HITECH Act Modifies HIPAA Privacy and Security Rules
Stimulus legislation changes the way we’re used to doing business.
By David Behinfar, J.D., LL.M, CHC, CIPP
In the face of an economic crisis, the Obama administration seized an opportunity to strengthen medical record privacy for all Americans by making significant modifications to the privacy and security regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These modifications were drafted in the Health Information Technology for Economic and Clinical Health Act (HITECH Act), passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA) and signed into law by President Obama on Feb. 17, 2009.
The HITECH Act was designed to facilitate the widespread adoption of health information technology (HIT) for a variety of purposes, including the electronic use and accurate exchange of medical information.
The HITECH Act makes clear that the nation is well on the path to adopting a national framework of electronic medical records (EMRs). It is also broadly accepted that a national HIT infrastructure cannot succeed unless the privacy and security protections for medical records are rooted firmly within that framework. The HIPAA Privacy and Security regulations, in effect for most covered entities since April 2003 and April 2005, respectively, have made great strides in this effort. The HITECH Act takes what should be the final step toward plugging many of the perceived holes and inadequacies in those regulations.
The provisions of the HITECH Act that modify the HIPAA Privacy and Security regulations are as follows.
Business Associates and HIPAA
Traditionally, business associates (entities such as record copying services, collection agencies, attorneys, consultants, and outside auditors) were not directly subject to the HIPAA Privacy or Security regulations; they were bound only by contract with the covered entity. Now, as a result of the HITECH Act, business associates are directly subject to the HIPAA Security Rule, including its civil and criminal penalty provisions. That means business associates are directly responsible for the administrative, physical, and technical safeguards the Security Rule requires for electronic protected health information (ePHI). In practice, a business associate must take the same administrative steps a covered entity does: appoint a designated security official, draft written policies addressing the ePHI it creates, receives, stores, or transmits, and train its workforce on those information security policies.
Breach Notification
The long-awaited federal regulation on breach notification is here. All but a handful of states already have breach notification legislation, and those laws are fairly consistent on the fundamental notice requirements (for example, written notice to the affected individual when electronic personal information is breached). The HITECH Act offers no shocking deviations from the state laws; the main addition is an expanded notice requirement to the U.S. Department of Health and Human Services (HHS) and, in certain instances, to the media. Note that the federal duty attaches to breaches of unsecured PHI, that is, PHI that has not been rendered unusable, unreadable, or indecipherable (for example, by encryption or destruction) in accordance with HHS guidance; properly encrypted data that is lost or stolen does not trigger these notices. If a breach involves more than 500 residents of a particular state or jurisdiction, the covered entity must, in addition to notifying the affected individuals, notify prominent media outlets serving that state or jurisdiction. For any breach involving 500 or more individuals, the covered entity must also notify HHS immediately, so that the breach can be posted on the HHS Web site. For breaches involving fewer than 500 individuals, the covered entity instead maintains a log of those breaches and submits it to HHS annually. Where a state's breach notification law is more stringent than the HITECH Act provisions, the state law continues to apply.
The HITECH Act also expands the scope of entities subject to breach reporting and requires personal health record (PHR) vendors such as Google and Microsoft, which are not HIPAA covered entities, to issue breach notices. The Federal Trade Commission (FTC) is charged with enforcing these rules against PHR vendors, and a PHR vendor's failure to comply is treated as an unfair or deceptive act or practice under the FTC Act.
Patient Requests for PHI Disclosure Restriction
Under the current HIPAA Privacy Rule, a covered entity may consider, but is not required to agree to, a patient's request to restrict disclosures of his or her protected health information (PHI). Now, the covered entity must agree to the restriction if the disclosure would be to a health plan for payment or health care operations (not for treatment) and the PHI pertains solely to an item or service for which the patient, or someone on the patient's behalf, has paid the provider in full out of pocket.
Accounting of Disclosures from Electronic Record Systems
If a covered entity uses or maintains an electronic health record (EHR), an individual has the right to receive an accounting of disclosures made from that EHR. Under the current HIPAA Privacy Rule, covered entities need not track PHI disclosures made for treatment, payment, or health care operations (TPO). Now, under the HITECH Act, disclosures from an EHR must be recorded even when they are for TPO, and the covered entity must maintain that accounting and provide a copy to the patient on request. Because the great majority of PHI disclosures are for TPO, this new requirement will produce a very large increase in covered entities' accounting responsibilities. Implementing logging mechanisms (automated and manual) across every EHR will be extremely challenging and, very likely, costly.
For an EHR acquired or put into use on or before Jan. 1, 2009, the provision takes effect Jan. 1, 2014. For a covered entity acquiring an EHR after Jan. 1, 2009, it takes effect on the later of Jan. 1, 2011, or the date the EHR is acquired.
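To make the accounting change concrete, here is an added Python illustration (not from the article or any EHR product) of a disclosure log that records every disclosure at the moment it occurs and applies the accounting rule only when a report is produced, so that the pre-HITECH and HITECH accountings can both be generated from the same history. The record fields, the purpose labels, the reporting window, and the sample entries are assumptions constructed for the example.

```python
"""Disclosure accounting from an EHR, illustrating the HITECH change to
HIPAA's accounting-of-disclosures requirement. Added example; the records
below are constructed, not taken from any real system."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Purposes the pre-HITECH Privacy Rule allowed a covered entity to leave out
# of an accounting. HITECH requires EHR disclosures for these purposes to be
# recorded and reported as well.
TPO_PURPOSES = frozenset({"treatment", "payment", "health care operations"})


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str      # who received the PHI
    description: str    # what PHI was disclosed
    purpose: str        # why, e.g. "treatment", "payment", "subpoena"


class DisclosureLog:
    """Append-only record of PHI disclosures made from an EHR.

    Every disclosure is written when it happens, whatever its purpose. Which
    entries appear in an accounting is decided at report time, so a change in
    the accounting rules never requires reconstructing history that was
    never captured in the first place.
    """

    def __init__(self):
        self._entries = []

    def record(self, d: Disclosure) -> None:
        if not d.purpose.strip():
            raise ValueError("every disclosure needs a recorded purpose")
        self._entries.append(d)

    def accounting(self, patient_id, start, end, include_tpo):
        """Disclosures for one patient dated within [start, end], oldest first.

        include_tpo=False reproduces the pre-HITECH Privacy Rule accounting;
        include_tpo=True is the HITECH rule for disclosures from an EHR.
        """
        hits = [
            d for d in self._entries
            if d.patient_id == patient_id
            and start <= d.disclosed_on <= end
            and (include_tpo or d.purpose not in TPO_PURPOSES)
        ]
        return sorted(hits, key=lambda d: d.disclosed_on)

    def volume_by_purpose(self, patient_id, start, end):
        """Count of reportable disclosures per purpose, to size the burden."""
        return Counter(
            d.purpose for d in self.accounting(patient_id, start, end, True)
        )


def build_sample_log() -> DisclosureLog:
    """Constructed sample data: one patient's disclosures over a few months,
    plus one out-of-window entry and one entry for a different patient."""
    log = DisclosureLog()
    p = "MRN-0001"  # hypothetical patient identifier
    for d in [
        Disclosure(p, date(2009, 3, 2), "Referring cardiologist", "consult note", "treatment"),
        Disclosure(p, date(2009, 3, 3), "Pharmacy", "prescription", "treatment"),
        Disclosure(p, date(2009, 3, 10), "Health plan", "claim with CPT codes", "payment"),
        Disclosure(p, date(2009, 4, 1), "Internal QA committee", "chart abstract", "health care operations"),
        Disclosure(p, date(2009, 4, 15), "Circuit court clerk", "full record", "subpoena"),
        Disclosure(p, date(2008, 12, 20), "Health plan", "eligibility query", "payment"),  # before window
        Disclosure("MRN-0002", date(2009, 3, 5), "Health plan", "claim", "payment"),  # other patient
    ]:
        log.record(d)
    return log


def demo_counts() -> dict:
    """Same log, two accounting rules: the difference is the HITECH burden."""
    log = build_sample_log()
    start, end = date(2009, 1, 1), date(2009, 6, 30)  # assumed reporting window
    before = log.accounting("MRN-0001", start, end, include_tpo=False)
    after = log.accounting("MRN-0001", start, end, include_tpo=True)
    return {
        "privacy_rule": len(before),                  # 1 (only the subpoena)
        "hitech_ehr": len(after),                     # 5 (TPO now included)
        "privacy_rule_purposes": [d.purpose for d in before],
        "by_purpose": dict(log.volume_by_purpose("MRN-0001", start, end)),
    }


if __name__ == "__main__":
    for k, v in demo_counts().items():
        print(f"{k}: {v}")
```

The design point is that the log never filters at write time: the old rule is a view over the same records, not a different data set, which is what lets a covered entity satisfy either accounting from one audit trail.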
Prohibition on Sale of PHI Electronic Records
Subject to a limited list of exceptions, a covered entity or business associate may no longer receive direct or indirect remuneration in exchange for PHI unless it first obtains the patient's written authorization.
Right to Obtain Copies of PHI in Electronic Format
Where a covered entity maintains PHI in an EHR, an individual may now request a copy of that PHI in electronic format and may direct the covered entity to transmit the copy to a person or entity the individual designates. Any fee charged may not exceed the covered entity's labor cost in responding to the request.
The Minimum Necessary Standard
Covered entities are required to apply the minimum necessary standard to certain PHI disclosures. Previously, a covered entity could rely on the requesting party to determine the minimum amount of information necessary for the disclosure. Now, the disclosing covered entity must make that determination itself. The HITECH Act directs HHS to issue additional guidance defining what constitutes "minimum necessary" and how covered entities may implement the requirement; until that guidance is issued, a covered entity is to limit a disclosure, where practicable, to a limited data set, or otherwise to the minimum necessary to accomplish its purpose.
State Attorney General Enforcement
Through the HITECH Act, state attorneys general now have authority to bring a civil action in federal court, on behalf of their residents, against any person who violates the HIPAA Privacy or Security Rules. HHS has the option to intervene in such a suit. This should certainly spur enforcement activity in this area.
Tiered Civil Penalties
The HITECH Act establishes a four-tiered civil penalty system for HIPAA Privacy and Security violations:

| Tier | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Person did not know of the violation and, by exercising reasonable diligence, would not have known of it. | $100 for each violation | Not to exceed $50,000 per calendar year |
| Violation due to reasonable cause (not willful neglect). | $1,000 for each violation | Not to exceed $100,000 per calendar year |
| Violation due to willful neglect. | $10,000 for each violation | Not to exceed $250,000 per calendar year |
| Violation due to willful neglect and not corrected within 30 days of the first date the person liable for the penalty knew, or should have known, that the violation occurred. | $50,000 for each violation | Not to exceed $1,500,000 per calendar year |

The annual caps apply to violations of an identical requirement or prohibition during a calendar year.
HHS Periodic Audits
Lastly, HHS will now be responsible for performing periodic audits to ensure that covered entities and business associates are in compliance with the HIPAA regulations.
Effective dates vary across the HITECH Act's provisions; the tiered penalties, however, took effect on enactment. Most covered entities will certainly need considerable time to plan for these changes. As the implementing regulations are finalized, the precise requirements and expectations will become clearer. It is evident, though, that compliance professionals who work in this area will be instrumental in meeting the requirements of our new national electronic health information framework.
You can download the operating plan for the HITECH Act provisions the Office of the National Coordinator for Health Information Technology released mid-May.
David Behinfar, J.D., LL.M, CHC, CIPP, is HIPAA compliance manager for the University of Florida College of Medicine – Jacksonville (UFCOM-J), and is responsible for UFCOM-J campus and UFCOM-J satellite clinics’ privacy and security of patient information. He holds a Master of Law (LL.M) in health law, is certified in health care compliance (CHC), and has also earned a certification as a Certified Information Privacy Professional (CIPP). David has also been admitted to practice law in Florida, Illinois, Texas, and Arizona.