April 06, 2009
Watch Out for HIPAA Changes in ARRA
Just when you thought you’d mastered the COBRA changes in the economic stimulus package signed by President Obama on February 17, 2009—here come changes to the Health Insurance Portability and Accountability Act, or HIPAA. (Reminder: The stimulus package was titled the American Recovery and Reinvestment Act, or ARRA.)

Casting a wider HIPAA net. The revisions don’t affect all employers, but they do affect a significant number in the healthcare sector. Covered are health plans (such as insurers), healthcare providers, and healthcare clearinghouses (defined as entities that provide billing or other processing services, acting as liaisons between providers and plans or between plans and payers). We asked Jennifer N. Willcox, an attorney with Pullman & Comley at the firm’s Bridgeport, Connecticut, office, to discuss the changes with us.

A specialist in healthcare law, she notes that Title XIII of ARRA, known as the HITECH Act, is the source of these dozens of HIPAA revisions. The most sweeping change, she believes, is to the obligations of “business associates.” These are organizations under contract to health plans, providers, or clearinghouses to perform various outsourced functions that involve access to private health information. When the HITECH Act becomes effective, in February 2010, these associates will be subject, for the first time, to the same civil and criminal penalties that can now be assessed against plans and providers for HIPAA violations.

In the past, “business associate agreements” were crafted to ensure that vendors and contractors protected private health information, so Willcox thinks plans and providers may have to inventory all their agreements to make them compliant with HITECH. And here’s another wrinkle: “Business associates will now have an express obligation to ‘rat out’ [plans or providers] … if they have knowledge that a … customer is violating the regulations,” she says.

Security breaches must be disclosed. Although many state laws require that people whose personal information is stolen must be notified by the company from which it was stolen, the HITECH Act adds a federal obligation to those laws—“a significantly more onerous” one, says Willcox. “Covered entities”—HIPAA jargon for plans and providers—must tell individuals, within no more than 60 days, if their personal information has been acquired or used without authority. The Act also dictates the content of such notices. And, if the data on 500 or more people are breached, the covered entity from which it was taken must report the incident to the Secretary of Health and Human Services (HHS); HHS will post such breaches on its website.

Meanwhile, all covered entities must report annually breaches involving fewer than 500 people. But there is a safe harbor for personal health information that is secured through a recognized encryption or similar method.

Individual rights have more teeth. Willcox notes that the original HIPAA rule gave individuals the right to request that the disclosure of their private health information be restricted. But covered entities (plans, providers, and so on) did not have to honor that request. Once the HITECH Act is in effect, such a request must be honored if the information is related to an item or service for which the patient paid out of pocket.

Here’s an example: An individual wants a genetic test and pays for it him- or herself in order to prevent the health plan from seeing the result of the test—which might lead to a premium increase if the person appears vulnerable to disease or disorder. The covered entity, usually the healthcare provider in this case, must act to ensure that the test results are not disclosed.

Willcox predicts that complying with this rule could be burdensome for providers, as they must segregate certain information from the rest of an individual’s records. Further, some disclosures of private health information must be tracked by covered entities, and individuals can ask for an accounting of those disclosures—on the theory that patients may be able to identify the source of a breach of their data. Under HITECH, any covered entity that uses electronic health records will have to account for all disclosures on request. Willcox reports that many providers and information technology consultants believe that will be harder to achieve than Congress apparently thought it would be; electronic record systems may not be as efficient as legislators thought.

And enforcement will be stronger. Congress also apparently felt that HIPAA enforcement was often lax, so legislators beefed it up. For example, criminal penalties will apply not only to covered entities that violate privacy rules but also to those organizations’ individual employees. And not only have civil penalties been increased, but they can also be shared with harmed individuals. Most important, HITECH gives state attorneys general the power to enforce HIPAA rules. That “will undoubtedly mean greater attention to enforcement at the state level,” says Willcox.