Changes in American Recovery and Reinvestment Act of 2009
Client Alert | 19 min read | 02.18.09
The American Recovery and Reinvestment Act of 2009 ("Stimulus Act" or "ARRA"), signed into law by President Obama on February 17th, contains a number of key health care-related provisions.
- Major changes in health information privacy and security breach requirements. Under the Stimulus Act, individuals must be notified when the security of the individual's personal health information has been breached, business associates will be accountable to the same degree that covered entities are, and criminal and civil enforcement of HIPAA and the expanded law is enhanced.
- Promotion of health information technology. Significant new federal enactments seeking to advance health information technology through the implementation of a health information technology framework and incentive payments to hospitals and physicians to adopt health information technology systems.
- COBRA subsidies. The Stimulus Act provides a subsidy to help unemployed workers and their families afford continuation health coverage. The subsidy comes with a potential for economic burden for employers, and also increases the complexity of COBRA administration. The COBRA amendments necessitate employer and plan action within the next few weeks in order to assure compliance with these new requirements.
- Support for comparative effectiveness research. The Stimulus Act provides over a billion dollars for comparative effectiveness research, both in the public and private sectors, and creates a new Federal Coordinating Council for Comparative Effectiveness Research. The Council does not have authority to establish guidelines for private or public plan payment or coverage.
Congress made significant changes to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), governing the privacy and security of protected health information, as part of H.R. 1 - The American Recovery and Reinvestment Act of 2009. These changes include the adoption of new definitions, the codification of certain regulatory and guidance principles previously issued by the Secretary of Health and Human Services, and new provisions addressing technological and industry developments affecting protected health information as well as ambiguities in the interpretation and enforcement of the existing privacy and security rules. Overall, the most notable developments are the strengthening of both criminal and civil enforcement, providing for individual notification where the security of the individual's information has been breached, and making business associates accountable to the same degree that covered entities are under the law.
Highlights of Changes to Security Standards
- Business Associates:
- Business associates are held to the same security standards as covered entities in the safeguarding of protected health information, including application of civil and criminal penalties, and including the new obligations that are enacted as part of the legislation.
- Business associates are also specifically required to notify covered entities of security breaches.
- Notification in Case of Breach
- "Breach" is added as a defined term. It is defined as "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information." Exceptions from this definition are made for:
- the unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate in circumstances where the access or use was made in good faith within the course and scope of the employment or other professional relationship, or
- the disclosure was inadvertent and made to someone who was otherwise authorized to access PHI (e.g., one covered entity to another); and
- in either case, the information is not further acquired, accessed, used, or disclosed by any person.
- A covered entity is now required to notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of a breach.
- Notification to individuals must be made without unreasonable delay and in no event more than 60 days after discovery of the breach.
- A covered entity (or business associate) has the burden of proving that it notified individuals in a timely manner, including proving the necessity of any delay.
- Standards for acceptable notice by first class mail where an address is known and by other means where it is not, are established.
- Notice must be provided to the media in a particular state if the breach involves the information of more than 500 residents of that state.
- Notice must be provided to the Secretary. Form and timing of notice depend on the nature and seriousness of the breach.
- Content of notification is prescribed in the law, including a requirement to describe the steps individuals should take to protect themselves from potential harm resulting from the breach and a brief description of what the covered entity is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
- Technical Standards and Guidance
- HHS shall, in consultation with industry stakeholders, annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the security standards.
- Within 60 days of enactment of the law, the Secretary shall, after consultation with stakeholders, issue (and annually update) guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, including use of standards developed under section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by section 4101.
- Not later than six months after the date of the enactment of the legislation, the Secretary is required to designate an individual in each regional office of the Department of Health and Human Services to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to Federal privacy and security requirements for protected health information.
Highlights of Changes to Privacy Standards
- Business Associates:
- Business associates are held to the same privacy standards as covered entities in the safeguarding, use and disclosure of protected health information, including application of civil and criminal penalties, and including the new obligations that are enacted as part of the legislation.
