If you are trying to recover from the whiplash of keeping up with legislative and regulatory trends in this economic downturn, do not turn your attention to the area of information security. Massachusetts has just delayed implementation of its stringent information security standards again, purportedly because of the economic downturn, just as the federal American Recovery and Reinvestment Act of 2009 imposed massive new information security burdens on all participants in the healthcare economy, in response, of course, to the economic downturn. One imagines the bewigged gentlepeople of Massachusetts pausing in their debate on the niceties of their information security rules to turn their eyes upward from their cobblestone streets and watch the Godzilla of the federal stimulus package consume the entire issue for a large chunk of the US economy.
1. Massachusetts Backs Off…
Massachusetts keeps backing off from the effective dates and some of the requirements of its information security standards in order to get more buy-in from the business community, but may not achieve that goal even now. The initial effective date of its information security regulations (201 CMR 17.00) was pushed back some months ago by the Office of Consumer Affairs and Business Regulation from January 1, 2009 to May 1, 2009 for most of the regulations. Now, as announced by the Office on February 12, 2009, businesses that hold personal information of Massachusetts residents (namely, a name in combination with a Social Security number, credit card number or bank account number) will have until January 1, 2010 before they must comply with the new regulations, which require, among other things, encryption of personal information transmitted wirelessly and encryption of personal information stored on portable devices such as laptops, flash drives and PDAs.
Besides delaying the effective date, the Massachusetts regulations have been revised to remove the requirements that third party service providers with access to personal information certify in writing that they have a written information security program complying with the Massachusetts regulations and contractually commit to maintain those standards. The revisions also modify, in ways that are proving confusing, the former requirement that a business take reasonable steps to ensure that its third party service providers are capable of maintaining those safeguards for personal information. Now such third party service providers must have the capacity to protect personal information in accordance with the Massachusetts regulations, and the owner of the personal information must take “all” reasonable steps to ensure that the service provider is applying safeguards at least as stringent as those imposed by the rules. A spokesperson for the Commonwealth indicates that the change was designed to make the standards more flexible for businesses of different sizes and risk profiles, but many believe that the courts may not see it that way.
Lastly, it appears that the regulations were corrected so that the former requirement to encrypt all data transmitted wirelessly now applies only to data containing personal information as defined by the regulations. Even with the revisions, small businesses will likely find it very difficult to fully comply with these highly detailed and demanding regulations.
Please review our earlier article on the initial release of the Massachusetts regulations for more information on their requirements.
2. …As the Feds Barrel In: Information Security and HIPAA Provisions of the American Recovery and Reinvestment Act of 2009
As it did with the promulgation of rules under the “Administrative Simplification” provisions of HIPAA, the desire to save administrative costs in health care through electronic processes has resulted in major new information security and privacy protections in the American Recovery and Reinvestment Act of 2009 (“ARRA”).
Regulation of Business Associates
ARRA’s most wide-ranging impact in the information security area is its application to all business associates of the core requirements of HIPAA’s Security Rule - the technical, administrative and physical safeguards and the policies and documentation requirements - that previously applied only to covered health care providers, health plans and clearinghouses. This provision effectively spreads specific HIPAA security requirements, rather than the vague requirements that until now governed business associates, throughout the healthcare economy. Moreover, the impact of this expansion may be greatly magnified by a requirement that the Secretary of DHHS issue annual guidance on technical safeguards.
The requirements for covered entities under HIPAA’s Privacy Rule, on the other hand, are not made applicable to business associates. However, both the privacy and security requirements of ARRA detailed below are made applicable to business associates as well as covered entities, and business associate agreements are required to be modified to include all such requirements. We have already begun to see jokes about whether the requirement to contract for provisions that now apply as a matter of law is itself a form of economic stimulus; in any case, it is worth remembering that the primary reason for the creation of business associates and business associate agreements was the limited jurisdiction of the HIPAA Administrative Simplification provisions, which reach only the three types of covered entities, and the consequent need to reach the many other participants in health care that the statute could not reach directly by requiring covered entities to contract with those participants. Now that ARRA extends statutory authority to cover all business associates, one can only hope for regulatory relief from the obligation to impose the same requirements by contract.
