A New HIPAA Era Emerges
Written by Kirk J. Nahra
Wiley Rein LLP
Sponsored by Zix Corporation
June 2009
A New HIPAA Era Emerges
(Executive Summary)
Written by Kirk J. Nahra
Sponsored by Zix Corporation
June 2009
The health care industry and its business partners face significant challenges over the next year
to meet the compliance requirements of the new federal health care privacy and security law. In
fact, this legislation now imposes the most significant set of new health care privacy and security
obligations since the initial adoption of the HIPAA Privacy Rule. These changes provide
substantial new authority for enforcement and significant additional penalties for HIPAA
violations, extend the effective reach of HIPAA coverage to business associates, change certain
use and disclosure rules, and create additional individual rights. They also will force companies
to re-evaluate their overall privacy compliance programs and implement more effective
information security practices, including encryption wherever possible.
Health care companies across the board and all of the companies that provide services to the
health care industry must pay close attention to these new rules, and must begin developing
strategies to meet these requirements and deal with a substantially stronger enforcement
environment.
Major Challenges
This legislation creates an entirely new environment for health care privacy and security.
Enforcement will be more significant and more substantial. Security breaches, even those
without any discernible risk of harm, will be more broadly publicized across the country. And
companies face a variety of new requirements that will affect their day-to-day operations. Four
challenges stand out from the rest:
Improving Security and Expanding Use of Encryption
Because of the breadth of the new security breach notification provision and the ongoing
pressure for effective security in the health care industry, all entities participating in the
healthcare industry, whether as HIPAA covered entities or business associates, must be
re-evaluating their overall security compliance program. This requires an effective understanding
of current security developments and an ongoing assessment of best practices. In addition,
because the notification provision applies only to breaches involving unsecured information,
companies should be evaluating an expansion of their current encryption capabilities to protect
not only against realistic breaches but also to avoid new and expensive obligations under these
reporting provisions.
Developing a Business Associate Contracting Strategy
The legislation dictates that all business associate agreements be amended to incorporate the new
requirements imposed by the legislation. Because of the volume of business associate contracts
in the health care industry, this is an enormous task. With the required addition of certain terms,
health care companies essentially must revisit and renegotiate their overall business associate
portfolio. Accordingly, it will be critical to promptly develop an overall strategy for revising
existing and establishing new business associate arrangements. In addition, business associates
themselves, the service providers to the health care industry, now for the first time face direct
compliance obligations under these rules.
Upgrading Overall Compliance
There are significant new requirements in this legislation. More importantly, however, we can
expect a significantly enhanced enforcement environment. Accordingly, health care companies
and their business associates need to focus attention on overall compliance because the
enforcement risks, if something goes wrong, are now much greater. Companies should be
re-evaluating their HIPAA privacy and security plans, focusing on high risk areas and other areas
where companies (including peers and competitors) have had problems. It may be critical to
look beyond a particular company's own activities to understand more broadly how particular
issues are being handled across the healthcare industry.
Developing a Broader Breach Notification Plan
Similarly, virtually all health care companies and their business partners have breaches that
will trigger notification under these new provisions. Many of these breaches cause no harm
and present no risk of harm. Under today's HIPAA rules, a covered entity is required to take
steps to mitigate potential harm, and evaluate whether changes need to be made to prevent future
problems, but often nothing significant is done in response to many minor breach events. Now
these breaches will require notification to patients, customers, the government and perhaps the
media. This places a much higher priority not only on effective security strategies to prevent
breaches, but also on an effective breach notification and mitigation plan.
Email remains the only viable method of electronic communication in the healthcare industry.
Email is the backbone of electronic information exchange and represents the only efficient
alternative when attempting to share information. The insecure nature of email combined with
its inherent high volume of traffic makes it a particularly susceptible area for HIPAA-related
exposures. Zix Corporation is the leader in email encryption services. ZixCorp's email
encryption service allows healthcare organizations to detect sensitive information in email and
encrypt in accordance with the most recent changes to HIPAA.
© 2009 Wiley Rein LLP | Washington, DC | Northern Virginia | www.wileyrein.com
A New HIPAA Era Emerges
By Kirk J. Nahra
June 2009
The health care industry and its business partners face significant challenges over the next year
to meet the compliance requirements of the new federal health care privacy and security law. In
fact, this legislation now imposes the most significant set of new privacy and security changes
for the health care industry and its business partners since the initial adoption of the HIPAA
Privacy Rule in 1996. These changes provide substantial new authority for enforcement and
significant additional penalties for HIPAA violations, extend the effective reach of HIPAA
coverage to business associates, change certain use and disclosure rules and create additional
individual rights. They also will force companies to re-evaluate their overall privacy compliance
programs and implement more effective information security practices, including encryption
wherever possible.
