Economic Stimulus Package V4

The American Recovery and Reinvestment Act (ARRA) of 2009: Privacy and Security Provisions and Impacts
Lisa A. Gallagher, BSEE, CISM, CPHIMS, Senior Director, Privacy and Security, HIMSS
Dixie B. Baker, Ph.D., FHIMSS, Senior Vice President, Chief Technology Officer, Health Solutions, SAIC

Description: Discussion of ARRA privacy and security requirements and impacts

Transcript of Economic Stimulus Package V4

Page 1: Economic Stimulus Package V4

The American Recovery and Reinvestment Act (ARRA) of 2009:

Privacy and Security Provisions and Impacts

Lisa A. Gallagher, BSEE, CISM, CPHIMS

Senior Director, Privacy and Security

HIMSS

Dixie B. Baker, Ph.D., FHIMSS

Senior Vice President, Chief Technology Officer, Health Solutions

SAIC


Slide 2

Introduction and Background

• On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA), designated as H.R. 1.
• ARRA is a law, not a regulation – some provisions are directly effective, others require interpretation, regulation, and guidance
• Best to familiarize your organization with the new law now and assess potential impact
• Meanwhile, take advantage of the opportunity to provide input:
  – Track regulatory activity
  – Express your views and concerns to the Department of Health and Human Services (HHS)
• Today’s presentation is based on what we know today – watch www.himss.org/EconomicStimulus for up-to-the-minute information


Slide 3

Fast Forward from HIPAA: Greater Threat, Bigger Target (1)

• Electronic administrative transactions are now standard practice
• Electronic Health Records (EHRs) have been widely adopted by large health systems and are now penetrating into private practices
• Health Information Exchanges (HIEs) are springing up throughout the country, facilitating EHR sharing, e-prescribing, public health surveillance, and other shared services
• Personal Health Records (PHRs) and health record banks have emerged – until now, completely outside the reach of the Health Insurance Portability and Accountability Act (HIPAA)


Slide 4

Fast Forward from HIPAA: Greater Threat, Bigger Target (2)

• Security risks are ubiquitous, and increasingly nefarious
  – Virtually everyone is targeted by spyware on a daily basis, and many have been victimized by identity theft
  – Both techno-savvy and not-so-savvy consumers now recognize that the use of computers introduces new risks to their health information and their personal privacy
• U.S. has experienced terrorist and bioterrorist attacks, and natural disasters requiring rapid medical containment and response
• Virtually no one has been penalized for HIPAA violations


Slide 5

What New Provisions Attempt to Do

• Encourage – and indeed enable – the realization of a National Health Information Network (NHIN) to improve the efficiency and quality of the U.S. healthcare system, and the health and safety of our people
• Broaden the scope of applicability for the HIPAA Privacy and Security Rules to encompass many large entities that handle large amounts of sensitive health information, but were previously excluded
• Provide transparency for breach victims
• Strengthen enforcement and sanctions
• Strengthen patients’ privacy rights


Slide 6

Business Associates (BAs): Before and After

• Pre-ARRA
  – BAs were outside direct HHS regulation, oversight and penalties
    • Requirements contained in contracts with covered entities (CEs)
  – Health Information Exchanges (HIEs, including RHIOs, ePrescribing networks, etc.) not involved in HIPAA transactions were excluded
• Post-ARRA
  – BAs – including HIEs – must implement the same HIPAA administrative, physical, and technical security controls as CEs
  – BAs are subject to the same penalties as covered entities

ARRA = American Recovery and Reinvestment Act; RHIOs = Regional Health Information Organizations


Slide 7

Business Associates (BAs): Impacts (1)

• Significantly enhances the security of protected health information (PHI) and the privacy of patients!
• Exposes technology vendors, practice management companies, transcription services, billing services, attorneys, accountants and many other types of BAs – including HIEs – to direct regulation, and civil and criminal penalties under HIPAA
  – Increases risk to entities previously outside HIPAA or obligated only by contract
  – Decreases risk to covered entities by increasing assurance of compliance
  – Risk translates into cost

HIEs = Health Information Exchanges


Slide 8

Business Associates (BAs): Impacts (2)

• Some existing BA agreements may need to be modified
• BA agreements will need to be negotiated among covered entities participating in HIEs
• BAs will need to strengthen their security to assure compliance
• Annual guidance to be provided by HHS and aimed at BAs should benefit both covered entities and BAs
• Directive for HHS and FTC to study potential expansion of HIPAA to other organizations should be interpreted as a wake-up call for companies that are neither covered entities nor BAs

HIEs = Health Information Exchanges; HHS = Health and Human Services; FTC = Federal Trade Commission


