This article explains what hospitals should know about the American Recovery and Reinvestment Act of 2009 ("ARRA") and HIPAA updates under the ARRA, as well as what hospitals should do when they face a HIPAA investigation and practical next steps to address all of these changes.
The ARRA passed and was signed into law in February 2009. The ARRA affects hospitals in two important ways. First, it provides hospitals and other health care providers with financial incentives for using electronic health record ("EHR") technology, as well as creates temporary, recession-related funding. The law specifically provides funding to establish: (1) Medicare incentives for meaningful EHR use; (2) Medicaid health information technology ("HIT") use payments; (3) loans to adopt certified EHR technology; and (4) temporary disproportionate share hospital ("DSH") payment and Medicaid matching rate increases.
Second, the ARRA makes significant changes to HIPAA. These changes are meant to expand its coverage and strengthen its protections. New requirements include: (1) extending HIPAA's requirements to business associates; (2) new notification obligations for unauthorized disclosures; (3) increased enforcement and penalties; (4) individuals' rights to make demands and limitations on their protected health information ("PHI"); and (5) other limitations.
II. Funding Provided by the ARRA
A. Medicare Incentives for Meaningful EHR Use
Eligible hospitals1 that adopt and use EHR technology within an EHR-reporting payment year will receive additional, incentive compensation from CMS. A hospital must be a meaningful EHR user to be eligible for the payments. A hospital will have to meet three criteria to HHS' satisfaction to be a meaningful EHR user: (1) "that during such period the hospital is using certified EHR technology in a meaningful manner"; (2) the certified EHR technology is connected to allow "for the electronic exchange of health information to improve the quality of care"; and (3) the hospital makes reports on clinical quality and other measures HHS chooses.2 HHS will further define these requirements and determine how a hospital will have to prove these meaningful use elements. The eligible hospital must already have EHR in place before it can receive any incentive payment.3
The incentive payment is calculated by multiplying a $2 million base rate plus an inpatient discharge rate times a Medicare share fraction and then times a transition factor.4 The discharge rate will vary, but larger hospitals will have larger discharge rates.5 The transition factor changes every year for four years to create a step-down incentive payment structure.6 Medicare will only make incentive payments to an eligible hospital for a maximum of four years. The transition factor after the fourth payment year is zero.7
An eligible hospital can begin to receive payments in fiscal year 2011, and CMS will end all incentive payments to all hospitals after 2015.8 CMS will also start to reduce market basket adjustments to eligible hospitals that have not adopted EHR technology after 2015.9 The law does not permit administrative and judicial review of payment methods, the determination of meaningful use, or the reporting periods.10
B. Medicaid Incentive Payments
The ARRA authorizes payments to the states in an effort to encourage certain "Medicaid Providers" to adopt and use certified EHR technology.11 States will make the payments to the "Medicaid Providers," and the federal government will reimburse states for the full amount of these payments.12 A "Medicaid Provider," for purposes of this incentive payment, is either a children's hospital or an acute-care hospital with at least ten-percent Medicaid patient volume.13
The incentive payments will be calculated using a formula similar to the Medicare incentive payments.14 No Medicaid incentive payment may be made after 2016 unless the Medicaid Provider received a payment in the preceding year, and no provider may receive payments for more than six years.15 The payments must be used to "adopt, implement, or upgrade certified EHR technology" during the first year of payment, unless the Medicaid Provider already has EHR.16 Providers who already have EHR, as well as those receiving payments after the first year, are only required to show meaningful use of the certified EHR technology.17 Unlike the Medicare incentive program, Medicaid will not reduce its payments if a hospital fails to implement EHR by a particular date.
