emids Insight

The HITECH Act addresses various aspects relating to the use of Health Information Technology (HIT), including providing for federal funding by way of grants and incentive payments in order to promote HIT implementation. The Subtitle D of the HITECH Act includes important provisions concerning the privacy and security of health information that will materially and directly affect more entities, businesses and individuals in more diverse ways than ever before. This article elaborates on changes and highlights certain prominent issues under the HITECH Act and is by no means a comprehensive review of this lengthy and complex Act.

Enforcement and Civil Monetary Penalties

The new civil monetary penalty (CMP) provisions are effective and applicable immediately to all violations occurring on or after the date of enactment of the HITECH Act. Also, within three years after the enactment of the HITECH Act (February 17, 2012), the Secretary of the federal Department of Health and Human Services (DHHS) is obligated to establish regulations that will allow individuals harmed by privacy and security violations to receive a percentage of any CMP or monetary settlement collected with respect to such offense.

The HITECH Act also authorizes each state attorney general (AG) for the first time to begin pursuing civil actions for HIPAA privacy and security violations that have threatened or adversely affected a resident of the AG's respective state. For any violation that occurs on or after February 17, 2009, state AGs are now authorized to obtain statutory damages on behalf of any such residents of their state in an amount equal to $100 for each violation of a single requirement, up to a total of $25,000 for violations of that requirement.

Applicability

The HITECH Act now directly obligates business associates to comply with the HIPAA Security Rule's administrative, physical and technical safeguard requirements, including developing and implementing comprehensive written security policies and procedures with respect to the protected health information (PHI) that they handle. Failure by business associates to abide by such requirements can result in CMPs being assessed directly against them.

Any entity that provides data transmission of PHI to a covered entity (or its business associate) and that requires access to PHI on a routine basis must now be treated as a business associate and enter into a HIPAA-compliant business associate agreement. Examples include Health Information Exchange Organizations, Regional Health Information Organizations, or "any vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record." Where such entities are now considered "business associates," they are also required to comply directly with the HIPAA Security Rule provisions, which the HITECH Act made directly applicable to business associates.

New Privacy and Security Requirements

  • Covered entities, business associates and vendors who handle personal health records are required to abide by breach notification requirements. Violations of this requirement by vendors would be treated as an unfair and deceptive act or practice in violation of the Federal Trade Commission Act. If a breach affects more than 500 individuals of a particular state, notice also must be provided to prominent media outlets following the discovery of the breach.
  • Within 18 months after the date of enactment of the HITECH Act (August 17, 2010), new guidance shall be issued governing what constitutes the "minimum necessary" for purposes of disclosures under the privacy rule. Covered entities must, when otherwise permitted, disclose only the "minimum necessary" to accomplish the intended purpose for such disclosure.
  • Covered entities that use and disclose PHI through electronic health records (EHRs) are required to provide individuals with an accounting, when requested, for the prior three-year period. The HIPAA Privacy Rule is amended to give individuals the right to obtain access to their PHI in electronic format, if they request.
  • The definition of "health care operations" will be reviewed by the Secretary of DHHS by August 17, 2010, and narrowed or clarified.
  • Covered entities and business associates are prohibited from directly or indirectly receiving any remuneration in exchange for any PHI of an individual unless a valid authorization is obtained from the individual, except in a very limited number of circumstances, including research, public health activities, treatment of the individual, and in connection with the sale of a covered entity to a buyer of the business.

Unless otherwise specified, the effective date of all provisions is one year from the date of enactment of the HITECH Act, or February 17, 2010.

Next Steps for Entities

At a minimum, affected entities that are already subject to HIPAA compliance should begin making the following changes:

  • Update Notice of Privacy Practices to reflect changes in privacy and security policies
  • Update HIPAA privacy and security policies accordingly
  • Develop a detailed Breach Notification Policy that complies with HITECH and any state law counterpart to the new federal breach notification provisions
  • Expand business associate lists to include vendors and others
  • Update Business Associate Agreements to include expanded new requirements

Entities that have not yet been subject to HIPAA compliance, or that have had only limited compliance requirements under HIPAA, should examine the new scope of HIPAA as it may apply to them under the HITECH Act, so that they do not inadvertently fall out of compliance.
