Thursday, December 13, 2012

Law Firms and HIPAA Round 2: HITECH Raises The Stakes

Ed's Note: We use the phrase “covered law firm” as a shorthand to refer to law firms that receive protected health information from their healthcare industry clients and have agreed to meet HIPAA-related obligations through a business associate agreement. We talked about those agreements in our last post.


The American Recovery and Reinvestment Act (ARRA) of 2009 signed into law by President Obama included the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act was designed to promote the widespread adoption and standardization of health information technology but also included provisions which radically altered the regulation of professionals serving the health care industry, including lawyers.

Prior to the HITECH Act, the federal government could not fine “covered law firms” for violations of the HIPAA requirements. Covered entities would contractually obligate law firms to appropriately protect PHI in a business associate agreement, but the law firms themselves did not face regulatory fines for noncompliance. This changed under the HITECH Act: civil and criminal penalties now apply directly to business associates, like law firms, for applicable HIPAA violations. The HITECH Act also increased the size of the penalties federal regulators could levy, with up to $50,000 per individual violation and up to a total of 1.5 million dollars per year for violations of a single provision.

The requirements that business associates must meet to avoid those fines changed as well. The HITECH Act imposed compliance obligations on covered law firms by applying provisions of the Security Rule and the Privacy Rule directly to business associates for the first time. Prior to the HITECH Act, business associate agreements merely had to specify that law firms implement “reasonable and appropriate security.” The Security Rule represents a much more comprehensive set of security standards, with more detailed safeguards grouped into three categories: Administrative, Physical, and Technical. Similarly, certain provisions of the HIPAA Privacy Rule now apply directly to law firms under HITECH. We will cover the requirements laid out by the Privacy Rule and the Security Rule in future posts. For now, the point to keep in mind is that the requirements for covered law firms increased and became more prescriptive under the HITECH Act.

So if the HITECH Act was passed in 2009 and the relevant provisions took effect early in 2010, why is it important to discuss these changes now? In short, back in 2010 HHS agreed not to enforce the security and privacy rules against business associates until the release of a final set of rules (the so-called “HIPAA Final Rule” or “HIPAA Omnibus Rule”). HHS believed that it would be a short wait for a final set of rules, but more than two years later the Final Rule has yet to be released.

While the Omnibus Rule remains under OMB review today, most commentators expect publication at any time. Once published, enforcement of these statutory changes will commence 180 days later. At that point, law firms may well face the types of seven-figure fines recently handed down to a number of covered entities. As we’ll discuss in our next post, HHS has become increasingly serious about enforcement and has clearly stated that business associates (and thus, by implication, law firms) should not wait for the Final Rule to meet their compliance obligations.


  1. Discussing the HITECH Act is not a good idea. We all have to concentrate on the Omnibus Rule. The Govt. must take an early step on this.
    law firm marketing

  2. I read your Law Firms and HIPAA Round 1, 2 and 3. The information contained in these is very helpful for me. When will you publish part four?