notified. Health plans will also be required to maintain and submit annually to HHS a log of all breaches.
The new notification obligations are expected to take effect by September 15th (30 days after regulations regarding the notification obligations are required to be published). Health plans will be required to act quickly to revise their HIPAA policies and procedures and amend their business associate agreements to include breach notification obligations.
One way to minimize risk of security breaches and avoid breach notification obligations is to use de-identified information to the maximum extent possible. De-identified information is not PHI and, therefore, is not subject to the breach notification requirements.
Another way to reduce the likelihood of a breach is to use technologies that secure PHI by making it unusable, unreadable, or indecipherable to unauthorized individuals. If health plans and other organizations apply the technologies and methodologies specified in the guidance to secure information, they will not be obligated to provide ARRA notifications in the event the information is breached.
Employers are encouraged to:
- Revise your HIPAA policies and procedures to address these new procedures and the breach notification obligations.*
- Revise your business associate agreements to address these new procedures and obligations.*
- Make certain your physical and technical (IT) safeguards of PHI are up-to-date.
- Review your liability insurance to make certain that you are covered for potential HIPAA violations.
*Policy amendments and business associate agreements will be available to meet the September 15th deadline. The new rules will be generally effective the beginning of 2010.