Stimulus News
Stimulus Bill Imposes More Stringent HIPAA Requirements
By Christy Tinnes
02/19/2009
The American Recovery and Reinvestment Act, the new stimulus package signed by President Barack Obama on Feb. 17, 2009, imposes significant new Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements on health plans, business associates and other vendors of personal health records. The bill also includes appropriations for health information technology (HIT) and new HIT requirements for the government sector (or businesses who have government contracts). The HIT and HIPAA requirements fall under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Among the new requirements, described in more detail below, are a duty to notify each individual in the event of a security breach, the extension of direct penalties to business associates, additional access and accounting requirements, and stricter criminal and civil enforcement. Most of the HIPAA privacy and security requirements go into effect one year from enactment, although some provisions (as noted) have shorter or longer deadlines.
Below are the major new requirements of the legislation. (Note that references to “HIPAA” are to the HIPAA Privacy & Security Rules, 45 CFR Parts 160-164.)
Extension of HIPAA Rules to Business Associates
Under current law, the HIPAA privacy and security rules apply to covered entities, which are defined as health plans, health care providers and health care clearinghouses. If a health plan uses a service provider, such as a third party administrator, it must have a business associate contract with the service provider, but the business associate is not directly regulated by HIPAA or subject to HIPAA’s civil and criminal penalties (rather, it may be contractually liable through its business associate contract).
The new law applies the HIPAA privacy and security requirements to business associates in the same manner as they apply to covered entities. This means that a business associate would be subject to the same penalties as the covered entity. The new law also provides that business associate agreements must be revised to include any new privacy or security requirements of the legislation.
In addition, any entity that provides data transmission services to a covered entity is considered a business associate under the new law (and so directly liable under HIPAA as well). The statute indicates that this includes personal health record (PHR) vendors and health information exchanges.
These new requirements are effective 12 months after enactment.
Duty to Notify in Case of Breach
Currently, if there is a privacy or security breach, HIPAA requires a health plan to mitigate any harmful effect, which could include reviewing its privacy and security procedures, imposing sanctions on workforce members, or documenting its response to a complaint. There is no express requirement that the health plan notify individuals whose information may have been breached. (There are state duty-to-notify laws, but these generally do not apply to health plans.)
The new law requires a covered entity to notify each individual in the event the protected health information (PHI) was breached. The notification must be made within 60 days of discovery (or the date the breach reasonably should have been discovered) and must describe the circumstances of the breach, including the date of the breach and date of discovery, the type of PHI involved, steps individuals should take to protect themselves and steps the covered entity is taking to mitigate harm and protect against future breaches. If the breach is by a business associate, the business associate must notify the covered entity, including the identity of each individual involved.
The notice must be made by first class mail or electronic mail “if specified as a preference” by the individual. If more than 500 individuals in a state or jurisdiction are involved, the covered entity must provide notice to “prominent media outlets” serving the state or jurisdiction. The covered entity also must notify the secretary of health and human services immediately of breaches involving 500 or more individuals and on an annual basis for other breaches. The secretary will list breaches involving more than 500 individuals on its web site.
It appears that the duty to notify rule only will apply where the covered entity or business associate has “unsecured” PHI—that is, PHI that is not secured under standards to be set by the secretary. The new law does not specifically indicate that encryption is required in order for PHI to be considered “secure.” The law directs the secretary to issue guidance within 60 days of enactment specifying which technologies will be considered secure.
The secretary is required to issue interim final regulations governing the duty to notify within 180 days of enactment. The duty to notify requirement would apply to breaches discovered on or after 30 days of these regulations being issued.
A similar provision applies to vendors of PHRs. These vendors also are required to notify individuals or the media (if applicable) upon a breach of an unsecured PHR. The Fair Trade Commission is required to issue interim final regulations governing a PHR vendor’s duty to notify within 180 days of enactment. The duty to notify requirement would apply to breaches discovered on or after 30 days of these regulations being issued.