Application of HIPAA Enforcement Penalties to Business Associates
Of equally broad impact is the expansion to all business associates of the civil and criminal penalties previously applicable to covered entities. Although the apparent intent of this expansion is to subject business associates to enforcement “in the same manner as” covered entities, the standards being enforced will be the same only for security issues; on privacy issues, the same civil and criminal penalties will apply to business associates as to covered entities, but the rules being enforced against business associates will remain much broader and vaguer than the rules for covered entities.
Breach Notification Procedures for Business Associates and Covered Entities
ARRA requires a covered entity which discovers a breach of unsecured protected health information to notify each individual whose information has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach. A business associate must notify the covered entity upon discovery of a breach of unsecured protected health information.
The ways in which these provisions interact with the forty-five (45) state breach notification laws will no doubt receive a great deal of analysis in the coming months. It is important, however, to note that currently only six (6) of those state laws cover breaches involving only paper rather than electronic information, and all of them require notices only when a combination of elements deemed to create a risk of identity theft - such as name, address and social security number - is disclosed.
The remarkable effect of the choice of ARRA’s drafters to make breaches of unsecured protected health information (which can be generally described as any information that identifies a person and has been created or received by a covered entity) notice-triggering appears to be that not only breaches of paper-based information but breaches of information through the spoken word are potentially notice-triggering. Requiring breach notification when conversations inadvertently disclose individual-identifying information is, needless to say, a major departure from all previous law in the area of security breaches. As noted below, HIPAA’s provisions related to the preemption of state laws continue to apply. However, in practice it may be difficult to determine whether certain ARRA breach standards are “more stringent than” state laws because of the entirely different analysis prescribed in the new federal provisions and in all of the state provisions.
The notification provisions are limited by ARRA’s definition of “breach,” and “unsecured protected health information.” “Breach” is the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. A breach does not include situations where a person would not reasonably be able to retain the information, or a variety of unintentional acquisitions or disclosures generally limited to access within the covered entity or business associate. As such, certain disclosures of protected health information do not trigger notification requirements.
Similarly, the notification provisions apply only to “unsecured” protected health information, defined as information that is not secured through the use of a technology or methodology specified by the Secretary. Within 60 days after enactment of ARRA the Secretary is to issue guidance on the technologies and methodologies that render information “secured.” If the Secretary does not issue guidance within that timeframe, the acceptable standards will include those that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals and are developed or endorsed by a standards developing organization accredited by the American National Standards Institute.
Notice of the breach must be made within 60 days of discovery and provided by mail, e-mail (if specified as a preference by the individual), phone (if imminent misuse is expected) and/or notice on websites or in the media (where contact information is insufficient). Notice must also be provided to the Secretary and to “prominent” media outlets serving a particular area if more than 500 individuals in that area were affected. Breaches affecting fewer than 500 individuals must be recorded in a log that is submitted annually to the Secretary. Notably, the covered entity or business associate has the burden of demonstrating that all required notifications were made, including evidence demonstrating the necessity of any delay. Additionally, the notice may be delayed if a law enforcement official determines that the notice would impede a criminal investigation.
The Secretary is to issue interim final regulations within 180 days of the enactment of ARRA. The breach notification requirements will apply to breaches that are discovered on or after 30 days following the publication of the interim final regulations. Therefore, these breach notification requirements will be effective no later than September 15, 2009 (210 days after February 17, 2009).
“Minimum Necessary” Provisions
The Bill adds that a covered entity may be treated as meeting the “minimum necessary” standard by limiting the protected health information to the limited data set as defined by HIPAA, and clarifies that the covered entity or business associate disclosing the protected health information - not the recipient - determines what constitutes the minimum necessary to meet existing HIPAA requirements. The Secretary must issue guidance as to what constitutes “minimum necessary” for purposes of the HIPAA Privacy Rule no later than 18 months after the enactment of the Bill. The provisions in the Bill identifying “minimum necessary” will sunset on the effective date of the Secretary’s Guidance. Covered entities, therefore, will be required to engage in additional regulatory analysis once the guidance is issued to ensure they remain in compliance with the “minimum necessary” standard.
