BankBryanCave

On February 17, 2010, many banks and financial institutions will, for the first time, become directly subject to the privacy and security provisions of the Health Insurance Portability and Accountability Act (“HIPAA”), and to the enforcement powers of the United States Department of Health and Human Services (“HHS”).  The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), passed as part of last year’s stimulus bill, extended HIPAA’s privacy and security provisions to business associates of covered entities.  Many banks and financial institutions will fall into this category by virtue of their provision of so-called medical lockboxes or medical banking services to healthcare providers or other covered entities under HIPAA that require them to handle personal health information (“PHI”).

The HITECH Act also established strict reporting requirements, allowed for increased enforcement by HHS and state attorneys general, and provided for enhanced civil and criminal penalties and statutory damages for breaches and disclosures of unprotected PHI.  A separate provision of the HITECH Act addresses entities that offer services to store individuals’ health information online, and places these “vendors” under the regulatory authority of the FTC.  Among other things, the new law’s provisions affecting business associates and covered entities:

1. Make clear that all privacy and security provisions of HIPAA and its implementing regulations apply to business associates to the same extent as to covered entities;
2. Require that all Business Associate Agreements (“BAAs”) be amended to incorporate HIPAA’s privacy and security rules;
3. Impose specific notification requirements in the event of a breach;
4. Require covered entities to provide notice to affected individuals within 60 days of discovery of a breach. In any case in which 500 or more person are affected by a breach, the covered entity must provide notices to HHS and to major local media outlets;
5. Require business associates to notify the covered entity of any breach of confidentiality of PHI acquired from that covered entity;
6. Subject both covered entities and business associates to enhanced civil penalties, and in some cases criminal penalties, for violation of the security regulations.  Civil penalties range from $100 to $50,000 per violation with maximum yearly penalties of up to $1.5 million.  Yearly maximums apply, however, only for violations of “identical requirement[s] or prohibition[s],” and in theory could be stacked where there are violations of multiple requirements or prohibitions;
7. Eliminates certain affirmative defenses to civil monetary penalties;
8. Give state attorneys general new civil enforcement authority to seek injunctions and statutory damages for violations of HIPAA on behalf of citizens of that state.  (The first such suit by a state attorney general has reportedly already been filed.  According to a report from AHA News Now, on January 20, 2010, the Connecticut Attorney General filed suit against Health Net of Connecticut, for failing to secure the PHI of approximately 446,000 plan members.) Significantly, the HITECH Act leaves in effect state laws allowing for enforcement by private attorneys general, opening the door to greater HIPAA scrutiny and enforcement;  and
9. Imposes stronger controls on the sale of PHI.

Under regulations announced by HHS on August 24, 2009, and effective February 22, 2010, there is a “risk of harm” threshold that triggers the breach notification provisions.  HHS guidance also indicates that where PHI is properly encrypted as specified by HHS, notification to affected individuals may not be required because such information would not be “unsecured.”

Read More »