Slide 9

Breach Notification: Before and After

• Pre-ARRA
  – HIPAA required covered entities to mitigate potentially harmful effects of improper disclosures, but it did not expressly mandate notification
  – Encryption type or standard unspecified
  – No legal definitions of Electronic Health Record (EHR) and Personal Health Record (PHR)
  – PHR vendors, information-providers, and marketers were outside scope of HIPAA

ARRA = American Recovery and Reinvestment Act


Slide 10

Breach Notification: Before and After

• Post-ARRA
  – We finally have legal definitions of Electronic Health Record (EHR) and Personal Health Record (PHR)!
    • EHR: an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff
    • PHR: an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual

ARRA = American Recovery and Reinvestment Act


Slide 11

Breach Notification: Before and After

• Post-ARRA (cont.)
  – Protected health information “protection” requires technology or method as specified by Secretary HHS/endorsed by ANSI-accredited Standards Development Organization (SDO)
  – Covered entities must promptly (within 60 days) notify
    • Individuals affected by breach
    • If more than 500 people are affected, must notify the media and HHS

ARRA = American Recovery and Reinvestment Act; HHS = Health and Human Services


Slide 12

Breach Notification: Before and After

• Post-ARRA (cont.)
  – Comparable requirement imposed on “PHR-entities” – including vendors, information providers, and marketers of products and services – except that they must report to the Federal Trade Commission (FTC) instead of HHS
  – BAs (remember – this includes HIEs) must notify the covered entity

ARRA = American Recovery and Reinvestment Act; PHR = Personal Health Record; BAs = Business Associates; HIEs = Health Information Exchanges


Slide 13

Breach Notification: Impacts (1)

• We have definitions, but many questions remain…
  – Electronic Health Record (EHR) is created by an “authorized health care clinician or staff” member that may not be a “covered entity” – so a health record created by an insurance company is not an EHR, nor is a record that is created by a clinician but never consulted
  – Where do the Personal Health Record (PHR) scope boundaries lie? Is a gym’s record of exercise, weight, diet, etc. a PHR?
  – How is the primary purpose of a PHR determined? If a vendor provides a PHR for the business purpose of selling advertising, does that take the record outside the scope?


Slide 14

Breach Notification: Impacts (2)

• For covered entities, increases cost and risk of adverse publicity
  – CEs likely to contractually pass on breach notification requirement to BAs – along with inherited cost and risk
  – For HIEs, may not be clear who is “at fault” – especially within allowed 60 days
• New (likely unanticipated) cost and risk for “PHR-related entities” – including vendors, information-providers, and marketers of products and services
  – Currently in denial
  – Ultimately will need to revisit business models to deal with unanticipated regulation and heightened scrutiny from the FTC

CEs = Covered Entities; BAs = Business Associates; HIEs = Health Information Exchanges; PHR = Personal Health Record; FTC = Federal Trade Commission


Slide 15

Breach Notification: Impacts (3)

• Overlap with many state notification laws will require careful analysis in developing security breach notification action plans

• Other organizations should carefully monitor the future extension of HIPAA to a wider range of industry participants


Slide 16

Restrictions on Use and Disclosure of PHI: Before and After

• Pre-ARRA
  – No restrictions on payment for PHI within HIPAA allowed exceptions
  – Many “marketing” communications were considered “operations” under HIPAA and therefore did not require authorization
  – “Minimum necessary” is determined by the CE

ARRA = American Recovery and Reinvestment Act; CEs = Covered Entities; PHI = Protected Health Information


Slide 17

Restrictions on Use and Disclosure of PHI: Before and After

• Post-ARRA
  – CE may not receive payment for PHI without the individual’s authorization, except for disclosures for limited purposes such as public health, treatment or research
    • Payment for research disclosures may not exceed the cost of preparing and transmitting the data
  – Marketing exceptions no longer permitted without individual’s authorization if the CE receives payment from another party

ARRA = American Recovery and Reinvestment Act; CEs = Covered Entities; PHI = Protected Health Information


Slide 18

Restrictions on Use and Disclosure of PHI: Before and After

• Post-ARRA (cont.)
  – If sufficient for intended purpose, CEs must use or disclose only a “limited data set” that excludes names, street addresses, social security numbers and other identifiers but is not fully “de-identified”
    • HHS to issue regulations providing guidance on “minimum necessary” within 18 months

PHI = Protected Health Information; ARRA = American Recovery and Reinvestment Act; CEs = Covered Entities; HHS = Health and Human Services


Slide 19

Restrictions on Use and Disclosure of PHI: Impacts

• Significantly stronger protection of PHI against commercial exploitation!