Accounting of Disclosures of Electronic Health Records
Under current law, an individual can receive an accounting of protected health information disclosed by a covered entity over the last six years, except for disclosures made to carry out treatment, payment and health care operations. ARRA removes this exception for disclosures made through an electronic health record and provides that an individual may receive an accounting of disclosures through an electronic health record for the prior three years. In addition to accounting for its own disclosures, a covered entity must either provide an accounting of disclosures made by its business associates or identify the business associates, which must then respond to direct requests from individuals. Additional regulations will be issued on the method of tracking such disclosures. For covered entities that acquire electronic health records after January 1, 2009, these accounting provisions are effective on the later of January 1, 2011, the date the entity acquires an electronic health record, or a later date set by the Secretary (but no later than 2013).
Limitations on Sale of Electronic Health Records or Protected Health Information
ARRA prohibits a covered entity or business associate from directly or indirectly receiving remuneration in exchange for any protected health information unless the individual to whom the information relates consents or an exception applies. The exceptions include, but are not limited to, public health activities, research, the individual’s treatment or health care operations, or as otherwise addressed in regulations to be issued by the Secretary within 18 months of the enactment of ARRA. These limitations apply to exchanges occurring on or after 6 months following the issuance of the final regulations.
Access to Information in Electronic Format
Existing HIPAA provisions permit individuals to obtain a copy of certain protected health information. ARRA amends this provision to permit individuals to obtain the information in electronic format and limits the fees imposed for providing the information to the labor costs incurred in responding to the request.
Limitations on disclosure pursuant to “Health Care Operations”
The Bill clarifies the existing HIPAA provisions that permit disclosure of protected health information for “health care operations” purposes, as defined by the HIPAA Privacy Rule, and the prohibition on disclosing protected health information for marketing purposes without authorization. The Bill clarifies that a marketing communication by a covered entity or business associate about a service or product that encourages the recipient to purchase or use the service shall not be considered “health care operations” unless the communication relates to a health-care related product or service and certain other requirements are met.
Specifically, a covered entity cannot receive direct or indirect payment for making such a communication unless the payment is “reasonable in amount.” The term “reasonable in amount” will be defined by the Secretary in regulation. The communication must also pertain to a drug or biologic currently prescribed to the recipient to be considered “health care operations” instead of a “marketing” communication.
In the alternative, the covered entity may obtain an authorization from the recipient of the communication consistent with the current HIPAA authorization requirements. Finally, the communication may be made by a business associate consistent with the business associate agreement. Given that a business associate is not permitted to do anything under the HIPAA Privacy Rule that a covered entity is not permitted to do, any communications by a business associate under this section would be subject to the same limitations as a covered entity discussed above. These requirements take effect 12 months after enactment of the Bill.
Examples of communications that appear to be subject to the new limitations include sending information to current patients on generic alternatives or new drug treatments, because those drugs would not be currently prescribed to the recipient. Other examples include recommending alternative treatments or therapies where the covered entity receives payment for the communication. The covered entity could, however, obtain an authorization to permit such communications. It will be important to continue to monitor this area as the new regulations and any additional guidance are issued by the Secretary.
Fundraising Communications
ARRA continues to permit fundraising activities by the provider using a patient’s protected health information so long as any written fundraising materials provide an opportunity to opt out of future fundraising communications. If the recipient chooses to opt out of future fundraising communications, that choice is treated as a revocation of authorization under existing provisions of the HIPAA Privacy Rule that guarantee rights for individuals who revoke such authorizations, including the right not to be denied treatment as a result of making that choice. These requirements take effect 12 months after enactment.
Breach Notification Procedures for Vendors and Service Providers
For those vendors of personal health records that are not also business associates, ARRA imposes parallel breach notification requirements. Generally, notice must be provided to individuals and to the FTC following the discovery of a security breach of information that is provided by, or on behalf of, the individual and can reasonably identify the individual. “Vendor” is defined as any entity, other than a covered entity, that offers or maintains a personal health record. Similar notification requirements are imposed on third party service providers that provide services to vendors of personal health records. As with the breach notification provisions for covered entities and business associates, the requirements on vendors and service providers apply only to “unsecured” information. The method, content and timing requirements for such notifications are also similar to those imposed on covered entities and business associates. Notably, a violation of the notification requirements under this section is considered an unfair or deceptive practice under the Federal Trade Commission Act.