C. State Competitive Grants to Make Loans for Certified EHR Adoption
The ARRA gives HHS the power to establish competitive grants that states may apply for. States must provide at least $1 to match each $5 of Federal money received.18 States then use the grants to make loans to health care providers. The loan funds are intended for: (1) buying certified EHR technology; (2) upgrading or improving the utilization of certified EHR technology; (3) training staff to use the EHR technology; or (4) improving "the secure electronic exchange of health information."19
Providers must agree to several requirements to receive a loan, including (1) presenting "reports on quality measures adopted by the Federal Government"; (2) proving to HHS that the certified EHR technology purchased or upgraded with loan money is "used to exchange health information in a manner that, in accordance with law and standards . . . improves the quality of health care"; (3) agreeing to fulfill other requirements that the State or HHS imposes; (4) providing a plan that explains how the provider will "maintain and support the certified EHR technology over time."20
D. Temporary State Allotment Increases
The ARRA provides money to states to increase disproportionate share hospital ("DSH") payments. The increase is in effect for two years.21 The increase is 2.5 percent in 2009 and an additional 2.5 percent above the 2009-rate in 2010.22 This applies unless a state's DSH allotment is already slated to grow more than 2.5 percent,23 or unless a state does not deplete its entire fiscal year 2009 DSH allotment.24
States will also receive a 6.2 percentage point increase in their federal medical assistance percentage (FMAP), effective October 1, 2008 through December 31, 2010.25 A State's FMAP may be increased further if it satisfies one of several criteria in a given quarter.26 The criteria mainly concern increases in the unemployment rate.27 The law also requires states to apply practitioner prompt-pay claim requirements to hospitals in order to be eligible for increased FMAP rates beginning June 1, 2009.28
III. HIPAA Updates Under the ARRA
A. HIPAA Applies to a Covered Entity's Business Associates
The ARRA now requires business associates to meet HIPAA's security and privacy obligations directly. Formerly, business associates signed agreements with covered entities, but their liability for unauthorized disclosures was only contractual; HIPAA itself did not reach them. A business associate that does not meet its obligations will now face statutory liability for violating the HIPAA security and privacy provisions in the same way a covered entity does.29 The penalties for such violations will be identical to covered entities' penalties.30 A business associate that knows of a pattern of activity or practice by the covered entity that constitutes a material breach of the business associate agreement must take reasonable steps to cure it, and if those steps fail, must either terminate the contract or report the problem to HHS.
B. New Unauthorized Disclosure Notifications
The ARRA imposes considerable new notification requirements on covered entities and business associates. A covered entity must now notify each individual whose "unsecured protected health information has been, or is reasonably believed . . . to have been accessed, acquired, or disclosed as a result of [a] breach."31 "Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance; PHI encrypted or destroyed in accordance with that guidance falls outside the notification requirement, which is the practical reason to encrypt PHI at rest and in transit. A business associate that discovers a breach of unsecured PHI must notify the covered entity.32 Covered entities must notify affected individuals "without unreasonable delay" and in no case later than 60 calendar days after the breach is discovered.33
There are two potential forms of notice under the ARRA's changes. Written notice about the breach must be sent via first-class mail, or by e-mail if that is the individual's documented preference.34 If the breach of unsecured PHI involved more than 500 individuals, additional notice must be provided immediately to the Secretary of HHS and to "prominent media outlets serving a State or jurisdiction" where the affected individuals reside.35 Smaller breaches must be logged and reported to the Secretary annually.
C. Increase in Enforcement & Penalties and State Attorneys General Action
The ARRA imposes significantly more severe enforcement requirements, civil monetary penalties, and criminal liabilities on covered entities and business associates than before. The Secretary of HHS, for example, must formally investigate complaints and impose penalties for violations due to willful neglect.36 Covered entities and business associates will also face periodic audits by HHS to ensure that they are complying with all HIPAA requirements.37
Civil monetary penalties will be increased and tiered based upon the person or covered entity's level of culpability. The lowest level occurs when a person did not know that he or she violated a provision and would not have known "by exercising reasonable diligence."38 The next level occurs when a person violates for a reasonable cause and not due to willful neglect.39 The highest level of culpability occurs when a person's violation is due to willful neglect.40
Penalties for unauthorized disclosures also increased. Civil monetary penalties for HIPAA violations are now capped at between $25,000 and $1,500,000 per calendar year for violations of an identical provision, depending on the level of culpability discussed above.41 These penalty changes became effective on February 17, 2009 and apply to any violation taking place thereafter.42 Individuals, including employees of a covered entity, may now be personally and criminally liable for obtaining or disclosing PHI without authorization.43 Prosecution is no longer limited to the covered entity itself.