- Certain types of entities are expressly defined as business associates, including Health Information Exchange Organizations, Regional Health Information Organization, E-prescribing Gateways, and each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record.
- Minimum Necessary: Until the Secretary issues further guidance under the law, an entity will be treated as being in compliance with the minimum necessary standard (which does not apply to treatment uses and disclosures) only if, to the extent practicable, it limits disclosure to a "limited data set" as defined under the Privacy Rule, or if necessary, to the "minimum necessary" data that is required to accomplish the intended purpose of the use or disclosure. The law appears to put an affirmative duty on covered entities and business associates to determine what information is minimally necessary if it contains more elements than a limited data set.
- Accounting and Disclosure to the Individual
- Current limitation on accounting for disclosures for purposes of treatment is abolished if the information was disclosed through an electronic health record, but period of mandated disclosure is limited to three, not six, years. (Requires Secretary to adopt regulations that take into account HIT provisions of 3002(b)(2)(B)(iv) regarding what information on disclosures needs to be collected with respect to standards adopted under that provision.)
- Provides individuals with the right to obtain their information in an electronic format or to have it sent to a third party at the individual's request, and limits provider charges for providing copies of electronic health records to individuals.
- Individuals are given the additional right to restrict the disclosure of information by a provider to a health plan if the patient pays in full the cost of the item or service.
- Limits on Marketing and Receipt of Remuneration for Certain Activities
- No sale of PHI: Unless specifically excepted, a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity or business associate obtained from the individual a valid authorization that includes, in accordance with such section, a specification of whether the protected health information can be further exchanged for remuneration. Exceptions are made for:
- public health activities;
- research activities, so long as price reflects reasonable cost related to preparation of data for those purposes;
- treatment;
- in connection with a transaction that results in the sale of a covered entity;
- certain business associate arrangements;
- the provision of a copy of an individual's data to that individual; or
- as otherwise prescribed by the Secretary.
- Definition of Marketing is clarified: Clarifies that communicating about a product or services will not be considered marketing only if such communication meets one of the exceptions in the rule, which are:
- describing a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity making the communication;
- for treatment of the individual; or
- for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
- Limits payment of third parties for permitted communications. Limits the extent to which a covered entity or a business associate may receive compensation for making communications with exceptions for:
- communications that describe only a drug or biologic that is currently being prescribed for the recipient of the communication and any payment received by such covered entity in exchange for making the communication is reasonable in amount (to be defined by the Secretary), so long as:
- the communication is made by the covered entity, and the covered entity making such communication obtains from the recipient of the communication, a valid authorization with respect to such communication, OR
- the communication is made by a business associate on behalf of the covered entity and the communication is consistent with the written contract between such business associate and covered entity.
- Opportunity to Opt Out of Fundraising: Individuals must be given the opportunity to opt out of having their information used for the purpose of fundraising on behalf of a covered entity.
- Curtailing Use of PHI for Health Care Operations by Increasing Use of De-identified Information. Not later than 18 months after the date of enactment, the Secretary is required to promulgate regulations to eliminate from the definition of "health care operations" in the existing rule, those activities that can reasonably and efficiently be conducted through the use of information that is de-identified or that should require a valid authorization for use or disclosure.
- Definitions and Standards for Vendors of Personal Health Records:
- Vendors of personal health records (both newly defined terms) and their third party service providers are subject to notification requirements in the event that security or privacy of records is compromised, regardless of whether the vendors are considered to be covered entities.
- Failure to provide required notice will be deemed to be an unfair and deceptive trade practice under the Federal Trade Commission Act.
- The standards set forth in this section are temporary and set to expire upon issuance of regulations on the same subject matter by the Secretary and the Federal Trade Commission.
