Vendors to Health Care Providers - New Law May Directly Regulate Your Data Privacy Practices
April 20, 2010
by Michael Fleming & James Graves
Although some refer to the recently-enacted healthcare reform bill as simply, "The Healthcare Bill," those in the health industry know that it is not President Obama's first law with healthcare implications. That distinction goes to the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Reinvestment and Recovery Act of 2009.
The HITECH Act made significant changes to HIPAA's requirements for "business associates." Under HIPAA, a business associate was anyone outside a covered entity's workforce who used or disclosed protected health information. HIPAA regulated business associates, if at all, through its requirement for Business Associate Agreements (BAAs). Covered entities were required to enter into these contracts with their business associates. The BAAs had to include terms limiting the disclosures business associates could make and requiring them to appropriately safeguard protected health information. Any enforcement of these agreements was left to the covered entities—only covered entities were directly subject to HIPAA or its regulatory enforcement mechanisms.
HITECH changed all that. A business associate's obligation to protect data no longer depends on the existence of a contract. HITECH makes business associates directly responsible for compliance with most of the primary HIPAA privacy and data security requirements to the same extent as covered entities. It also gave the Department of Health and Human Services direct regulatory authority over business associates—thus, business associates who violate HIPAA or HITECH requirements may be subject to federal regulatory enforcement actions instead of (or in addition to) private suits for breach of contract.
Even with the direct regulation of business associates now provided by HITECH, covered entities continue to be required to obtain a BAA from each of their business associates. Those BAA forms should now specify that they incorporate the HIPAA data security obligations to be enforceable against the business associate.
The HIPAA requirements that are now directly enforceable against business associates are numerous, but one particularly notable provision is HITECH's data breach notification requirement for protected health information. Nearly all states now have laws requiring organizations to notify people when their personal data may have been accessed in a breach, but there is no similar federal law. HITECH created a nationwide breach notification law that, unlike the state laws, applies only to health information.
HITECH also increased enforcement powers and penalties. It gave state attorneys general the ability to sue over HIPAA violations. At least one has already flexed this newfound enforcement power: Connecticut's Attorney General has sued an insurer that lost a hard drive containing protected health information, as noted in an earlier TechBuzz article, and is considering a second lawsuit against a radiologist who improperly accessed patient information.
Lack of compliance with HITECH and HIPAA can be costly. According to Health and Human Services interpretations, HITECH's revisions to HIPAA now allow enforcement penalties of up to $50,000 per violation and $1.5 million per year—even for unintentional violations. These penalties would be in addition to any costs of breach notification or private lawsuits. Clearly, the hazards to business associates of mishandling medical data have increased substantially, and anyone who handles protected health information should take extra care with that data whether they have entered into a business associate agreement or not.
- Michael Fleming is a member of the Larkin Hoffman Daly & Lindgren Ltd. Intellectual Property, Technology and Internet Practice. James Graves, CISSP, is a J.D. candidate at William Mitchell College of Law and is a law clerk at Larkin Hoffman.