HHS Delays Enforcement of HITECH Act Business Associate Provisions

We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published.  The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule.  Similarly, the HITECH Act requires covered entities to provide in their business associate agreements that all of the HITECH Act’s security requirements applicable to covered entities are also applicable to business associates.

The Office for Civil Rights (“OCR”), which enforces HIPAA’s Privacy and Security Rules, has stated publicly that it is carefully evaluating how to proceed with HIPAA enforcement.  For example, Section 13411 of the HITECH Act requires HHS to “provide for periodic audits to ensure that covered entities and business associates” are complying with the HITECH Act and its implementing regulations.  At the 18th Annual National HIPAA Summit in early February, Sue McAndrew, the OCR’s Deputy Director for Health Information Privacy, explained that there are “1,000 ways” to conduct HIPAA audits and that OCR is working with a HIPAA expert to “map out essentially the range of options” to determine how best to effectively conduct HIPAA audits.

Despite the delay in enforcement, covered entities and business associates should take necessary actions to comply with the HITECH Act’s requirements.  Please see our client alert on HITECH compliance for more information.

Privacy and Data Security Risks in Cloud Computing

Cloud computing raises complex legal issues related to privacy and information security.  As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments.  In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use of cloud computing.

Connecticut AG Files First HITECH Act Suit

In a lawsuit he described as “[s]adly . . . historic,” Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. for allegedly failing to secure private patient medical records and financial information involving hundreds of thousands of Connecticut enrollees and promptly notify consumers endangered by the security breach.  The case marks the first action by a state attorney general under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to enforce provisions of the Health Insurance Portability and Accountability Act (“HIPAA”).  The suit also alleges a violation of Connecticut’s breach notification statute.

The complaint, filed January 12, 2010, alleges that on or about May 14, 2009 Health Net learned that a portable disk drive had disappeared from one of its offices.  The disk contained unencrypted protected health information, social security numbers and bank account numbers for approximately 1.5 million past and present enrollees, including 446,000 Connecticut residents.  Health Net did not begin notifying affected individuals until November 2009.

On January 13, 2010, the Attorney General filed a motion for a preliminary injunction.  The proposed injunction mandates that Health Net and related defendants (i) comply with the privacy, security and other requirements of HIPAA; (ii) take corrective action and make “all efforts” to protect affected citizens against identity theft and other harm; and (iii) conduct “effective training of all members of their respective workforces (including independent contractors) on the policies and procedures with respect to protected health information, and personal information as defined under state law, regarding the requirements of federal and state law.”

Interim Final Rule Implements Increased Penalties for HIPAA Violations

The Department of Health and Human Services (“HHS”) released an interim final rule to incorporate the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) categories of violations and tiered civil penalty amounts.  The interim final rule is expected to be published in the Federal Register on October 30, 2009 and takes effect on November 30, 2009.  The rule applies to violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that occur on or after February 18, 2009.

The interim final rule amends HIPAA’s enforcement regulations.  Specifically, the rule incorporates the HITECH Act’s categories of violations, tiered ranges of civil penalty amounts, and revised limitations on the Secretary of HHS’s authority to impose civil penalties for violations of HIPAA's rules.  Pursuant to the interim final rule, covered entities may be subject to tiers of penalties as described below:

  • If a covered entity did not know and, by exercising reasonable diligence, would not have known that it was in violation, the minimum civil penalty is $100 per violation.
  • If a violation was the result of “reasonable cause” involving circumstances that would make it unreasonable for the covered entity (despite the exercise of ordinary business care and prudence) to comply, the minimum penalty is $1,000 per violation.
  • The minimum penalty for a violation that is the result of willful neglect and subsequently corrected is $10,000.
  • The minimum penalty for a violation that is the result of willful neglect and is not corrected is $50,000.
  • The maximum penalty for all violations of an identical provision is capped at $1.5 million per calendar year.

HHS will be accepting comments on the interim final rule until December 29, 2009.  Read our earlier blog posting for further information regarding the HITECH Act.

Access a copy of the interim final rule.