- Criminal Enforcement Provisions Apply to Employees and Other Individuals, not just Covered Entities: The criminal enforcement provision of 42 U.S.C. § 1320d-6(a) is amended to add the following new sentence: "For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity . . . and the individual obtained or disclosed such information without authorization." This addition effectively revokes the DOJ memorandum limiting criminal enforcement to covered entities.
- Civil Enforcement Provisions Are Strengthened:
- Gives the Secretary authority to utilize civil enforcement even if the action might have violated the criminal provisions of 42 U.S.C. § 1320d-6(a), so long as there has been no criminal conviction associated with the same conduct.
- Requires the Secretary to impose civil penalties if a violation is due to willful neglect.
- Requires the Secretary to formally investigate any complaint of a violation if a preliminary investigation of the facts of the complaint indicates such a possible violation is due to willful neglect.
- Provides that civil monetary penalties (CMPs) shall be available to the Secretary for the purpose of funding further enforcement.
- Commissions a GAO report to determine a reasonable methodology for compensating individuals who have been harmed by a violation, and requires the Secretary to issue rules to implement such a methodology (which will be based on a percentage of CMPs collected by the Secretary).
- Sets out tiered penalty provisions that provide for increasing penalties based on the culpability of the entity (e.g., willful neglect).
- Provides that Secretary may impose penalties (albeit at the lowest level) in cases in which "it is established that the person did not know (and by exercising reasonable diligence would not have known) that such person violated such provision."
- Enforcement without penalties to be reserved for lowest level of infractions: Adds following language to penalty provisions:
- "Nothing in this section shall be construed as preventing the Office for Civil Rights of the Department of Health and Human Services from continuing, in its discretion, to use corrective action without a penalty in cases where the person did not know (and by exercising reasonable diligence would not have known) of the violation involved."
- Permits parens patriae civil enforcement of HIPAA provisions by state attorneys general on behalf of state residents to obtain injunctive relief and damages, as well as attorney fees, but requires notice to Secretary and allows Secretary to intervene. State may not bring an action under this provision if a federal action is pending.
- Authorizes the Secretary to Conduct Audits of Both Covered Entities and Business Associates.
- Effective Dates Vary
- Unless otherwise specified, the effective date for the HIPAA provisions is one year after final enactment of the law.
- Numerous provisions provide for alternative effective dates. For example, where an individual requests an accounting of treatment disclosures that were made through an electronic medical record, the effective date for entities that currently have electronic medical record systems is January 1, 2014. For entities that begin using electronic medical record systems after January 1, 2009, the effective date is the later of January 1, 2011, or the date upon which they begin using such systems. These dates can also be changed by the Secretary through regulation, but in no event can they be later than 2016 or 2013 (two years later than specified by statute).
- In many cases, the effective (or sunset) date of a provision is triggered by the issuance of additional guidance or regulations by the Secretary.
For more information, please contact: Christine C. Rinn, Barbara H. Ryland, Robin B. Campbell, or your regular Crowell & Moring contact.
Highlights of Health Information Technology Provisions
The American Recovery and Reinvestment Act promotes the adoption of health information technology ("HIT") systems that are intended to save money, reduce medical error and improve the quality of patient care. The Act provides an expansive framework for the adoption of HIT and also provides incentives for hospitals and physicians to adopt new systems.
- Office of the National Coordinator for Health Information Technology
- Codifies the Office of the National Coordinator for Health Information Technology. The office is headed by a National Coordinator who is appointed by and reports to the Secretary of Health and Human Services.
- The National Coordinator shall perform his or her duties in a manner consistent with the development of a nationwide health information technology infrastructure that allows for electronic use and exchange of health information.
- The National Coordinator's responsibilities include review and endorsement of HIT standards, specifications, and certification criteria.
- HIT Policy Committee
- Establishes the HIT Policy Committee to make policy recommendations to the National Coordinator, including implementation of the strategic plan.
- The HIT Policy Committee shall recommend the areas in which standards, implementation specifications, and certification criteria are needed for the electronic exchange and use of health information. The standards and implementation specifications shall include named standards, architectures, and software schemes for authentication and security.
