Federal stimulus law beefs up HIPAA penalties, extends compliance requirements to ‘business associates’

Seymour M. Nayer

With the signing of the American Recovery and Reinvestment Act (“ARRA”) into law on Feb. 17, 2009 by President Barack Obama, the federal government created new compliance responsibilities under the Health Insurance Portability and Accountability Act (HIPAA) that every healthcare provider and its “business associates” need to understand.

The ARRA has substantially toughened HIPAA, which was enacted in 1996. To implement HIPAA, the Department of Health and Human Services (“HHS”) issued its Privacy Rule in December 2000 (with modifications in August 2002) and its Security Rule in February 2003. This article highlights some of the new compliance responsibilities.

As originally enacted, HIPAA and its Privacy and Security Rules fell most heavily on “covered entities” – essentially meaning any health plan, healthcare clearinghouse or healthcare provider transmitting individually identifiable health information in electronic form. Such entities were subject to stringent requirements involving privacy policies, data safeguards, and workforce training and management. This continues to be the case after enactment of the ARRA.

The HIPAA Privacy and Security Rules also applied to “business associates” of covered entities, but in a less dramatic way. Business associates – entities that perform functions for or furnish services to a covered entity involving the use of individually identifiable health information – had to agree, by contract with the covered entity receiving their services, to impose safeguards on their use of such information. The obligation ran through the contract, not directly under the Rules.

The ARRA’s HIPAA amendments now impose many of the core requirements of the Privacy and Security Rules directly upon business associates, and not merely on covered entities. This will require business associates to appoint security officials, develop written policies and procedures and train their workforces in the handling of protected health information. Existing contracts between business associates and covered entities will have to be revised.

In short, business associates of covered entities such as health plans and healthcare providers have entered a new and more rigorous compliance era.

The ARRA also significantly strengthened the civil monetary penalties available to the government for HIPAA violations. Before the changes, the penalty was typically $100 for each violation. The ARRA introduced tiered penalties based on the violator’s culpability: up to $1,000 per violation due to “reasonable cause and not to willful neglect” (with a maximum penalty of $100,000); up to $10,000 for each violation due to willful neglect that is corrected (subject to a $250,000 maximum); and up to $50,000 for each violation due to willful neglect that is not corrected (subject to a maximum penalty of $1.5 million). Each maximum applies to violations of an identical requirement during a calendar year. These penalty enhancements are effective immediately.

Two more compliance items deserve mention. First, HHS is now required to conduct periodic audits to ensure that both business associates and covered entities are in compliance. Second, state attorneys general may now bring HIPAA enforcement actions against a covered entity or business associate that violates the HIPAA Privacy or Security Rules. Attorneys’ fees may be awarded against the violator in such proceedings.

The ARRA has added other requirements as well. Plunkett Cooney attorneys are available to help you with all HIPAA compliance needs, including the revision of contracts between covered entities and business associates, and the significant new compliance responsibilities of business associates.

Following are links to the complete healthcare provisions in the new economic stimulus legislation:

HIPAA Privacy and Security Provisions
American Recovery and Reinvestment Act of 2009, Division A, Title XIII, Subtitle D (Privacy)

Health Information Technology and Quality Provision
American Recovery and Reinvestment Act of 2009, Division A, Title XXX, Subtitle A (Health Information Technology)

Comparative Effectiveness Research Provision
American Recovery and Reinvestment Act of 2009, Division A, Title VIII (Agency for Healthcare Research and Quality)