Accounting for Disclosures
The HIPAA privacy rules currently allow an individual to request an accounting of disclosures of their PHI for the previous six years, subject to some exceptions. One of these exceptions is for routine disclosures for the purpose of treatment, payment or health care operations, which are defined terms under the regulations. Instead, the covered entity is required to issue a general privacy notice that explains what types of disclosures are made for these more routine purposes.
The new law requires a covered entity that maintains PHI electronically to include routine disclosures for treatment, payment, or health care operations (TPO) in its accounting list. The TPO accounting would be limited to three years (accounting for other disclosures would remain at six years, as under the current rule).
An "electronic health record" is defined as an electronic record of health-related information on an individual that is created, gathered, managed or consulted by authorized health care clinicians and staff. It is not clear how this definition and new requirement would apply to health plans, which typically do hold claims records created by health care providers, either those who treat a participant or those whom the plan has consulted in deciding a claim.
For electronic health records held by a covered entity as of Jan. 1, 2009, the TPO accounting requirement would apply to TPO disclosures on or after Jan. 1, 2014. For electronic health records acquired by a covered entity after Jan. 1, 2009, the TPO accounting requirement would apply to TPO disclosures on or after Jan. 1, 2011. The law provides that the secretary may delay these dates, but no later than 2016 and 2013, respectively.
Remuneration for Exchange of PHI
Currently, the HIPAA privacy rules require a covered entity to obtain an individual’s authorization for certain “marketing” purposes. The authorization must state whether the covered entity is receiving direct or indirect remuneration for the communication. The regulations define “marketing” as a communication that encourages the recipient to purchase or use a product or service and list several exceptions that are not considered marketing (e.g., communications about other benefits under the health plan). However, if the communication falls under the definition of “health care operations,” rather than “marketing,” the covered entity is not required to obtain authorization or disclose possible remuneration.
The new law clarifies that, in order to fall under the definition of “health care operations” (so no authorization is required), the communication must meet the exceptions under the “marketing” definition, and the covered entity must not receive direct or indirect remuneration in connection with the communication. The law provides an exception where the communication describes only a drug or biologic that is currently being prescribed and any remuneration is "reasonable." This provision applies 12 months after enactment.
The new law also prohibits direct or indirect remuneration for any exchange of PHI (even under payment or health care operations), unless the individual has so authorized. The authorization must specify whether the covered entity may further exchange the PHI for remuneration. The new law provides exceptions where the PHI is exchanged for public health activities, research, treatment, the sale of the covered entity, services under a business associate contract, providing the individual with a copy of his or her PHI, or as determined by the secretary in regulations. The secretary is required to issue regulations on this rule within 18 months of enactment, and the new prohibition is effective six months following final regulations.
Access to Electronic PHI
HIPAA currently gives individuals the right to access their PHI from a covered entity. The covered entity generally must respond to the request within 60 days and may charge a cost-based fee for copying costs, labor, and postage.
The new law provides that, where the covered entity holds an "electronic health record" (as defined above), the individual must be able to request a copy of that information in electronic form under the right-of-access requirement. The covered entity may charge only labor costs. In addition, an individual may direct the covered entity to transmit a copy of his or her electronic health record directly to an entity or person designated by the individual. These provisions take effect 12 months after enactment.
Right to Restrict Disclosures
Currently, HIPAA allows individuals a right to request that a covered entity not disclose their PHI, even for purposes of routine treatment, payment or health care operations. However, the covered entity is not required to agree to the restriction.
The new law requires the covered entity to agree to the restriction when an individual requests to restrict disclosures to a health plan for payment and health care operations, where services for treatment have been paid out-of-pocket in full. This appears to mean that if an individual has paid out-of-pocket for a certain treatment, the provider or another plan would not be permitted to disclose this information to another health plan, if requested by the individual (e.g., for underwriting purposes).
