The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009, provides for privacy and security of patient health information. Part of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub L 111-5, 123 Stat 115), the HITECH Act significantly modifies the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104–191, 110 Stat 1936). HIPAA itself was an attempt to respond to the growing public concern over the protection of medical records by imposing regulations to address patient confidentiality, but the HITECH Act adds new requirements concerning privacy and security for health information that materially and directly affect many more entities, businesses, and individuals in more diverse ways than HIPAA. Specifically, the Act:
- Expands the definitions of “business associates.” “Business associates” are persons and organizations (typically subcontractors) that perform activities involving the use or disclosure of individually identifiable health information, such as claims processing, data analysis, quality assurance, billing, and benefit management, as well as those who provide legal, accounting, or administrative functions. 45 CFR §160.103. The HITECH Act adds as “business associates” organizations that transmit protected health information and require access on a routine basis to such information. See 42 USC §17938.
- Mandates that, effective February 17, 2010, HIPAA security standards that apply to health plans and health care providers will also apply directly to business associates. They will be subject to the administrative, physical, and technical security requirements of HIPAA, must implement appropriate policies and procedures, and must document their security activities. Penalties for violating these HIPAA procedures will apply to business associates, just as they now do to health plans and health care providers. 42 USC §17931.
- Establishes new security breach notice requirements. Effective in September, 2010 (see 42 USC §17932(j)), the HITECH Act will require a health plan or health care provider that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information and discovers a breach of the information to notify each individual whose health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of the breach. 42 USC §17932(a). Business associates will also be required to give notice of such a data breach to the health plan or health care provider, and will need to identify each individual whose unsecured protected health information was illegally accessed, acquired, or disclosed. 42 USC §17932(b). The health plan, health care provider, or business associate will be required to give notice of the breach without unreasonable delay, and no later than 60 calendar days after its discovery. 42 USC §17932(d). Notice must be provided by first-class mail to individuals at their last known address, or, if specified by the individual, via e-mail. 42 USC §17932(e)(1).
- Entitles individuals to electronic copies of health information. Effective February 17, 2010, individuals are entitled to copies of their health information in electronic format from any health plan or health care provider that uses or maintains electronic health records. An individual will be able to direct the health plan or health care provider to transmit the copy directly to anyone he or she designates. Fees for providing this service must not be greater than the entity’s labor costs. 42 USC 17935(e).
- Calls for regulations regarding the sale of electronic health records and protected health information by mid-August, 2010. Effective six months after these regulations are enacted, with certain exceptions, the HITECH Act will prohibit a health plan, health care provider, or business associate from receiving payment for an individual’s protected health information without authorization from the individual. 42 USC §17935(d).
For guidance from CEB: