The HITECH Act addresses various aspects of the use of Health Information Technology (HIT), including federal funding by way of grants and incentive payments to promote HIT adoption. Subtitle D of the HITECH Act contains important provisions on the privacy and security of health information that will materially and directly affect more entities, businesses and individuals, in more diverse ways, than ever before. This article elaborates on those changes and highlights certain prominent issues under the HITECH Act; it is by no means a comprehensive review of this lengthy and complex Act.
The new civil monetary penalty (CMP) provisions are effective and apply immediately to all violations occurring on or after the date of enactment of the HITECH Act. In addition, within three years after enactment (by February 17, 2012), the Secretary of the federal Department of Health and Human Services (DHHS) is obligated to establish regulations under which individuals harmed by privacy and security violations may receive a percentage of any CMP or monetary settlement collected with respect to such an offense.
The HITECH Act also authorizes each state attorney general (AG), for the first time, to bring civil actions for HIPAA privacy and security violations that have threatened or adversely affected a resident of the AG's state. For any violation that occurs on or after February 17, 2009, state AGs may obtain statutory damages on behalf of such residents in an amount equal to $100 for each violation of a single requirement, up to a total of $25,000 for all violations of that requirement in a calendar year.
The HITECH Act now directly obligates business associates to comply with the HIPAA Security Rule's administrative, physical and technical safeguard requirements, including developing and implementing comprehensive written security policies and procedures for the protected health information (PHI) they handle. A business associate that fails to meet these requirements can have CMPs assessed directly against it.
Any organization that provides data transmission of PHI to a covered entity (or its business associate) and that requires access to that PHI on a routine basis must now be treated as a business associate and must enter into a HIPAA-compliant business associate agreement. Examples include Health Information Exchange Organizations, Regional Health Information Organizations, and "any vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record." Because such entities are now considered business associates, they must also comply directly with the HIPAA Security Rule provisions that the HITECH Act made applicable to business associates.
At a minimum, affected entities that are already subject to HIPAA compliance should begin making the following changes:
Entities that have not previously been subject to HIPAA, or that have had only limited compliance obligations under it, should examine the expanded scope of HIPAA as it may apply to them under the HITECH Act, so that they do not unintentionally become non-compliant.