Health law newsletter
January 2010
New Patient Privacy Rules Take Effect in 2010
The Health Information Technology for Economic and Clinical Health ("HITECH") Act, part of the American Recovery and Reinvestment Act of 2009 ("ARRA") was enacted on February 17, 2009. HITECH has profound implications related to the privacy and security of patient health information. HITECH directly imposes new privacy and security requirements, and modifies elements of the Health Information Portability and Accountability Act ("HIPAA").
In February of 2010, two significant requirements of HITECH will either become effective or begin to be enforced. The first is the Breach Notification requirement and the second is the application of HIPAA directly to Business Associates.
Breach Notification Requirements
The HITECH Breach Notification requirements apply to HIPAA covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information. HITECH incorporates the definitions of "Covered Entity," "Business Associate," and "Protected Health Information" used in HIPAA. Under HIPAA, a Covered Entity is a health plan, health care clearinghouse, or health care provider that transmits any health information electronically in connection with a covered transaction, such as submitting health care claims to a health plan. Business Associate, are persons or entities that perform functions or activities on behalf of a Covered Entity that involve the use or disclosure of individually identifiable health information. HIPAA defines "Protected Health Information" as the individually identifiable health information held or transmitted in any form or medium by Covered Entities and Business Associates.
HITECH requires Covered Entities to provide notification to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured PHI. In addition, in some cases, HITECH requires Covered Entities to provide notification to the media of breaches. In the case of a breach of unsecured PHI by a Business Associate of a Covered Entity, HITECH requires the Business Associate to notify the Covered Entity of the Breach. Finally, HITECH requires the Secretary of Health and Human Services to post on the HHS Web site a list of covered entities that experience breaches of unsecured PHI involving more than 500 individuals.
The Breach Notification requirements became effective September 23, 2009, meaning that as of that date Covered Entities and their Business Associates were required to recognize, document, and report breaches of unsecured PHI. HHS exercised its enforcement discretion and established February 22, 2010 as the date upon which it will begin imposing sanctions for failure to provide the prescribed notifications.
Covered Entities and Business Associates are advised to create policies and procedures to recognize and report breaches of PHI. Although HITECH expands HIPAA privacy rules directly to Business Associates and creates a duty for Business Associates to report breaches to the Covered Entity from which it received PHI, the responsibility of reporting breaches to the individuals whose PHI has been disclosed and to HHS rests with the Covered Entity. Therefore, Covered Entities would be wise to develop breach notification procedures between themselves and their Business Associates.
Application of HIPAA to Business Associates and the Requirement to Amend Business Associate Agreements.
Prior to the enactment of HITECH Business Associates were only bound to the privacy and security rules of HIPAA through a business associate agreement ("BAA"). The BAA is a contract between a Covered Entity and a Business Associate which obligates the Business Associate to handle PHI in a manner agreed to by the parties. The BAA is a private contract, therefore, should the Business Associate violate a provision of HIPAA, the only recourse available to the Covered Entity is a breach of contract claim against the Business Associate. Effective February 17, 2010, many of the HIPAA standards will apply directly to Business Associates, and Business Associates will be subject to the same civil and criminal penalties that can be imposed against Covered Entities.
HITECH also mandates that HIPAA privacy and security requirements "shall be incorporated into the BAA between the Business Associate and the Covered Entity." This provision of HITECH possibly requires that all existing BAA be revised to incorporate the new requirements. At a minimum Covered Entities should place their respective Business Associates on notice that pursuant to HITECH that where HIPAA is more restrictive than any term in an existing BAA, the Business Associate is expected to comply with federal law.
Finally, a BAA should include the previously discussed Breach Notification requirements, and the obligation on the part of the Business Associate to notify the Covered Entity "without delay." It is also prudent for Covered Entities to insist that Business Associates indemnify the Covered Entity for any costs incurred by the Covered Entity resulting from a breach of PHI by the Business Associate.
New Obligations for Employers under COBRA
BY: Daniel B. Frier, Esq. and Mohamed H. Nabulsi, Esq.*
The American Recovery and Reinvestment Act of 2009 (the "Act"), which was signed into law by President Barack Obama on February 17, 2009, and amended by the Department of Defense Appropriations Act, 2010, creates new obligations for employers with respect to the post-termination continuation of former-employees' health insurance coverage. Specifically, the Act prescribes an Insurance Premium Reduction mechanism by which beneficiaries, who are qualified to receive benefits under the Consolidated Omnibus Budget Reconciliation Act ("COBRA") and who were involuntarily terminated between September 1, 2008 and February 28, 2010, may pay only thirty-five percent of their COBRA premiums to continue their health insurance coverage under COBRA.The remaining sixty-five percent is payable by employers covered under COBRA (i.e., employers who employ twenty or more employees), if the employers continue to offer a group health plan after the termination of their employees. This payment is reimbursable to employers as a tax credit. The Premium Reduction ends upon the earliest of: (i) the date on which a former-employee becomes eligible for other group coverage (or Medicare); (ii) 15 months of the reduction, or (iii) the date on which the former-employee's COBRA coverage expires.