State attorneys general also receive civil enforcement power: a State attorney general may bring a civil action if he or she "has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision."44 The Secretary of HHS also has the right to intervene in a civil action brought by a State attorney general.45
D. An Individual's Right to Place Demands and Limitations on PHI
The ARRA grants individuals more control over their PHI. An individual has a right to ask a covered entity not to disclose his or her PHI to a health plan for purposes of payment or health care operations, and the covered entity must comply with the request.46 The request is binding, however, only if the individual has paid the covered entity in full, out-of-pocket, for the health care item or service.47
An individual can also request an accounting of his or her PHI disclosures by a covered entity in the past three years, if the covered entity made the disclosures using EHR technology.48 A covered entity that had EHR as of January 1, 2009 must account for disclosures made on or after January 1, 2014.49 Those covered entities that do not have EHR must account for disclosures made on or after January 1, 2011 or the date that they implement EHR, whichever is later.50 The Secretary of HHS will issue regulations regarding what must "be collected about each disclosure."51
An individual also has the right to receive a copy of his or her PHI electronically, if the covered entity uses EHR.52 This includes the right to direct the covered entity to transmit a copy of the information to a person that the individual specifically designates.53
E. Other Limitations
A covered entity cannot sell an individual's PHI without his or her authorization, unless one of seven exceptions applies.54 The ARRA also places limitations on a covered entity or business associate's marketing if the covered entity or business associate receives "direct or indirect payment in exchange for making such communications," unless one of the three exceptions apply.55
IV. What Hospitals Should Do if They are Investigated for HIPAA Violations
A. Contact Legal Counsel
A hospital should immediately contact its legal counsel if it faces a HIPAA violation investigation. HIPAA penalties have increased significantly, and the law has become more complex and expansive under the ARRA. Legal counsel's experience will be extremely helpful in responding to and resolving an investigation.
B. Contact the Investigator Assigned to the Complaint
At the time of writing, HHS' Office for Civil Rights ("OCR") enforces HIPAA's Privacy Rule, while CMS is responsible for enforcing the Security Rule.56 (HHS has since delegated Security Rule enforcement to OCR as well, so OCR is now the single point of contact for both rules.) A hospital that receives a notification letter about a complaint should contact the investigator assigned to the complaint right away, even if the letter states that the investigator will be in contact.57 The hospital should try to obtain the details of the allegations during this conversation.58
C. Notify the Appropriate Individuals Internally
Certain individuals within the organization should be told, often by the privacy officer, after the hospital receives notification of a complaint. These individuals may include the providers involved, the CEO or president's office, the hospital's general counsel, the risk management office, and the hospital's insurer, though the particular individuals will depend on each hospital's situation.59 This allows the appropriate people to become aware of and involved in the process from the beginning.
D. Conduct an Investigation
The hospital must conduct its own internal investigation after receiving notification of a complaint. This requires the hospital to gather all of the necessary documents.60 The hospital should collect all documents under the assumption that the OCR does not have anything, including documents to support the covered entity's version of events.61 This process will be easier if the hospital meticulously documents its actions with respect to HIPAA before any complaint of violation. Each step of the investigation process should also be documented.62
E. Draft and File the Formal Response Within the Time Frame
The hospital should cooperate as much as possible and provide the OCR with the entire story in its formal response.63 It is helpful, as noted above, to attach evidence to the formal response to support the covered entity's story, including pertinent policies and procedures and other documents.64 Being specific and forthcoming is helpful to the investigator.65
The hospital should propose corrective measures that it will implement, if the covered entity determines it was at fault.66 This may include making policy changes, updating patient forms, or other actions, showing that the hospital is addressing the problem so that it will not happen again.67 Affirm the hospital's intent to fully cooperate with the OCR in the formal response and provide the OCR with a contact person at the hospital for questions or additional information.68 Then timely file the response with the OCR.
F. Be Humble and Cooperative
The OCR's goal is to resolve HIPAA violation complaints through voluntary compliance, so it is in a hospital's interests to be humble and cooperative.69 Provide the OCR access to "facilities, records and other information at any time during normal business hours."70 Respond specifically to demands for data and additional information.71 This shows the OCR that the hospital is also committed to voluntary compliance with HIPAA provisions.
V. Practical Guidance — Hospitals' Next Steps
A. Reassess HIPAA Compliance
Penalties under the ARRA's changes to HIPAA are severe: up to $25,000 in civil monetary penalties per calendar year even for violations committed without knowledge, up to $1,500,000 per calendar year for violations due to willful neglect, and potential individual criminal liability for unauthorized disclosures. It is important, then, to ensure that all HIPAA policies and procedures are up-to-date and that the hospital is compliant.
Other actions should include implementing unauthorized disclosure and notification policies, updating privacy policy materials for patient distribution, putting policies in place to deal with individuals' new PHI demand and limitation rights, and being aware of new HHS regulations as they are promulgated. Re-training staff on the new requirements is another important action, including providing information about the potential consequences to the entity and individual criminal penalties. Document the implementation of each of these steps in case of any future complaints.