- The HIT Policy Committee shall make recommendations, including: the technologies that protect the privacy and security of health information in a qualified electronic health record; technologies that allow individually identifiable health information to be rendered unusable, unreadable, or indecipherable to unauthorized individuals; the use of electronic systems to ensure the comprehensive collection of patient demographic data; and technologies that address the needs of children and other vulnerable populations.
- The Secretary shall, through the rule making process, adopt an initial set of standards, implementation specifications, and certification criteria no later than December 31, 2009.
- HIT Standards Committee
- Establishes the HIT Standards Committee to recommend to the National Coordinator standards, implementation specifications, and certification criteria for the electronic exchange and use of health information.
- The HIT Standards Committee shall, as appropriate, provide for the testing of standards and specifications by the National Institute for Standards and Technology.
- The HIT Standards Committee shall serve as a forum for participation by stakeholders to provide input on development, harmonization, and recognition of standards, implementation specifications, and certification criteria.
- The HIT Standards Committee shall develop a schedule for the assessment of policy recommendations developed by the HIT Policy Committee. The HIT Standards Committee shall conduct open public meetings to allow for public comments on the schedule. The schedule shall be updated annually.
- Federal Health Information Technology
- The National Coordinator shall make available qualified electronic health record technology unless the Secretary determines through a needs assessment that the needs and demands of providers are being met through the marketplace.
- The National Coordinator may impose a nominal fee. The fee shall take into account the financial circumstances of smaller providers, low income providers, and providers located in rural or other medically underserved communities.
- Application and Use of Adopted Health Information Technology Standards
- Federal agencies shall require in contracts with health care providers, health plans, and health insurance issuers that, as the contractor implements, acquires, or upgrades health information technology systems, it shall utilize health information technology systems and products that meet adopted standards and implementation specifications.
- Research and Development Programs
- The Director of the National Institute of Standards and Technology, in consultation with the Director of National Science Foundation and other appropriate agencies, shall establish a program of assistance to institutions of higher education or consortia to establish multidisciplinary Centers for Health Care Information Enterprise Integration.
- Immediate Funding to Strengthen the Health Information Technology Infrastructure
- The Secretary shall invest in the infrastructure necessary to allow for and promote the electronic exchange and use of health information consistent with the goals outlined in the strategic plan.
- Funds shall be invested through appropriate agencies, such as the Centers for Medicare and Medicaid Services.
- Health Information Technology Implementation Assistance
- The National Coordinator shall establish a health information technology extension program to provide technology assistance to assist health care providers to adopt, implement, and effectively use certified electronic health record (EHR) technology.
- The Secretary shall create a Health Information Technology Research Center to provide technical assistance and develop or recognize best practices. The centers are intended to provide a forum for the sharing of information and best practices.
- The Secretary shall provide assistance with the creation and support of regional Health Information Technology Research Centers.
- State Grants to Promote Health Information Technology
- The Secretary may award a grant to a State or qualified State-designated entity to facilitate and expand the electronic movement and use of health information.
- Competitive Grants to States and Indian Tribes for the Development of Loan Programs to Facilitate the Widespread Adoption of Certified EHR Technology
- The National Coordinator may award competitive grants to entities to establish programs for loans to health care providers to purchase certified EHR technology.
- Demonstration Program to Integrate Information Technology Into Clinical Education
- The Secretary may award grants to carry out demonstration projects to develop academic curricula integrating certified EHR technology in the clinical education of health professionals.
- The entity must submit to the Secretary an application that includes a strategic plan for integrating EHR technology into the clinical education of health professionals to reduce medical errors, increase access to prevention, reduce chronic diseases, and enhance health care quality.
- Medicare Payments to Hospitals
- Beginning in FY 2011, CMS will make payment under Part A for hospitals that are "meaningful users" of health information technology. A meaningful user is a hospital that uses a certified EHR system during the reporting year.
- Payments are phased-down over four years to eligible hospitals.