Enforcement
HIPAA currently allows the secretary of health and human services to impose a civil penalty of $100 per violation of the HIPAA privacy and security rules, with a maximum of $25,000 for violations of an identical requirement during a calendar year. The statute provides exceptions where the covered entity did not know of a violation or the failure was due to reasonable cause and corrected within 30 days. The secretary also has the authority to perform compliance reviews and investigate complaints. In addition, the U.S. Department of Justice (DOJ) has authority to bring criminal penalties ranging from $50,000 and one year of imprisonment for wrongful disclosure of PHI to $250,000 and 10 years of imprisonment for offenses committed for commercial gain.
Civil Penalties
The new law requires the secretary to periodically audit covered entities and to formally investigate a covered entity where a complaint has been received. The secretary may resolve a violation through voluntary corrective action (as generally is the case now) only where the covered entity did not know of the violation (and by exercising due diligence would not have known).
The new law also increases the civil penalty amounts and distinguishes by type of violation, as follows:
· No Knowledge—Where a person does not know (and by exercising due diligence would not have known) of a violation, the minimum penalty is $100 per violation, with a cap of $25,000 for violations of an identical requirement during a calendar year; the maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement during a calendar year;
· Reasonable Cause—Where a violation is due to "reasonable cause," the minimum penalty is $1,000 per violation, with a cap of $100,000 for violations of an identical requirement during a calendar year; the maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement during a calendar year; and
· Willful Neglect—Where a violation is due to "willful neglect," the minimum penalty is $10,000 per violation, with a cap of $250,000 for violations of an identical requirement during a calendar year; the maximum penalty is $50,000 per violation, with a cap of $1.5 million for violations of an identical requirement during a calendar year.
The law provides that these penalties may not apply if the violation is corrected within 30 days of the date the person knew of the violation (or should have known, by exercising reasonable diligence).
The new civil penalty amounts apply to violations after the date of enactment. The other procedural enforcement provisions apply to penalties imposed 24 months after enactment. The secretary is required to issue regulations related to these enforcement provisions within 18 months of enactment.
The new law also requires the GAO to study methodologies for allowing a percentage of civil penalties to be paid to harmed individuals. The U.S. Department of Health and Human Services must establish such a methodology within three years of enactment.
Criminal Penalties
Criminal penalty amounts remain the same, but the secretary has the authority to bring criminal actions, along with the DOJ. In addition, the new law clarifies that criminal action may be brought against any individual who wrongfully discloses PHI, not just the covered entity itself or employees of the covered entity.
Actions by State Attorneys General
In addition, state attorneys general will have authority to bring civil actions against a covered entity to enjoin violations and obtain damages on behalf of the residents of that state of up to $100 per violation, with a maximum of $25,000 for violations of an identical requirement during a calendar year. The action must be brought in federal district court and may not be brought if the secretary already has instituted action. This provision applies to violations occurring any time after the date of enactment.
Application to Business Associates
Since other provisions of the new law extend HIPAA directly to business associates, these new penalty provisions apply to business associates in the same manner as covered entities.
HIT Provisions
The new law also seeks to vastly expand use of HIT systems and appropriates $250 million for fiscal year 2009 for implementing the new HIT provisions. The law requires the secretary to appoint a national coordinator for the Office of the National Coordinator for Health Information Technology (ONCHIT). The national coordinator will be responsible for coordinating HIT policies and programs, developing a voluntary HIT certification program and setting milestones for utilization of Electronic Health Records (EHRs) for each person in the United States by 2014. The new law also provides a variety of incentives to promote use of EHRs, telemedicine and clinical data repositories.
The law requires federal agencies that implement, acquire or upgrade HIT systems to use systems and products that meet the standards adopted by the secretary. In addition, health care payers and providers that contract with the federal government must use HIT systems and products that meet the required standards as well. The new law expressly provides that these standards otherwise would be voluntary for private entities.
Christy Tinnes is an attorney with Groom Law Group in Washington, D.C. Republished with permission. © 2009 Groom Law Group. All rights reserved.
