In addition to funds to incentivize the use of Electronic Health Records (EHRs) by physicians, the stimulus bill also contains several provisions that are intended to “beef up” the HIPAA Privacy and Security Rules.  The following is a list of the amendments to HIPAA and a short summary of the difference between each amendment and the “old” version of HIPAA.

1. Business Associates Covered: Under the new HIPAA amendments, Business Associates are required to comply with the administrative, physical, and technical safeguards mandated by the HIPAA Security Rule, as well as the privacy protections of the Privacy Rule.  Additionally, Business Associates will need to have written policies and procedures just like covered entities and will be subject to the same civil and criminal penalties for violations.

Why this is different: Under the previous version of HIPAA, business associates were not technically bound by the law or subject to penalties; their only liability was to the covered entity for breach of contract.  This change has significant implications for any business entity that does business with “covered entities” in a way that involves the use of or access to protected health information.

2. Annual Security Guidance by HHS: HHS is required annually to issue guidance, in consultation with “industry stakeholders”, on the most effective and appropriate technical safeguards for use in carrying out the HIPAA Security Rule requirements.

Why this is different: In the past, HHS maintained that the Security Rule was “technologically neutral” and refused to recommend specific technology for compliance.  One of the reasons for this position was the argument that technology becomes obsolete so quickly that HHS could never keep up with “best practices”.  Specific annual guidance will erase some of the uncertainty associated with compliance, but may require the development of costly new technology.

3. Notifications to Individuals: If a breach occurs, the individual must be notified by mail, by email (if the individual has indicated that preference) or by telephone (if use of the information is imminent).  If a business associate discovers a breach, it must notify the covered entity.  If contact information for the individual is unavailable or outdated, and the breach involved more than 10 people, the covered entity must put a notice on its website or in the media with a toll-free number for information.

Why this is different: The previous HIPAA rule did not require entities to alert an individual whose protected health information was compromised.  There was a requirement to “mitigate harm” which arguably required notification, but the requirement in the amendment is much more direct and specific.

4. Media Notice and Posting to Public Website: For breaches affecting more than 500 individuals, covered entities will be required to give notice to prominent media outlets and alert the Secretary of HHS.  The Secretary of HHS will then post the names of the covered entities on a public website.  Breaches involving fewer than 500 individuals will still need to be reported to the Secretary of HHS in the form of a log of breaches that is maintained continuously and reported annually.

Why this is different: This requirement is new, although complaints did need to be documented and maintained for six years.

5. Regional Privacy Advisors: Individuals will be appointed in each regional office of the Department of Health and Human Services to provide guidance and education.

Why this is different: Currently guidance is provided by the Office of Civil Rights, the entity in charge of enforcing the HIPAA rules.  Although OCR has issued many guidance documents and a frequently asked questions database, it has been difficult for providers to get guidance on scenarios specific to their practice.  Hopefully a regional contact will be more accessible for more personalized guidance.

6. National Education for the Public: The Office of Civil Rights of the Department of Health and Human Services will develop and maintain a “multifaceted national education initiative” on the permissible uses of protected health information and patient rights.

Why this is different: Currently OCR’s site is geared more toward providers than the public.  There is a lot of confusion among the public as to what the HIPAA rules entail and exactly what protections they provide.  Also, it is important that the public be educated on their rights under HIPAA.  Even though these rights are set forth in Privacy Notices that are handed out by covered entities, most people don’t read through these notices (and they are usually not written in a patient-friendly manner, because of the extensive amount of information that is required to be included).  Many members of the public don’t understand their right to access information, get an accounting of disclosures, request restrictions, request amendments, and request confidential communications.

7. Requirement to Agree to Certain Restriction Requests: Requests that information not be disclosed to an insurance company must be honored if the disclosure is not for purposes of treatment and the services at issue have already been paid out of pocket in full.

Why this is different: Previously, patients had a right to request restrictions, but covered entities did not have an obligation to comply with the request.  Disclosures could always be made for treatment, payment and healthcare operations without the patient’s permission.  This provision was likely added to address problems associated with providers giving information to workers’ compensation insurers and similar parties that patients did not want disclosed.

8. Guidance on the Minimum Necessary Rule: The amendment requires the Secretary of HHS to issue guidance on the “minimum necessary” rule.

