HIPAA at 7: Health privacy statute goes HITECH
In April 2003, the privacy provisions of the Health Information Portability and Accountability Act became law. Contemplating the technological advances in medical record-keeping (electronic medical records, electronic protected health information, telemedicine, etc.), HIPAA was intended to accomplish two goals: first, to ensure that individuals' health information was properly protected while still allowing the unimpeded flow of information necessary for high-quality care, and second, to increase patient empowerment by generally allowing patients to obtain a copy of their own medical records and maintain some control over the release of their medical records.
In the seven years that have passed since, there has indeed been an explosion of electronically exchanged protected health information, and patient access and control of medical records has become a business driver. HIPAA has fueled a burgeoning market for storage and management systems for individual medical records. Physician practice groups have been able to capitalize on the wave of patient self-interest and accountability by providing online access to patient records as a value-added service. Further, the promotion of wellness and preventative medicine - goals that form the underpinning of some health-care-reform efforts - relies on individual patient accountability, requiring patient empowerment.
The advent of the HIPAA privacy rule seems like a long time ago. To reminisce for a moment, some health-care professionals worried that doctors' offices would have to adopt a "deli style" take-a-number system as opposed to calling out a patient's name. People were afraid they wouldn't be able to pick up prescriptions for their family members or significant others. Religious congregations worried about saying aloud the names of the ill for prayer.
Over time, people have become fairly complacent, if not truly comfortable, with HIPAA. However, multiple forces have converged, and just when you might be thinking "We get it," fasten your seatbelts, because along comes HITECH HIPAA - HIPAA's high-test, supercharged, reinvented and, some say, evil twin.
The Health Information Technology for Economic and Clinical Health Act (HITECH) was part of the American Recovery and Reinvestment Act (ARRA, commonly referred to as the stimulus bill) and amended both the privacy and security provisions of HIPAA. This article will highlight just some of the key changes wrought by the amendments. I have tried to keep a number of perspectives in mind - HIPAA as it affects us as consumers of health care, HIPAA as it applies to health-care providers, and HIPAA as it applies to "business associates" - a category that includes, in certain instances, attorneys.
The provisions highlighted in the overview that follows were selected because they provide good examples of how HITECH HIPAA affects us all. This article describes merely the tip of the iceberg. Try not to be the Titanic.
Changes for "business associates"
Before ARRA, "business associates" were not directly subject to governmental enforcement action. The only remedy available against a business associate was for a covered entity to sue for breach of contract. That has changed.
Prior to ARRA, HIPAA required that covered entities such as hospitals, physicians and health plans had to enter into contracts (known as "business associate agreements") with entities performing functions or providing services on their behalf, where those functions or services involved the use of or access to protected health information. Business associates can include attorneys, accountants, consultants and others, depending on the circumstances. The contracts had to require the business associates to use appropriate security safeguards to protect the health information sent from the covered entity. The business-associate agreements also set forth the permitted uses and disclosures of such health information.
Now under Section 13401 of ARRA, HIPAA's reach has expanded, and as of Feb. 17, 2010, business associates are required to comply directly with most provisions of the HIPAA Security Rule. With respect to the Privacy Rule, under Section 13404 of ARRA, business associates must comply with those Privacy Rule provisions that are made applicable to them by their business-associate agreement with the covered entity; they also must comply with any changes to the Privacy Rule that were part of ARRA, regardless of whether or not those provisions are in their business-associate agreements with covered entities. ARRA states that the privacy rule changes that were part of ARRA "shall be incorporated" into business-associate agreements (Section 13404). It is a subject of debate whether business-associate agreements need to be renegotiated to include these provisions or whether they are now incorporated into such agreements as a matter of law. The latest official word from the Office for Civil Rights, the HIPAA enforcement agency, is that it will issue a notice of proposed rulemaking regarding business associates - which can come none too soon.
Breach notification
Prior to ARRA, HIPAA did not require covered entities to notify individuals of breaches of their protected health information, although many states, including New York, have breach-notification requirements that are triggered by the unauthorized acquisition of certain information, including Social Security numbers.
Accordingly, in New York state there may be some overlapping breach-notification requirements between the breach-notification provisions of HIPAA and the New York State Information Security Breach Notification Act. What has changed is that with respect to HIPAA, ARRA Section 13402 requires that covered entities provide notification to individuals if their health information has been breached. Business associates must notify covered entities of any breaches, and the covered entity must then notify the individual per the requirements.
In determining whether notice is required, one must first determine whether the disclosure met the regulatory definition of a "breach" and then determine whether the information was properly protected by encryption technology approved by the secretary. Protection of data by appropriate encryption is key because even if the improper use or disclosure of information qualifies as a "breach," individuals are not required to be notified if the information was properly encrypted.
If the data is not properly encrypted and notice is required, ARRA includes specific provisions regarding the content, methods and timing of notification. Notice must be afforded no later than 60 days after the discovery of the breach. A breach is considered to be "discovered" when at least one employee of the entity (other than the person responsible for the breach) knows or reasonably should know of the breach. Notice is required to be provided to media outlets if the breach involves more than 500 individuals. Notice of all breaches also must be provided to the secretary - immediately, if the breach involves the information of more than 500 individuals, and in an annual log for breaches that do not trigger this threshold. The secretary is required to include a list on the U.S. Department of Health & Human Services (HHS) Web site of covered entities involved in breaches of more than 500 individuals' information (see hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches) and must annually report to Congress on the number and nature of any breaches that occurred during that year.
Right of electronic access
Under the Privacy Rule, individuals have had the right to access and obtain a copy of their health records "in the form or format requested" - if it is "readily producible" in such form. The covered entity may impose a "reasonable fee," which in New York state is generally capped at $.75 per page.
As of Feb. 17, 2010, under Section 13405(e) of ARRA, covered entities using electronic health records must provide individuals with an electronic copy of the record, which must be transmitted directly to the entity or person specified by the individual, as long as that directive is clear, conspicuous and specific. Any fee charged for the record cannot be greater than the entity's labor costs in responding to the request.
Changes to HIPAA enforcement
The ARRA includes a number of changes to HIPAA's enforcement provisions:
- Authorization for enforcement by state attorneys general - Section 13410(e) of ARRA expressly authorizes all state attorneys general to enforce HIPAA in federal district court, which means that attorneys general in all states can enforce the law even if there is no state authorizing statute. The state must serve notice upon the secretary of HHS of its intent to enforce the law, and the secretary has the right to intervene in the action. The penalties imposed are limited to $25,000 annually for repeat violations of the same provision.
- Direct accountability for business associates - Sections 13401 and 13404 of ARRA provide that business associates can be held accountable by federal and state authorities for failure to comply with any applicable provisions of the Privacy and Security rules. Prior to Feb. 17, 2010, government authorities could not hold business associates accountable for failing to comply with their business associate agreements, and covered entities could only be held liable for the action of their business associates in limited circumstances.
While we can only guess whether HIPAA will be awkward and gangly or cool and uberhip in its adolescent years, the explosion of electronic medical record-keeping and the increased patient empowerment seem likely to ensure that a teenage HIPAA will be a force to be reckoned with.
Lisa McDougall is a partner in Phillips Lytle LLP, working in the law firm's corporate health care, health-care litigation and products-liability practices. She can be reached at lmcdougall@phillipslytle.com.