Stimulus Bill Extends TARP Limits on Executive Compensation
By John R. Cornell et al., of Jones Day
02/18/2009
The American Recovery and Reinvestment Act of 2009 (ARRA), widely described as the stimulus bill, was signed into law by President Obama on Feb. 17, 2009. ARRA significantly expands the executive compensation requirements previously imposed under the Emergency Economic Stabilization Act of 2008 (EESA), which established the Troubled Assets Relief Program (TARP).
ARRA's executive compensation restrictions apply to any entity that has received or will receive financial assistance under TARP (a "TARP recipient"), and generally will continue to apply for as long as any obligation arising from financial assistance provided under TARP remains outstanding (the "TARP assistance period"). The TARP assistance period does not include any period during which the federal government only holds warrants to purchase a TARP recipient's common stock.
Section 7001 of ARRA amends Section 111 of EESA in its entirety. Under EESA, Section 111 created different executive compensation restrictions depending on the nature of the assistance received by a TARP recipient and provided broad, general rules that were fleshed out in subsequent guidance issued by the Secretary of the Treasury and the secretary's delegates.
As amended by ARRA, Section 111 provides a more comprehensive, uniform set of rules for all TARP recipients. Yet more agency guidance is a certainty. ARRA left in place EESA's tax deductibility and excise tax provisions.
The revised executive compensation requirements represent an amalgamation of EESA's prior executive compensation requirements, a number of the proposed executive compensation guidelines announced by the Treasury on Feb. 4, 2009 and a number of the expansive executive compensation requirements contained in the initial U.S. Senate version of the stimulus bill.
It remains to be seen what role or impact the Treasury guidelines will have now that ARRA has become law. For example, the $500,000 annual compensation limit under the Treasury guidelines was not included in ARRA. Treasury may impose that limit, or other limits, on future TARP recipients as a condition to the receipt of further TARP assistance using the ARRA restrictions as a baseline.
The revised executive compensation requirements are summarized as follows:
General Standards
TARP recipients must implement and comply with the following executive compensation and corporate governance standards during the TARP assistance period:
- Limits on compensation that exclude incentives for senior executive officers to take unnecessary and excessive risks that threaten the value of the TARP recipient.
- A provision for the recovery by the TARP recipient of any bonus, retention award, or incentive compensation paid to a senior executive officer and any of its next 20 most highly compensated employees based on statements of earnings, revenues, gains, or other criteria that are later found to be materially inaccurate. A TARP recipient's "senior executive officers" are its five most highly paid executives whose compensation is required to be disclosed pursuant to the Securities Exchange Act of 1934 and its regulations (or, for nonpublic companies, comparable employees).
- A prohibition on the TARP recipient making any golden parachute payment to a senior executive officer or any of its next five most highly compensated employees. A "golden parachute payment" is any payment to a senior executive officer for departure from a company for any reason, except for payments for services performed or benefits accrued.
- A prohibition on any compensation plan that would encourage manipulation of the reported earnings of the TARP recipient to enhance the compensation of any of its employees.
Bonus, Retention Award, and Incentive Compensation Prohibition
During the TARP assistance period, TARP recipients are prohibited from paying or accruing any bonus, retention award, or incentive compensation. This bonus/incentive prohibition does not apply to the payment or accrual of long-term restricted stock that meets all these conditions:
- It does not fully vest during the TARP assistance period.
- It has a value not greater than one-third of the total amount of annual compensation of the employee receiving the stock.
- It is subject to such other terms and conditions as the Treasury secretary may determine are in the public interest.
The bonus/incentive prohibition applies to TARP recipients in four tiers based on the amount of financial assistance they receive under TARP:
- Tier One: The bonus/incentive prohibition applies to only the most highly compensated employee of a financial institution that received less than $25 million in financial assistance.
- Tier Two: The bonus/incentive prohibition applies to at least the five most highly compensated employees of a financial institution that received at least $25 million but less than $250 million in financial assistance (or such higher number of employees as the Treasury secretary determines is in the public interest with respect to any TARP recipient).