Why this is different: Currently covered entities have a lot of leeway in determining what is “minimally necessary”, i.e., how much information they can disclose and who in their office needs access.  The guidance will likely be much more restrictive and specific.

9. Accounting of Disclosures for Those With EHR: For covered entities that maintain an electronic health record, the “exception” for treatment, payment and operations disclosures will no longer apply.  If patients request to see an accounting of disclosures, they must be given the previous three years’ information.  The specific information that must be disclosed will be set forth in regulations to be drafted by HHS within 18 months.

Why this is different: As stated above, the regulations previously gave individuals the right to request an “accounting of disclosures”, but there was an exception for treatment, payment and operations activities (because it would be too burdensome to track each disclosure made for these purposes).  Apparently this change is being made because an EHR would simplify the process.  Depending on what the corresponding regulations say, patients will likely be able to see a printout of exactly which office or hospital personnel accessed their medical record and when.

10. Deidentification Required for Certain Uses Related to “Operations”: Regulations will be promulgated to set forth certain circumstances where information must be de-identified before being used for health care operations (e.g., compiling information for quality assurance purposes).

Why this is different: The HIPAA rules currently do not place restrictions such as this on disclosures for “healthcare operations.”

11. Can’t Get Paid for Marketing “Exceptions”: The previous rule contained certain exceptions that did not fall within the definition of “marketing”, including certain communications that were tailored to the patient’s needs and made in the course of treatment.  The new statute still allows for those exceptions, but requires that no remuneration be exchanged for such communications.  There is an exception for business associates who make the communications for a covered entity subject to a contract, and for communications made subject to a HIPAA-compliant authorization.

Why this is different: This closes what some perceived to be a “loophole” in the HIPAA Privacy Rule.  It is still permissible to give patients information face-to-face if it relates to their treatment (e.g., names of medical supply companies), but the covered entity cannot get paid for providing this information (note that any such payments would likely have violated the Anti-kickback statute or the Stark regulations anyway).

12. Fundraising Removed from Definition of “Operations”: Fundraising activities have been removed from the definition of health care operations.

Why this is different: Fundraising for the covered entity was previously considered a permissible use/disclosure of protected health information because it fell under the definition of “healthcare operations”.

13. Extension of Privacy Protection to Vendors of Personal Health Records: Vendors of personal health records will have to report breaches of identifiable health information in much the same way that covered entities are required to.  This also extends to a third-party service provider who provides services to a vendor (similar to what a business associate is to a covered entity).  This section will be enforced by the Federal Trade Commission, and a violation will be considered an “unfair and deceptive act” under the Federal Trade Commission Act.

Why this is different: PHR vendors such as Google Health are not covered entities under HIPAA.  This has been concerning to many privacy advocates, and this change will provide at least some of the protections and accountability of HIPAA.

14. Entities With Access to EHR Are Business Associates: Entities that regularly access a covered entity’s electronic health information will be considered “business associates”.  Examples are a Health Information Exchange Organization, an E-Prescribing Gateway, or a vendor who wishes to supply patients with a PHR.

Why this is different: The previous definition of business associate required entities to be doing something on “behalf” of the covered entity.  This clears up some confusion and provides protection where these entities are accessing protected health information from the covered entity.

15. Increased Enforcement - “Willful Neglect”: A new category of enforcement was added for “willful neglect”, which can be punishable by up to $1,500,000 for multiple violations in a calendar year.

Why this is different: Previously, strict penalties were reserved for people who disclosed information for “personal gain”.

16. Enforcement by State Attorneys General: Allows state Attorneys General to bring civil actions on behalf of residents, up to an amount of $25,000 per year for identical violations ($100 per violation for each individual) plus attorneys’ fees.

Why this is different: This is new and is one more avenue that patients can use to have breaches addressed.

17. Periodic Audits: The Secretary of HHS is now required to conduct periodic audits to ensure compliance.

Why this is different: Previously OCR relied on a “complaint driven” process, although it recently announced that it would audit some hospitals.

18. Harmed Individuals May Share in Civil Monetary Penalties: Within three years there will be a mechanism established by which individuals who were harmed by a disclosure will be able to share in civil monetary penalties collected by HHS.

Why this is different: Previously HIPAA did not provide for a private cause of action or for injured persons to receive any compensation for data breaches (outside of possible state law claims for common law causes of action).