Employers who are not covered under COBRA (i.e., employers who do not employ at least twenty employees) must comply with their state's version[1] of COBRA (commonly known as "Mini-COBRA"), which, generally, apply to employers of less than twenty employees. State Mini-COBRAs may mirror the requirements of ARRA to the extent that they deem a qualified former-employee's payment of thirty-five percent of his or her health insurance premiums as payment-in-full. However, certain states' Mini-COBRAs (e.g., NJ and NY) differ from ARRA in that, among other things, they require that the health insurers, not the employers, pay sixty-five percent of the former-employees health insurance premiums.
As briefly discussed above, employers have significant responsibilities under ARRA concerning the post-termination continuation of former-employees' health insurance coverage. These responsibilities may vary depending on, among other factors, the number of employees employed by the employer and the state in which the employer is located. Aside from the monetary contribution requirements, employers are required to comply with certain notice and disclosure requirements that are critical to compliance with ARRA. Failure to comply with such notice and disclosure requirements may result in the employer's incurring penalties of up to $100 per day for each violation.
Please contact our office for guidance on how to comply with ARRA's Insurance Premium Reduction provisions.
[1] New Jersey and New York are among the states that have enacted Mini-COBRAs. Not all states have enacted Mini-COBRAs.
REMINDER FOR SURGICAL PRACTICES IN NEW JERSEY
Registration Deadline
· Surgical Practice Deadline:
If you operated a one operating room surgical suite ("Surgical Practice") on March 21, 2009, you must register the Surgical Practice with the New Jersey Department of Health and Senior Services ("DHSS") before March 22, 2010. As a condition to registration, you must obtain either Medicare certification or ambulatory care accreditation from a Medicare-approved accrediting organization (e.g., Joint Commission). Please be advised that the DHSS has not yet prescribed the form and manner in which Surgical Practices must be registered. As such, at this juncture, it is not clear what the registration requirement will entail. Additionally, it is questionable whether the DHSS will strictly enforce the March 22, 2010 deadline given the lack of a compliance mechanism. However, technically speaking, the law does not create an exception where the Surgical Practice's non-compliance is due to the DHSS' failure to prescribe a compliance mechanism. To help clients preserve their ability to register their Surgical Practice with the DHSS, our practice has been to submit a letter to the DHSS advising the DHSS of the client's readiness to comply with the law, and asking for guidance about the registration process. The letter is not designed to initiate the registration process or comply with the registration requirement; rather, the sole purpose of the letter is to establish a record of our client's readiness to comply with the law, notwithstanding the lack of a compliance mechanism.
· Ambulatory Surgery Center Deadline:
If you have a multiple operating room surgery center, which seeks licensure from the DHSSS, you must obtain ambulatory care accreditation from a Medicare-approved accrediting organization as a condition of licensure. If you have a licensedmultiple operating room surgery center, you must obtain you must obtain ambulatory care accreditation from a Medicare-approved accrediting organization before March 22, 2010.
· Radiation Therapy Facility Deadline:
If you are considering owning and referring patients to an ambulatory care facility that provides radiation therapy, you must finalize your purchase of the interests in such facility before March 1, 2010. You should be aware that missing the deadline does not mean that you will be prohibited from becoming an owner of a radiation therapy facility; rather, it means that, if you become an owner of such facility are March 1, 2010, you will be prohibited from referring patients to the facility.
It would be wise to submit all relevant paperwork to the DHSS at least twenty days prior to the applicable deadlines, so as to reserve some time to address any issues that may arise after submission. Please contact us with any questions regarding the foregoing deadlines.
About Our Law Firm
The attorneys at Frier Levitt represent a broad range of clients in healthcare law, transactional and regulatory matters, pharmacy law, internet law, matrimonial law, real estate and corporate representation tailored to the needs of business and individual clients.
Frier & Levitt, LLC
84 Bloomfield Avenue
Pine Brook, New Jersey 07058
973-618-1660