• Eliminates source of revenue for covered entities – will need to revise business models

• Eliminates marketing channel for companies offering medical products and services

• CEs may need to modify existing data sharing arrangements that no longer are permissible

PHI = Protected Health Information; CEs = Covered Entities


Slide 20

Patient Rights: Before and After

• Pre-ARRA
  – If patient requests that information not be shared with health plan, entity must process request, but is not obligated to honor it
  – Patient has right to inspect and copy PHI
  – Disclosures for treatment, payment and healthcare operations (TPO) are exempt from HIPAA’s Accounting of Disclosures requirement
  – CE must include in any fundraising materials it sends to individuals a description of how to opt out of receiving any further fundraising communications, and must make reasonable efforts to comply with opt-out requests

ARRA = American Recovery and Reinvestment Act; CEs = Covered Entities; PHI = Protected Health Information


Slide 21

Patient Rights: Before and After

• Post-ARRA
  – If patient requests that information not be shared with health plan, and pays full bill, CE must honor request
  – CEs that maintain EHRs must provide copies in electronic form, and at individual’s request, must transmit copies to named third parties
  – CEs that maintain EHRs must, at an individual’s request, provide an accounting of all PHI disclosures from that system, including for treatment, payment and healthcare operations (TPO), during the prior three years
  – Fundraising materials must provide a “clear and conspicuous” opportunity to opt-out, and choice to opt-out must be treated as a “revocation of authorization”

ARRA = American Recovery and Reinvestment Act; CEs = Covered Entities; EHRs = Electronic Health Records


Slide 22

Patient Rights: Impacts (1)

• Strengthens patient privacy and accountability rights, and right to anonymous care
• Withholding health information from health plans presents significant implementation challenges
  – Does it refer to a visit, an encounter, a procedure? If a withheld procedure results in adverse reaction that requires follow-on treatment, is that a separate instance? What if the patient wants the follow-on treatment billed to insurance?
  – Will require changes to both administrative and clinical systems
  – How is the withheld information reflected in a longitudinal record?


Slide 23

Patient Rights: Impacts (2)

• Covered entities (CEs) may charge labor costs for providing electronic copy of record – likely to be improvement over charges for paper copies
• Requires CE to account for its own disclosures – and provides options for accounting for PHI disclosures from systems operated by BAs
  – Each BA agreement must address the expectation regarding accounting for disclosures

PHI = Protected Health Information; BAs = Business Associates


Slide 24

Enhanced Enforcement and Penalties: Before and After

• Pre-ARRA
  – Department of Justice (DOJ) interpretation exempted individuals from civil and criminal prosecution – only “Covered Entities” could be prosecuted
  – HHS could not impose civil penalty on anyone subject to a criminal offense – even if the DOJ did not prosecute

ARRA = American Recovery and Reinvestment Act; HHS = Health and Human Services


Slide 25

Enhanced Enforcement and Penalties: Before and After

• Post-ARRA
  – Any person who obtains PHI without authorization may be prosecuted
  – HHS cannot impose civil penalty on anyone who is convicted of a criminal offense
  – Incorporates notion of “willful neglect” – for which HHS must impose a penalty
  – New tiered civil penalties that consider degree of knowledge and culpability
  – State Attorneys General may bring civil actions on behalf of residents damaged by HIPAA violations
  – HHS Secretary required to perform periodic compliance audits

ARRA = American Recovery and Reinvestment Act; PHI = Protected Health Information; HHS = Health and Human Services


Slide 26

Enhanced Enforcement and Penalties: Impacts

• Strengthened penalties and enforcement mechanisms should increase assurance that individual privacy will be protected
• Changes send HHS a clear message that Congress is unhappy with the current state of virtual non-enforcement – expect to see changes
• Individual violators likely to be singled out
• Heightened enforcement increases risk to CEs and BAs – they will need to implement stronger enforcement within their organizations, increasing both cost and assurance of compliance

HHS = Health and Human Services; CEs = Covered Entities; BAs = Business Associates


Slide 27

Resources

• “One-stop Shop” on the ARRA: himss.org/EconomicStimulus
• Summary: himss.org/content/files/HIMSSSummaryOfARRA.pdf
• Analysis: himss.org/EconomicStimulus
• FAQs: himss.org/EconomicStimulus/docs/HIMSS_FAQs_ARRA.pdf
• HIMSS09 Sessions on ARRA: himssconference.org/education/ESPSessions.aspx
• HIMSS P&S Toolkit: http://www.himss.org/ASP/privacySecurityTree.asp?faid=78&tid=4