On February 17, 2010, many banks and financial institutions will, for the first time, become directly subject to the privacy and security provisions of the Health Insurance Portability and Accountability Act (“HIPAA”), and to the enforcement powers of the United States Department of Health and Human Services (“HHS”).  The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), passed as part of last year’s stimulus bill, extended HIPAA’s privacy and security provisions to business associates of covered entities.  Many banks and financial institutions will fall into this category by virtue of their provision of so-called medical lockboxes or medical banking services to healthcare providers or other covered entities under HIPAA that require them to handle personal health information (“PHI”).

The HITECH Act also established strict reporting requirements, allowed for increased enforcement by HHS and state attorneys general, and provided for enhanced civil and criminal penalties and statutory damages for breaches and disclosures of unprotected PHI.  A separate provision of the HITECH Act addresses entities that offer services to store individuals’ health information online, and places these “vendors” under the regulatory authority of the FTC.  Among other things, the new law’s provisions affecting business associates and covered entities:

  1. Make clear that all privacy and security provisions of HIPAA and its implementing regulations apply to business associates to the same extent as to covered entities;
  2. Require that all Business Associate Agreements (“BAAs”) be amended to incorporate HIPAA’s privacy and security rules;
  3. Impose specific notification requirements in the event of a breach;
  4. Require covered entities to provide notice to affected individuals within 60 days of discovery of a breach. In any case in which 500 or more person are affected by a breach, the covered entity must provide notices to HHS and to major local media outlets;
  5. Require business associates to notify the covered entity of any breach of confidentiality of PHI acquired from that covered entity;
  6. Subject both covered entities and business associates to enhanced civil penalties, and in some cases criminal penalties, for violation of the security regulations.  Civil penalties range from $100 to $50,000 per violation with maximum yearly penalties of up to $1.5 million.  Yearly maximums apply, however, only for violations of “identical requirement[s] or prohibition[s],” and in theory could be stacked where there are violations of multiple requirements or prohibitions;
  7. Eliminates certain affirmative defenses to civil monetary penalties;
  8. Give state attorneys general new civil enforcement authority to seek injunctions and statutory damages for violations of HIPAA on behalf of citizens of that state.  (The first such suit by a state attorney general has reportedly already been filed.  According to a report from AHA News Now, on January 20, 2010, the Connecticut Attorney General filed suit against Health Net of Connecticut, for failing to secure the PHI of approximately 446,000 plan members.) Significantly, the HITECH Act leaves in effect state laws allowing for enforcement by private attorneys general, opening the door to greater HIPAA scrutiny and enforcement;  and
  9. Imposes stronger controls on the sale of PHI.

Under regulations announced by HHS on August 24, 2009, and effective February 22, 2010, there is a “risk of harm” threshold that triggers the breach notification provisions.  HHS guidance also indicates that where PHI is properly encrypted as specified by HHS, notification to affected individuals may not be required because such information would not be “unsecured.”

With the HITECH’s business associate provisions set to go into effect February 17, 2010, banks involved in medical banking should have their compliance efforts well underway.  To the extent such compliance efforts are not yet complete, banks and other business associates should begin immediately taking steps to ensure compliance, including but not limited to:

  • Implementing physical and technological barriers to protect PHI;
  • Complying with access, amendment and accounting provisions of the Privacy Rule;
  • Developing a proper breach notification compliance program;
  • Implementing a security and privacy awareness and training program;
  • Reviewing and amending any BAAs that have not already been amended;
  • Developing methodologies to allow HHS to audit compliance;
  • Developing methodologies to allow individuals to restrict access to certain PHI as provided for in the statute; and
  • Developing appropriate risk assessment guidelines to assist in determining when the “risk threshold” has been reached, triggering notification obligations under the law.

These are just a few of the actions that should be taken as part of a program of best practices to comply with HIPAA and the HITECH Act.   It is also important for banks to understand that outsourcing or sending certain services offshore will not relieve them of the responsibility of securing PHI in compliance with the law.

Bryan Cave has attorneys with backgrounds in financial institutions, health care, data security and commercial litigation ready to assist financial institutions with concerns about HIPAA’s application to medical banking.