The American Recovery and Reinvestment Act (“ARRA” or the “Act”) includes $19 billion in new funding for health information technology and additional responsibilities for health care entities that exchange electronic health information. Among other changes, the Act: (1) establishes the Office of the National Coordinator in the Department of Health and Human Services to coordinate health information technology policies and programs; (2) creates approximately $29 billion in additional Medicare and Medicaid incentives, $2 billion in immediate discretionary funding for the Office of the National Coordinator, $300 million for health information exchanges, and an estimated $12 billion in savings; (3) extends the application of certain privacy and security standards under the Health Insurance Portability and Accountability Act (“HIPAA”) to “business associates”; and (4) improves enforcement and enhances penalties for privacy and security violations.
National Coordinator for Health Information Technology
The ARRA establishes the Office of the National Coordinator (“ONC”) in the Department of Health and Human Services (“DHHS”) and makes the National Coordinator responsible for the development of a nationwide health information technology infrastructure to allow the electronic exchange of health information. The National Coordinator’s statutory duties include the review and approval of standards, implementation specifications, and certification criteria for the electronic exchange of health information, the coordination of health information technology policy, and the development of voluntary compliance certification for health information technology. The ARRA gives the National Coordinator the authority to impose a nominal fee on health care providers that adopt the health information technology system developed by the ONC.
New Funding for Health Information Technology
The ARRA provides immediate funding in an unspecified amount to strengthen health information technology infrastructure. It also creates regional extension centers to provide health information technology implementation assistance and education to health care providers. A regional extension center may receive financial support from the ONC of up to 50 percent of its annual operating and maintenance funds for up to four years. The Act establishes planning and implementation grants to a state or “qualified state-designated entity” in an unspecified amount to facilitate and expand the movement and use of electronic health information among organizations that meet nationally recognized standards. The National Coordinator has the discretion to award competitive grants to states and Indian Tribes for the development of loan programs to facilitate the adoption of electronic health record technology. The ARRA offers financial incentive payments to physicians and hospitals to adopt electronic health records before 2017. The Act includes financial incentive payments of up to $44,000 for eligible physicians and their practices who become “meaningful users” of electronic health records. The ARRA also provides financial incentive payments of up to $16 million to hospitals that become “meaningful users” of electronic health records. Finally, the ARRA establishes Medicaid funding for Medicaid providers that adopt electronic medical records of up to eighty-five percent of the allowable cost of the technology.
Key Changes to the Privacy and Security of Health Information
Although the financial incentives in the ARRA have been widely reported, the Act also significantly expands the reach of HIPAA. The new law extends the application of certain privacy and security provisions of HIPAA to “business associates” (entities that receive protected health information and perform certain functions on behalf of “covered entities”). The Act requires covered entities and business associates to incorporate the new provisions of the Act relating to security into their existing business arrangements. The ARRA also includes specific breach notification requirements: it requires notification within sixty days of discovery of the breach, specifies the content of the notification, and identifies acceptable methods of notification. Covered entities that transmit protected health information through an electronic health record are also required to provide an accounting of disclosures for treatment, payment and health care operations. The ARRA also requires covered entities to elect to provide an accounting of disclosures by their business associates or provide the patient with contact information for the business associate. Certain organizations that access electronic protected health information on a routine basis, such as health information exchanges and personal health record vendors, are now required to enter into business associate agreements. Finally, the law generally prohibits the sale of protected health information without patient authorization.
Improved Enforcement and Enhanced Penalties for Privacy and Security Violations
The Act allows state attorneys general to bring a civil action on behalf of residents of the state to enjoin HIPAA privacy violations or to obtain monetary damages on behalf of the residents of the state for such violations. The ARRA subjects a business associate to criminal and civil penalties for violations of certain security provisions of HIPAA. In addition, HIPAA violations may result in tiered civil monetary penalties based on whether the violation was made without knowledge, due to reasonable cause, or due to willful neglect. The ARRA also gives courts discretion to award attorney’s fees to the state in a successful action.
Practical Effect
The ARRA brings substantial new financial support to encourage the adoption of electronic health records. Health care providers would be well-advised to assess their current health information technology capabilities and devise a plan for moving their health information technology systems forward. Health care providers and health information technology vendors should also determine whether and what modifications need to be made to their current privacy and security practices. For example, health care providers may need to alter their accounting procedures and review their business associate agreements in order to meet their expanded responsibilities under the ARRA. Finally, the improved enforcement and enhanced penalties of the ARRA have raised the stakes for privacy and security compliance. This change may warrant a review of professional liability insurance policies and an increase in the amount of insurance coverage.
If you have questions about the health information technology provisions of the ARRA or would like additional information about its application, please contact Kate Healy at (207) 253-4710 or khealy@verrilldana.com. The Health Technology Group at Verrill Dana regularly advises institutions, including hospitals and physician group practices, on transactional, licensing and regulatory compliance matters.
Verrill Dana’s Health Technology Group:
Brett D. Witham: bwitham@verrilldana.com
This newsletter is intended for general information purposes and as a service to clients and friends of Verrill Dana, LLP. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor does it create the attorney-client privilege.
PORTLAND • AUGUSTA • BOSTON • HARTFORD • WASHINGTON, D.C.