- Hospitals that are not meaningful users by FY 2015 are subject to payment adjustments.
- Medicare Payments to Physicians
- Beginning in CY 2011, CMS will make incentive payments under Part B to physicians that are "meaningful users" of health information technology. A meaningful user is a physician that uses certified EHR technology with e-prescribing, information exchange, and reporting on quality measures.
- Incentive payments may be up to $18,000 per physician in the first year, on a decreasing scale in subsequent years.
- Medicare Advantage organizations that are organized as a health maintenance organization are eligible for incentive payments if:
- Physicians are employed by the Medicare Advantage organization; or
- Physicians are employed by or partners of an entity that contracts with a Medicare Advantage organization and furnishes at least 80% of the entity's Medicare patient services to enrollees of the Medicare Advantage organization; and
- The physician provides at least 80% of the professional services to enrollees of the Medicare Advantage organization; and
- The physician furnishes, on average, at least 20 hours per week of patient care services.
- The qualifying Medicare Advantage organization must submit an attestation as part of the bid submission process.
- The Secretary shall conduct a study and submit a report to Congress no later than 120 days after the enactment of this law concerning payment incentives and adjustments that could be made to professionals who are not eligible for HIT incentive payments and receive payments for Medicare patient services nearly exclusively through contractual arrangements with Medicare Advantage organizations or an intermediary. The study shall assess approaches for measuring meaningful use of qualified EHR technology and mechanisms for delivering incentives.
- Fee schedules will be reduced for physicians that do not implement by 2015. Fee schedules are reduced 1% per year (1% in 2015, 2% in 2016 and 3% in 2017).
For more information, please contact: Bruce O. Tavel, or your regular Crowell & Moring contact.
Stimulus Act Provides COBRA Subsidies and New COBRA Election and Disclosure Requirements
The American Recovery and Reinvestment Act of 2009 ("Stimulus Act" or "ARRA"), signed into law by President Obama on February 17th, provides a temporary COBRA subsidy intended to help unemployed workers and their families afford continuation health coverage. This subsidy, however, comes with a potential economic burden for employers, and also increases the complexity of COBRA administration. The amendments to COBRA necessitate employer and plan action within the next few weeks in order to assure compliance with these new requirements.
A discrete portion of the ARRA (referred to as the Health Insurance Assistance for the Unemployed Act of 2009) provides temporary monetary subsidies to help unemployed workers and their beneficiaries pay their COBRA premiums, and thereby help them afford continuation health care coverage during periods of unemployment. In concert with this premium assistance, ARRA also requires a new special election period for qualified individuals who, prior to the enactment of ARRA, did not elect COBRA, as well as imposing new COBRA notice requirements. The COBRA subsidies are first effective for the month of coverage beginning after ARRA's enactment date, which for most plans will mean that the subsidies, and the administrative duties they entail, will be applicable on March 1, 2009.
The COBRA provisions of ARRA apply to an "assistance eligible individual," i.e., any employee who is otherwise eligible for COBRA coverage, who elects such coverage, and who was involuntarily terminated from employment at any time on or between September 1, 2008 and December 31, 2009. An assistance eligible individual may also be any qualified beneficiary associated with the relevant covered employee, and such qualified beneficiary can independently elect COBRA (as provided under present law COBRA rules). ARRA provides that each assistance eligible individual will, beginning March 1, 2009, only need to pay 35% of the applicable COBRA premium, with the other 65% being provided as a subsidy by the federal government. The availability of this subsidy is, however, subject to certain income thresholds on such assistance eligible individuals, and will not be paid directly to the assistance eligible individual. Rather, the subsidy amount will have to first be paid by the "person to whom premiums are payable under COBRA continuation coverage."
The statute is not entirely clear as to how the mechanics of this subsidy will actually work. In particular, while the employer is the primary focus of this portion of the statute, the statute and the Conference Report indicate that the insurance company providing coverage in an insured arrangement may be respon