- Tier Three: The bonus/incentive prohibition applies to the senior executive officers and at least the 10 next most highly compensated employees of a financial institution that received at least $250 million but less than $500 million in financial assistance (or such higher number of employees as the Treasury secretary determines is in the public interest with respect to any TARP recipient).
- Tier Four: The bonus/incentive prohibition applies to the senior executive officers and at least the 20 next most highly compensated employees of a financial institution that received $500 million or more in financial assistance (or such higher number of employees as the Treasury secretary determines is in the public interest with respect to any TARP recipient).
In the case of all TARP recipients, the bonus/incentive prohibition does not prohibit any bonus payment required to be paid pursuant to a written employment contract executed on or before Feb. 11, 2009; the Treasury secretary or his designee is empowered to determine the validity of such employment contracts.
Board Compensation Committee
TARP recipients must establish a board compensation committee that:
- Is composed entirely of independent directors.
- Meets at least semiannually to discuss and evaluate employee compensation plans in light of an assessment of any risk posed to the TARP recipient from such plans.
If the TARP recipient's common or preferred stock is not registered under the Exchange Act, and the TARP recipient has received $25 million or less in financial assistance under TARP, these responsibilities are to be carried out by the TARP recipient's board of directors.
Luxury Expenditures Limitation Policy
Each TARP recipient's board of directors must have in place a company-wide policy regarding excessive or luxury expenditures, as identified by the Treasury secretary. The expenditures may relate to:
- Entertainment or events.
- Office and facility renovations.
- Aviation or other transportation services.
- Other activities or events that are not reasonable expenditures for staff development, reasonable performance incentives, or other similar measures conducted in the TARP recipient's normal course of business operations.
Nonbinding Shareholder Votes on Executive Compensation
Each TARP recipient must permit a separate shareholder vote to approve the TARP recipient's executive compensation, as disclosed in the TARP recipient's Compensation Discussion and Analysis, related compensation tables and other related material under the Securities and Exchange Commission's (SEC) compensation disclosure rules, in any proxy, or consent or authorization for an annual or other meeting of its shareholders during the TARP assistance period (a "say on pay vote"). The say on pay vote will not be binding on or overrule any decisions by the TARP recipient's board of directors, will not create or imply any additional fiduciary duty on the part of the board, and will not restrict or limit the ability of the TARP recipient's shareholders to make proposals for inclusion in proxy materials related to executive compensation.
The SEC is to issue any required final rules and regulations related to the say on pay vote requirement not later than one year after the date of enactment of ARRA.
Review of Prior Payments to Executives
The Treasury secretary is directed by Congress to review bonuses, retention awards, and other compensation paid to the senior executive officers and the next 20 most highly compensated employees of each entity receiving TARP assistance before the date of enactment of ARRA to determine whether any such payments were inconsistent with the purposes of the revised executive compensation requirements or TARP, or were otherwise contrary to the public interest. If the Treasury secretary makes such a determination, he is directed to seek to negotiate with the TARP recipient and the subject employee for appropriate reimbursements to the federal government with respect to compensation or bonuses.
Certification of Compliance with Revised Requirements
Each TARP recipient's chief executive officer and chief financial officer (or their equivalents) must provide a written certification of the TARP recipient's compliance with the requirements of revised Section 111 of EESA to the SEC in its annual filings required under the securities laws (or, in the case of a nonpublicly traded company, to the Treasury secretary).
Other Provisions
There is an easier mechanism for TARP recipients to repay any assistance they have previously received under TARP and withdraw from TARP without replacing TARP funds.
Effectiveness
There is no stated effective date for ARRA's executive compensation requirements. However, the Treasury secretary is directed to promulgate regulations to implement the revised executive compensation requirements.
Originally published by Jones Day. Reposted with permission.
This article was written by John R. Cornell, Daniel C. Hagen, Dennis B. Drapkin, Louis Rorimer, Rory D. Lyons, Manan Shah, Stephen P. Coolbaugh, attorneys with the national law firm Jones Day. This article originally appeared as a Jones Day Commentary.
This publication should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only.