Health care companies across the board and all of the companies that provide services to the
health care industry must pay close attention to these new rules, and must begin developing
strategies to meet these requirements and deal with a substantially stronger enforcement
environment.
1. HIPAA Background
These new legislative provisions flow from the economic recovery legislation. Much like the
original HIPAA Privacy Rule (which developed as an offshoot of Congress's goal in the 1996
Health Insurance Portability and Accountability Act effort to standardize electronic health care
transactions), these new privacy and security provisions derive from the implications of an
indirectly related goal: the desire to broaden the use of electronic medical records.
As part of the American Recovery and Reinvestment Act of 2009, Congress has created a wide
range of new incentives for health care providers to develop and utilize electronic medical
records. While there had been a substantial debate about whether such incentives (or the use of
electronic medical records in general) required changes to the HIPAA privacy and security rules,
that debate has now ended. Through the HITECH statute incorporated into this legislation,
Congress has initiated a broad ranging set of changes for the health care privacy and security
environment through this stimulus program for the health care industry.
2. The Primary Requirements of this New Legislation
Enforcement Strengthened
It was widely anticipated that the Obama Administration would be more aggressive about
HIPAA privacy and security enforcement than its predecessor. Independent of this inclination,
the new HITECH legislation creates substantial new tools for aggressive enforcement of the
HIPAA rules. Over the course of the next few years, we can expect these changes to produce a
fundamental shift in the overall enforcement of the HIPAA Privacy and Security Rules.
First, the legislation increases substantially the penalties that may be imposed for violations of
the rules, from the current high of $25,000 to as much as $1.5 million per violation. Fines are
mandatory in situations involving willful neglect.
Second, state Attorneys General now have clear and explicit authority to enforce the HIPAA
rules. While state AGs have initiated HIPAA-related actions in the past, relying on their inherent
authority to act to protect citizens of a state, this new provision essentially creates a parallel
enforcement environment for violations. On the one hand, this enforcement is limited in
meaningful ways, mainly in terms of amounts that can be sought by the state AGs. On the other
hand, however, this approach creates realistic risks of differing standards and inconsistent action
from state to state. Moreover, while the HHS Office of Civil Rights is severely constrained by
the detailed procedures of the HIPAA enforcement rule, it is not at all clear that the State AGs
are bound by these procedural protections.
Third, correcting what many saw as an oversight in the current HIPAA provisions, the legislation
now permits enforcement actions against individuals employed by health care entities. Even
though the Department of Justice has pursued a limited number of criminal cases against
individual employees (mainly where identity theft, health care fraud or some other serious
criminal activity is combined with a HIPAA violation), the new legislation creates broader and
more explicit authority for enforcement against individuals.
For all health care entities and their business partners, there are increased overall risks from
enforcement of these rules. The enforcement changes from the HHS Office of Civil Rights are
likely to be incremental, but we can expect a substantially larger number of enforcement actions.
Also, for many companies, enforcement risks from state Attorneys General are likely to be
significant. For employees, who now face clear risks, health care companies may find additional
opportunities for training and expanded ability to stress to employees the importance of
following the overall privacy and security rules.
Security Breach Notification
At the same time that enforcement actions are given new strength, the legislation also creates a
new federal security breach notification requirement for the health care industry, with the
requirement that most breaches be reported not only to affected consumers but also to the
government, and even to the media in some situations.
This new breach reporting requirement becomes the first significant national security breach
reporting statute. It is much broader than virtually all of the state notification laws. This
provision creates a new notification standard for the health care industry, whether the breach
has anything to do with an electronic health record or not. While there clearly are open questions
about details of the legislation, this provision is broader than most relevant state notification laws
(1) because it applies to breaches involving any kind of personal information held by health care
companies (rather than only specific categories such as Social Security Numbers), and (2) does
not include any risk of harm threshold. Therefore, this provision will require reporting of a
wide range of security breaches, regardless of the sensitivity of the information involved or the
degree of risk that harm will result from the breach.
