Among tax cuts and credits, more bailout fund requirements, and restrictions on executive pay packages, the American Recovery and Reinvestment Act of 2009 (ARRA) also includes a section that expands the reach of the Health Insurance Portability and Accountability Act (HIPAA) and introduces the first federally mandated data breach notification requirement.
Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), reserves $22 billion to "advance the use of health information technology" -- in large part so the U.S. will be able to move to e-health records by President Obama's 2014 deadline.
It also expands the reach of HIPAA data privacy and security requirements to include the "business associates" of those entities (health care providers, pharmacies, and the like) that are subject to HIPAA. Business associates, according to Goodwin Procter attorney Jacqueline Klosek, are companies like accounting firms, billing agencies, law firms or others that provide services to the entities covered under HIPAA.
Under the HITECH Act, those companies are now directly subject to HIPAA security and privacy requirements, as well as to the same civil and criminal penalties that hospitals, pharmacies and other HIPAA-covered entities face for violations. Before HITECH came into force, Klosek explains, business associates that failed to properly protect patient information were liable to the covered entities via their service contracts, but they did not face governmental penalties.
Kelly Hagan, a shareholder in the law firm of Schwabe, Williamson and Wyatt, says the most significant (and least publicized, in his opinion) changes in the HITECH Act are those that strengthen HIPAA enforcement measures. In particular, Hagan points to subsection 13410(c), which requires civil penalties that are collected under the HITECH Act to be funneled back into the Department of Health and Human Services' Office of Civil Rights enforcement budget.
He says the situation now is reminiscent of the creation of the Fraud and Abuse Control Account: "It was remarkable when they put the Fraud and Abuse Control Account in place and started funneling the monetary penalties back into the enforcement agency's budget how quickly that became a priority. If history repeats itself, what that suggests is that the OCR's traditional approach to enforcement, which has been complaint-driven and compliance-oriented, is going to ... become more proactive, more punitive."
Moreover, monetary penalties are mandatory for violations involving "willful neglect" as of Feb. 17, 2011. At that point, "all of a sudden HIPAA compliance becomes a fact of life instead of a paper tiger," Hagan says.
If that's not enough, Proskauer Rose associate Sara Krauss observes yet another enhancement: The HITECH Act provides for the Department of Justice to pursue criminal penalties for a violation that rises to the level of criminal activity. However, in the event that DOJ declines to act on a violation, the HITECH Act allows OCR to pursue civil penalties for that same violation.