The Federal Trade Commission (“FTC”) must issue interim final regulations for such notifications within 180 days of the enactment of ARRA. The breach notification requirements will apply to breaches that are discovered on or after 30 days following the publication of the interim final regulations. Therefore, these breach notification requirements will be effective no later than September 15, 2009 (210 days after February 17, 2009). These regulations will sunset if Congress enacts new notification legislation that applies to entities that are not covered entities or business associates.
Business Associate Contracts for Health Information Exchanges
ARRA requires organizations that contract with covered entities or their business associates for the purpose of exchanging electronic health information, such as Health Information Exchanges and Regional Health Information Organizations, and PHR vendors that offer their products through or for a provider or health plan, to have business associate contracts with those providers or health plans. Similarly, such entities are to be treated as business associates, thus imposing the breach notification provisions and other requirements.
Criminal Penalties for Employees and Other Individuals
ARRA clarifies that criminal penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose such information maintained by a covered entity, whether they are employees or not. The amendment reverses prior legal direction by the Justice Department.
Enhanced Enforcement and Civil Penalties
ARRA significantly enhances the government’s enforcement capabilities and penalties.
ARRA amends HIPAA to permit the Office for Civil Rights (“OCR”) to pursue an investigation and the imposition of civil monetary penalties against any individual for an alleged criminal violation of the HIPAA Privacy and Security Rules if the Justice Department has not prosecuted the individual. In addition, the bill amends HIPAA to require a formal investigation of complaints and the imposition of civil monetary penalties for violations due to willful neglect (existing law requires a higher knowledge threshold). The Secretary is required to issue regulations within 18 months to implement those amendments, which shall apply to penalties imposed on or after 24 months following enactment. Notably, the civil penalties collected are to be transferred to OCR for use in enforcing the HIPAA privacy and security standards.
Additionally, within 18 months of enactment, the Government Accountability Office (“GAO”) must submit recommendations for giving a percentage of any civil monetary penalties collected to the individuals harmed. Based on those recommendations, the Secretary, within three years of enactment, must establish a methodology to distribute a percentage of any collected penalties to harmed individuals.
ARRA also increases and tiers the penalties for HIPAA violations, effective upon the date of enactment.
Actions by State Attorneys General
Most significantly, and in a clear break from prior law, ARRA permits State Attorneys General to bring civil actions in federal district court against individuals who violate the HIPAA privacy and security standards in order to enjoin further violations and obtain damages up to $100 per violation, capped at $25,000 annually, for all violations of an identical requirement or prohibition. The court has discretion to award costs and reasonable attorneys’ fees for successful actions. A state action is not permitted if a federal civil action is pending. This provision is effective upon enactment.
Periodic Audits
ARRA requires the Secretary to perform periodic audits of covered entities and business associates to ensure compliance with the Privacy and Security Rule promulgated pursuant to HIPAA and the requirements of this subtitle.
Relationship to Other Laws
The existing preemption principles of HIPAA apply to the requirements of ARRA. To the extent that ARRA is inconsistent with HIPAA, the Secretary will make HIPAA rules conform to ARRA. Finally, a puzzling construction note indicates that nothing in ARRA constitutes a waiver of “any privilege” otherwise applicable regarding protected health information, apparently encouraging creativity regarding the multitude of privileges that may be available.
Studies, Reports and Guidance
ARRA requires the Secretary to submit annually a number of reports, including but not limited to the number and nature of complaints of alleged violations and their resolution; civil fines imposed; and the number of audits and summaries of the findings. The Secretary must also, in concert with the FTC, study the application of health information privacy and security requirements on non-HIPAA covered entities, including PHR vendors and related entities, and determine which federal agency is best equipped to enforce new requirements for non-HIPAA covered entities.
Effective Date
Unless otherwise specified, the effective date of these provisions is 12 months following enactment.