The Health Information Technology for Economic and Clinical Health Act (“HITECH Act” or the “Act”) included in the “Stimulus Bill” significantly expands HIPAA privacy and security provisions. Health care organizations and providers may be interested in some of the critical aspects of the HIPAA privacy and security portions as follows:
• Required Notification for Information Breaches:
Effective 30 days after the Secretary of the Department of Health and Human Services (“HHS”) publishes interim final regulations (which regulations are due within 180 days from the enactment of the legislation), covered entities and business associates will be required to follow certain notification protocols when a person’s unsecured protected health information has been breached. This includes individual notification to consumers and, depending on the number of individuals whose information is involved, media notification. Notification must also be made to the Department of HHS immediately if the breach involves 500 or more individuals. If the breach involves less than 500 individuals, the provider can maintain such information on a log, which must be provided annually to HHS.
• Required Accounting of Disclosures Involving Electronic Health Records:
As many providers are aware, under the current HIPAA regulations providers need not provide individuals with an accounting of disclosures of their health information if the disclosure is related to treatment, payment activities or health care operations (“TPO”) of the provider. Although the implementation date is set into the future, under the HITECH Act, providers who use or maintain electronic health records will be required to account for TPO disclosures. In such cases however, the accounting period is limited to three (3) years prior to the date on which the accounting is requested. The Act directs the Secretary of HHS to implement regulations on what information has to be collected about each disclosure. The effective dates for this new requirement are dependent upon whether the provider acquired an electronic record as of January 1, 2009 or after January 1, 2009.
• The Minimum Necessary Rule:
With regard to non-treatment situations, the current HIPAA regulations require providers to only use and disclose the minimum amount of PHI necessary to accomplish a permitted task. Until the government issues guidance on the meaning of minimum necessary, the HITECH Act includes a provision that in order for a provider to be in compliance with the minimum necessary rule; (1) to the extent practical, uses and disclosures must be limited to the “limited data set”; or (2) if needed by such entity, to the minimum necessary to accomplish the intended purpose. Note that the current exceptions to the minimum necessary rule would still apply (e.g., treatment purposes).
• The Stakes Are Raised – Increased Enforcement:
The Act contains provisions so that penalties that apply to covered entities for violations also apply to business associates. Additionally, the HITECH Act revises and expands the current penalty provisions. Of particular importance, the Act also includes a provision authorizing enforcement by State Attorney General offices if the attorney general of a State has reason to believe that an interest of one or more residents of that State has been or is threatened or adversely affected. In such cases, the Attorney General can bring a civil action on behalf of the state residents to enjoin any continuing violation or to obtain damages on behalf of the residents.
• Business Associates:
The HITECH Act extended certain HIPAA requirements to business associates. Specifically, the Act applies the administrative, physical and technical safeguard requirements of the HIPAA security regulations to business associates. It also imposes obligations related to policies, procedures and documentation requirements.
• Access to Information In Electronic Format:
With regard to the current regulation allowing individuals access to their records, in the case that a covered entity uses or maintains an electronic health record, the individual has the right to obtain such information in electronic format.
For more information regarding HIPAA Privacy and Security, please call Abby Pendleton, Esq. or Jessica L. Gustafson, Esq. at (248) 996-8510, visit The HLP website’s Compliance and HIPAA page, or visit The HLP website.