On February 17, 2010, many banks and financial institutions will, for the first time, become directly subject to the privacy and security provisions of the Health Insurance Portability and Accountability Act (“HIPAA”), and to the enforcement powers of the United States Department of Health and Human Services (“HHS”). The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), passed as part of last year’s stimulus bill, extended HIPAA’s privacy and security provisions to business associates of covered entities. Many banks and financial institutions will fall into this category by virtue of their provision of so-called medical lockboxes or medical banking services to healthcare providers or other covered entities under HIPAA that require them to handle personal health information (“PHI”).
The HITECH Act also established strict reporting requirements, allowed for increased enforcement by HHS and state attorneys general, and provided for enhanced civil and criminal penalties and statutory damages for breaches and disclosures of unprotected PHI. A separate provision of the HITECH Act addresses entities that offer services to store individuals’ health information online, and places these “vendors” under the regulatory authority of the FTC. Among other things, the new law’s provisions affecting business associates and covered entities:
- Make clear that all privacy and security provisions of HIPAA and its implementing regulations apply to business associates to the same extent as to covered entities;
- Require that all Business Associate Agreements (“BAAs”) be amended to incorporate HIPAA’s privacy and security rules;
- Impose specific notification requirements in the event of a breach;
- Require covered entities to provide notice to affected individuals within 60 days of discovery of a breach. In any case in which 500 or more persons are affected by a breach, the covered entity must provide notices to HHS and to major local media outlets;
- Require business associates to notify the covered entity of any breach of confidentiality of PHI acquired from that covered entity;
- Subject both covered entities and business associates to enhanced civil penalties, and in some cases criminal penalties, for violation of the security regulations. Civil penalties range from $100 to $50,000 per violation with maximum yearly penalties of up to $1.5 million. Yearly maximums apply, however, only for violations of “identical requirement[s] or prohibition[s],” and in theory could be stacked where there are violations of multiple requirements or prohibitions;
- Eliminate certain affirmative defenses to civil monetary penalties;
- Give state attorneys general new civil enforcement authority to seek injunctions and statutory damages for violations of HIPAA on behalf of citizens of that state. (The first such suit by a state attorney general has reportedly already been filed. According to a report from AHA News Now, on January 20, 2010, the Connecticut Attorney General filed suit against Health Net of Connecticut, for failing to secure the PHI of approximately 446,000 plan members.) Significantly, the HITECH Act leaves in effect state laws allowing for enforcement by private attorneys general, opening the door to greater HIPAA scrutiny and enforcement; and
- Impose stronger controls on the sale of PHI.
Under regulations announced by HHS on August 24, 2009, and effective February 22, 2010, there is a “risk of harm” threshold that triggers the breach notification provisions. HHS guidance also indicates that where PHI is properly encrypted as specified by HHS, notification to affected individuals may not be required because such information would not be “unsecured.”
Regulators Issue Statement on Lending to Creditworthy Small Businesses
On February 5, 2010, the federal banking regulators and the Conference of State Bank Supervisors issued an Interagency Statement on the Credit Needs of Creditworthy Small Business Borrowers. The Statement builds upon principles set forth in the October 2009 Policy Statement on Prudent Commercial Real Estate Loan Workouts. After noting the overall decline in loans to small businesses and the reasons for that decline, the regulators suggested that lenders may have become overly cautious with respect to small business lending. They encourage lenders to engage in prudent small business lending and state that examiners will not criticize lenders for working in a prudent and constructive manner with small businesses.
The decline in small business lending has many reasons, not the least of which is that loan demand is actually down. Lenders are also naturally cautious of lending to those businesses that are reliant solely on cash flow that has slowed due to the slowdown in consumer spending and the decline in the personal wealth of the owners of the businesses. Despite the assertions to the contrary by the regulators, lenders are concerned that there is a disconnect between statements from Washington, DC and what actually happens in the field when examiners are onsite at financial institutions. Our experience seems to show that local federal regulators do not see any upside in being flexible when faced with making decisions about how to rate credits. Lenders are therefore naturally reluctant to make decisions based on guidance until they see it actually implemented on the ground.