There is a significant exception to this breach requirement: the breach notification obligations
apply only where information is unsecured. The term "unsecured protected health
information" in the new notice provisions means protected health information that is not
secured through the use of a technology or methodology specified by the Secretary and
protected health information that is not secured by a technology standard that renders protected
health information unusable, unreadable, or indecipherable to unauthorized individuals and is
developed or endorsed by a standards developing organization that is accredited by the American
National Standards Institute. Presumably, this will include current encryption standards, and
will encourage a broader use of encryption in the health care industry. It also will include any
alternative approaches identified either by the HHS Secretary or through the other standard
setting processes identified by the law.
For the health care industry at large, this breach notification requirement may be the single most
significant new requirement of this legislation, and the one that is likely to affect a large
number of companies most quickly and publicly. Because the notice requirement applies only to
unsecured information, this legislation also may accelerate the movement towards encryption
of a wider range of health care data. Companies will want to move quickly to consider whether
to adopt a broader approach to the encryption of health care data, to reduce exposure under this
notification requirement.
This provision will be applicable for breaches that occur thirty days or more after the
implementing regulation is issued, with the regulation required to be issued within 180 days of
passage of the law (likely in September 2009). So, this requirement will take effect before most
of the other provisions of the legislation, which will not become effective until February 2010.
Extension of HIPAA Requirements to Business Associates
Another requirement that will generate enormous challenges for the health care industry and
their business partners arises from a series of provisions that essentially extend compliance
responsibility for the HIPAA Privacy and Security Rules to the business associate category, the
companies that provide services to the health care industry. Today, these vendors must sign a
contract with their health care client that extends certain HIPAA provisions by contract to the
business associate. The new provisions will obligate these business associates by law to follow
the HIPAA provisions, rather than just follow the terms of the contract. This requirement is not
limited to electronic health records. It clearly extends HIPAA coverage to most business
associates, whether they have anything to do with electronic health records or not.
Accordingly, coupled with the new enforcement provisions, the risks for business associates are
now magnified substantially. For health care covered entities, these rules also create a
large-scale obligation: the need to revise all existing business associate contracts to incorporate these
new requirements. Health care companies should promptly begin to develop model language
and an approach to overall modification of thousands of business associate contracts.
There are varying impacts from these provisions. Obviously, many companies in the health care
industry can be both covered entities and business associates. The new law appears to require
changes to existing business associates contracts to meet these new requirements, even if it is not
clear exactly what provisions need to be identified. It will be critical to develop an overall
contracting strategy, both for existing business associates contracts and for the situations where
the company is the business associate. This needs to include an identification of provisions that
must be amended as well as an evaluation of whether there are other provisions (such as the
security breach notification provisions) that justify new language even if there is no requirement
for this language.
For business associates, the challenge is even more dramatic. In addition to the requirement to
revise business associate contracts, business associates will now need to develop and implement
full-scale HIPAA compliance programs, for both privacy and security. The HIPAA Security
Rule will present particular compliance challenges for most business associates.
3. What Else Changes Under This New Legislation?
Beyond these primary challenges, which represent the most significant effects of the HITECH
legislation on the health care industry and its business partners, there are a variety of other
provisions that require new compliance efforts and that may present significant challenges in
some circumstances. It will be critical for every company involved in the health care industry to
review the full set of HITECH provisions and to develop a compliance program that effectively
incorporates all relevant new requirements. If these provisions are relevant to your company,
you will need to review the specific details of these requirements.
The Accounting and Access Rules
While most of the new HITECH provisions are not limited to electronic health records, there are
two specific components that are limited to situations in which an electronic health record is
used. The legislation expands both the HIPAA accounting rule and the HIPAA access rule, to
create new obligations when electronic health records are used.
Marketing Provisions
The legislation also cuts back on the scope of permitted marketing communications, by creating
a requirement for individual authorizations if a covered entity receives direct or indirect
payment for making a marketing communication.
Restrictions on Sharing Health Care Information for Self-Pay Situations
Another new provision permits individuals to request of their health care provider that the
provider not disclose information to an insurer for payment or health care operations purposes, if
the patient has paid for the service out of pocket.
Limited Data Sets and Minimum Necessary
The legislation (1) mandates that HIPAA covered entities examine, to the extent practicable,
whether a limited data set can be used for the disclosure of health care information and, (2) where
a limited data set is not appropriate, mandates that the covered entity must follow the minimum
necessary rule, essentially requiring companies to re-evaluate their existing minimum necessary
policies. The legislation also requires HHS to initiate rulemaking in the future, including
an evaluation of whether there is a category of disclosures where a limited data set should be
required for a disclosure to be permitted without an authorization, and of the particular
information that is the minimum necessary in specific situations.
