The Economic Stimulus Law’s Impacts on HIPAA

August 28, 2009

When Congress approved the economic stimulus package, known as the American Recovery and Reinvestment Act of 2009 (“Stimulus Act”), earlier this year, the Stimulus Act incorporated the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).  The HITECH Act amends HIPAA in ways that affect what is required for entities to comply with HIPAA’s privacy and security rules.  While not as headline-breaking as other aspects of the Stimulus Act, entities covered by HIPAA and their business associates (collectively, “HIPAA Entities”) should be informed of these updates in order to remain in compliance and to prevent HIPAA violations.  If HIPAA Entities are unaware of the changes, they risk subjecting themselves to penalties which have increased under the HITECH Act.  The following highlights some of the most significant effects on HIPAA compliance resulting from the Stimulus Act.

Expanded Applicability

The HITECH Act expands the scope of those subject to HIPAA’s privacy and security rules.  Previously, business associates (those entities which provide services to HIPAA covered entities involving the use and disclosure of individually identifiable health information, such as billing and claims processing companies) were not directly subject to HIPAA’s requirements.  Instead, business associates were only required to comply with provisions of a written business associate agreement, which is an agreement that covered entities are responsible for having in place with each of their business associates.  Under the HITECH Act, business associates must now directly comply with HIPAA’s privacy and security rules and are subject to civil and criminal penalties for violations of those rules.

Breach Notification

The most significant new requirement imposed by the HITECH Act is for HIPAA Entities to provide notification of privacy breaches of unsecured protected health information (“PHI”).  The HITECH Act defines “unsecured” PHI as PHI “that is not secured through the use of a technology or methodology specified by the Secretary” of the U.S. Department of Health and Human Services (“HHS”).  Previously, HIPAA did not mandate that a breach of privacy or security of unsecured PHI required the entity responsible for the breach to take substantial action (although many states, including New Hampshire, have laws requiring notification of individuals and public officials of security breaches of personal information).  Now, when a covered entity discovers a breach, it is required to notify the individual affected by the breach within 60 days from the discovery.  Likewise, business associates are required to notify covered entities of breaches.  If a major breach of privacy has occurred—one affecting over 500 individuals in a state—covered entities must notify a prominent media outlet and must immediately notify HHS.

Enforcement and Penalties

Civil penalties for violations of HIPAA have increased significantly under the HITECH Act.  Prior to the Stimulus Act, enforcement by HHS of HIPAA’s requirements was somewhat rare, most likely as a result of a lack of resources devoted to enforcement.  Now, with an increase of penalties and broader methods of enforcement, including enforcement authority by state attorneys general, enforcement is expected to increase.  The HITECH Act has established tiers of civil penalties based on varying states of mind underlying the violations.  Penalties vary from $100 per violation for an unknowing violation to a maximum of $1,500,000 for uncorrected willful violations.

Fortunately, help with compliance is available for HIPAA Entities.  In April, HHS published proposed guidance that provides methodologies and technologies to render PHI unusable and unreadable for unauthorized users.  The two methods specified in the guidance are encryption and destruction, although HHS still encourages HIPAA Entities to de-identify PHI so it neither identifies nor provides a reasonable basis to identify an individual.  HIPAA Entities are not required to follow the guidance, but if they do, it will provide them with a safe harbor from complying with the breach notification requirements.  Despite this safe harbor, HIPAA Entities will still be required to comply with any other federal or state obligations following a breach of personal information.  The HHS guidance will apply to breaches occurring on or after September 17, 2009.

Kara Dowal is an Attorney in the Corporate Department of McLane, Graf, Raulerson & Middleton, Professional Association.  Kara can be reached at 603-628-1178 or  The McLane Law Firm is the largest law firm in the State of New Hampshire, with offices in Concord, Manchester, Portsmouth, as well as Woburn, Massachusetts.