B. Adopt EHR to Get the Most Out of the Incentives
Hospitals that do not currently have EHR, wish to upgrade their EHR, want to train staff on EHR, or want to improve the security of their PHI exchange should determine whether their states receive some of the government's competitive grant money slated for EHR implementation loans.72 Hospitals must be prepared to explain how they will pay for future EHR costs, among other requirements.73 Earlier implementation is better, at least by fiscal year 2011, since CMS will no longer make incentive payments for meaningful EHR use after 2015. CMS will, in fact, begin to reduce market basket updates for eligible hospitals without EHR after 2015.
Hospitals also must become meaningful users of EHR technology, which is broadly defined in the ARRA and will be more fully defined in subsequent regulations, to qualify for the Medicare or Medicaid incentive payments.
C. Review and Update Business Associate Agreements
Agreements with business associates need to be updated to reflect the business associate's additional liability under HIPAA. The updates should at least include a reference to the business associate's new privacy obligations. Business associates will need to ascertain whether their practices comply with HIPAA's demands. New policies and procedures will be necessary if current practices are insufficient to assure compliance.
D. Review "Minimum Necessary" Requirements
Current law requires covered entities to limit PHI disclosures to the "minimum necessary" to achieve the disclosure's purpose. Hospitals should be aware of new regulations from HHS that will guide covered entities on what constitutes "minimum necessary" disclosures. These regulations may entail removing identifying information from PHI before any disclosures, a process that hospitals may want to begin addressing.
E. Reevaluate the Way Patient Complaints are Handled
The ARRA directs HHS to establish a methodology under which harmed individuals may receive a percentage of the civil monetary penalties imposed on a covered entity for HIPAA violations. This must take effect within three years after the ARRA's February 2009 enactment, and it could increase the number of complaints filed once HHS implements the regulations. Hospitals should ensure that there is an express process for handling patient complaints, that they investigate every patient complaint, and that they document all actions taken.
Anna Timmerman (anna-timmerman@uiowa.edu) is a 3L at the University of Iowa. She worked as a 2009 summer associate at McGuireWoods.
Notes:
1An eligible hospital means a "subsection (d) hospital" under the Social Security Act. An eligible hospital must be located in one of the fifty states or the District of Columbia. It does not include psychiatric hospitals, rehabilitation hospitals, hospitals with inpatients mainly under the age of 18, hospitals with an average inpatient length of stay greater than 25 days, or hospitals designated as cancer centers or clinical cancer research centers. 42 U.S.C. 1395ww(d)(1)(B) (2007).
2ARRA, Pub. L. No. 111-5, § 4102(a)(1), 123 Stat. 479–80 (2009).
3American Recovery and Reinvestment Act of 2009 ("ARRA"), Pub. L. No. 111-5, § 4102(a)(1), 123 Stat. 477.
4Id. Critical access hospitals will use a different formula. See id. at § 4102(a)(2), 123 Stat. 483.
5Id. at 123 Stat. 478. Hospitals will receive $200 per discharge for their 1,150th to 23,000th discharge. This suggests that the maximum discharge rate would be approximately $4.37 million.
6Id. at 123 Stat. 478–79. The transition factor is 1 for the first payment year, ¾ for the second payment year, ½ for the third payment year, and ¼ for the fourth payment year.
7Id. at 123 Stat. 479.
8Id. Fiscal year 2011 begins October 1, 2010. The ARRA specifies that if an eligible hospital's first payment year falls after 2015, its transition factor is zero.
9Health & Human Servs., Health Information Technology Recovery Plan (May 14, 2009), http://www.recovery.gov/?q=content/program-plan&program_id=7607. See also H.R. Rep. No. 111-007, at 85 (2009), available at http://thomas.loc.gov/cgi-bin/cpquery/7?&sid=ITLUMQinVc&l_f=1&l_file=list/cp111ch.lst&hd_count=50&l_t=12&refer=&r_n=hr007p1.111&db_id=111&item=7&sel=TOC_377659&.
10ARRA, Pub. L. No. 111-5, § 4102(a)(1), 123 Stat. 481 (2009).
11ARRA, Pub. L. No. 111-5, § 4201(a)(2), 123 Stat. 489 (2009). It is unlikely that a hospital will be able to receive both Medicare and Medicaid incentive payments, though HHS has not yet issued its regulations.
12Id. See also
13Id. at 123 Stat. 490.
14Id. at 123 Stat. 492.
15Id. at 123 Stat. 493. This suggests that payments will end by 2021.
16Id.
17Id.
18Id. at 123 Stat. 256.
19ARRA, Pub. L. No. 111-5, § 13101, 123 Stat. 253–54 (2009).
20Id. at 123 Stat. 253.