Personal Health Records Issues
The legislation avoids one of the key HIPAA gaps that has emerged in the health care field in
recent years: the role under HIPAA of personal health records and the vendors that offer
personal health records products, most of whom are outside the current HIPAA structure because
these records typically are offered directly to consumers. Rather than creating specific rules for
these entities, Congress has dictated a study of personal health records issues going forward, to
identify appropriate rules. It also created a temporary security breach notification standard for
these entities.
State Law and Privileges
The legislation does nothing to alter the current preemption status of the HIPAA Rules.
Essentially, state laws will continue to govern if they are more stringent than the relevant
HIPAA provision.
Effective Dates
Most of the provisions of this legislation take effect 12 months following enactment (in February
2010); however, the increased penalties for HIPAA violations essentially are effective with the
enactment of the statute, for violations occurring after February 2009. There also are various
requirements for the issuance of new regulations on specified time tables, often with separate
effective dates depending on when a regulation is issued. The breach notification provision is
effective for breaches that take place thirty days or more after the issuance of the HHS
implementing rule, which is required to be issued within 180 days of passage of the legislation
(likely in September 2009).
4. Major Challenges
This legislation creates an entirely new environment for health care privacy and security.
Enforcement will be more significant and more substantial. Security breaches, even those
without any discernible risk of harm, will be more broadly publicized across the country. And
companies face a variety of new requirements that will affect their day-to-day operations. Four
challenges stand out from the rest.
Improving Security and Expanding Use of Encryption
Because of the breadth of the new security breach notification provision and the ongoing
pressure for effective security in the health care industry, all entities participating in the
healthcare industry, whether HIPAA covered entities or business associates, must be
re-evaluating their overall security compliance program. This requires an effective understanding
of current security developments and an ongoing assessment of best practices. In addition,
because the notification provision applies only to breaches involving unsecured information,
companies should be evaluating an expansion of their current encryption capabilities to protect
not only against realistic breaches but also to avoid new and expensive obligations under these
reporting provisions.
Developing a Business Associate Contracting Strategy
Without any articulated rationale, the legislation appears to require that all business associate
agreements be amended to incorporate the new requirements imposed by the legislation. As
those who went through the 2003 business associate contracting process may remember, this was
an enormous task, where volume concerns often predominated over substance. Here, with the
required addition of certain terms, health care companies essentially must revisit and renegotiate
their overall business associate portfolio. Accordingly, it will be critical to promptly develop an
overall strategy for revising existing and establishing new business associate arrangements.
Upgrading Overall Compliance
The next challenge is more contextual. There are significant new requirements in this
legislation. More importantly, however, we can expect a significantly enhanced enforcement
environment. Accordingly, health care companies and their business associates need to focus
attention on overall compliance because the enforcement risks, if something goes wrong, are
now much greater. Companies should be re-evaluating their HIPAA privacy and security plans,
focusing on high risk areas and other areas where companies (including peers and competitors)
have had problems. It may be critical to look beyond a particular company's own activities to
understand more broadly how particular issues are being handled across the healthcare industry.
Developing a Broader Breach Notification Plan
Similarly, virtually all health care companies have breaches that will trigger notification under
these new provisions. Many of these breaches cause no harm and present no risk of harm.
Under today's HIPAA rules, a covered entity is required to take steps to mitigate potential harm,
and evaluate whether changes need to be made to prevent future problems, but often nothing
significant is done in response to many minor breach events. Now, these breaches will require
notification to members, customers, the government and perhaps the media. This places a
much higher priority not only on effective security strategies to prevent breaches, but also on an
effective breach notification and mitigation plan.
Conclusions
The new legislation is only a first step, and lots of questions still remain unanswered, but it is
clear that these new provisions have significantly altered the overall health care privacy and
security environment. Health care companies and their business partners need to begin studying
these provisions promptly, and developing appropriate strategies to ensure compliance and
mitigate the growing risk of security and privacy enforcement. Health care companies can
expect to be a high profile target of both complaints and enforcement investigations as soon as
these rules go into effect.
* * * * * * *
Kirk J. Nahra is a partner with Wiley Rein LLP in Washington, DC, where he specializes in
privacy and information security litigation and counseling. He is chair of the firm's Privacy
Practice, serves on the IAPP Board of Directors, and is the editor of Privacy Advisor. He is also
the Chair of the American Health Information Community's Confidentiality, Privacy and
Security Workgroup. For questions on any aspect of the new health care privacy and security
legislation, or for assistance in understanding and meeting its requirements, please contact him at
202.719.7335 or knahra@wileyrein.com.