21ARRA, Pub. L. No. 111-5, § 5002(2), 123 Stat. 502 (2009).
22Id.
23Id. at 123 Stat. 503.
24Health & Human Servs., Medicaid Increased DSH Allotments Recovery Plan (May 15, 2009), http://www.recovery.gov/?q=content/program-plan&program_id=7622.
25ARRA, Pub. L. No. 111-5, § 5001(b), (h)(3), 123 Stat. 497, 502 (2009).
26Id. at 123 Stat. 497.
27Id.
28Id. at 123 Stat. 500–01.
29ARRA, Pub. L. No. 111-5, § 13401(a), § 13404(a), 123 Stat. 260, 264 (2009) (to be codified at 42 U.S.C. § 17931, § 17934).
30Id. at § 13401(b), § 13404(c).
31ARRA, Pub. L. No. 111-5, § 13402(a), 123 Stat. 260 (2009) (to be codified at 42 U.S.C. § 17932).
32Id. at § 13402(b), 123 Stat. 260.
33Id. at § 13402(d)(1), 123 Stat. 261.
34Id. at § 13402(e)(1)(A), 123 Stat. 261.
35Id. at § 13402(e)(2)–(3), 123 Stat. 262–63.
36ARRA, Pub. L. No. 111-5, § 13410(a)(1)(B), 123 Stat. 271 (2009) (to be codified at 42 U.S.C. § 17939).
37ARRA, Pub. L. No. 111-5, § 13411, 123 Stat. 276 (2009) (to be codified at 42 U.S.C. § 17940).
38Id. at § 13410(d)(1), 123 Stat. 272–73 (to be codified at 42 U.S.C. § 17939).
39Id.
40Id. There are two forms of violation due to willful neglect, corrected and uncorrected, and each impose different maximum penalties.
41Id. at § 13410(d)(2), 123 Stat. 273.
42Id. at § 13410(d)(4), 123 Stat. 274.
43ARRA, Pub. L. No. 111-5, § 13409 (2009) (codified as amending 42 U.S.C. § 1320d–6(a)).
44ARRA, Pub. L. No. 111-5, § 13410(e), 123 Stat. 274 (2009) (to be codified at 42 U.S.C. § 17939).
45Id.
46ARRA, Pub. L. No. 111-5, § 13405(a), 123 Stat. 264 (2009) (to be codified at 42 U.S.C. § 17935).
47Id.
48Id. at § 13405(c), 123 Stat. 265.
49Id. at 123 Stat. 266.
50Id.
51Id. at 123 Stat. 265.
52Id. at 123 Stat. 268.
53Id.
54ARRA, Pub. L. No. 111-5, § 13405(d)(1)–(2), 123 Stat. 266–67 (2009) (to be codified at 42 U.S.C. § 17935).
55ARRA, Pub. L. No. 111-5, § 13406(d)(1)–(2), 123 Stat. 268–69 (2009) (to be codified at 42 U.S.C. § 17936).
56Health & Human Servs., How OCR Enforces the Privacy Rule, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/howocrenforces.html (last visited June 5, 2009).
57Office for Civil Rights, Update: Enforcement of the HIPAA Privacy Rule, Address at the HIPAA Summit (Aug. 19, 2008), available at www.ehcca.com/presentations/HIPAA16/sanches_1_1.ppt.
58Mark Rogers, The Rogers Law Firm, Presentation (copies available with McGuireWoods).
59Id.
60Id.
61Id.
62Id.
63Id.
64Id.
65Office for Civil Rights, Update: Enforcement of the HIPAA Privacy Rule, Address at the HIPAA Summit (Aug. 19, 2008), available at www.ehcca.com/presentations/HIPAA16/sanches_1_1.ppt.
66Mark Rogers, The Rogers Law Firm, Presentation (copies available with McGuireWoods).
67Id.
68Id.
69Office for Civil Rights, Update: Enforcement of the HIPAA Privacy Rule, Address at the HIPAA Summit (Aug. 19, 2008), available at www.ehcca.com/presentations/HIPAA16/sanches_1_1.ppt.
70Mark Rogers, The Rogers Law Firm, Presentation (copies available with McGuireWoods).
71Office for Civil Rights, Update: Enforcement of the HIPAA Privacy Rule, Address at the HIPAA Summit (Aug. 19, 2008), available at www.ehcca.com/presentations/HIPAA16/sanches_1_1.ppt.
72ARRA, Pub. L. No. 111-5, § 13101, 123 Stat. 253–54 (2009).
73Id. at 123 Stat. 253.