Prior to the HITECH (Health Information Technology for Economic and Clinical Health) Act, there were many cases in which patients’ private and confidential information was compromised without knowledge of the health care provider. These data breaches led to legal complications, damage to the brand image and loss of clientele.
What is the HITECH Act?
Enacted on February 17, 2009, the HITECH Act ensures the privacy and security of patient health information. As part of the American Recovery and Reinvestment Act (ARRA) of 2009, the HITECH Act made significant changes to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. In particular, the HITECH Act creates new privacy and security requirements for health information that materially and directly affect more entities, businesses and individuals, in ways not covered by HIPAA.
The HITECH Act makes the following specific changes to the HIPAA of 1996:
- The definition of “business associates” is expanded to include persons and organizations (e.g. subcontractors) that perform activities which involve the use or disclosure of personally identifiable health information (e.g. claims processing, data analysis, quality assurance, billing, benefit management, and other legal, accounting or administrative functions). In the HITECH Act, “business associates” also includes organizations that transmit protected health information and those that require access on a routine basis to such information.
- As of February 17, 2010, HIPAA security standards that apply to health plans and health care providers will directly apply to business associates. This means that they will also be subject to the administrative, physical and technical security requirements of HIPAA. They must also implement the necessary policies and procedures for documenting security activities. Any penalties for violating HIPAA procedures will also apply to “business associates.”
- The HITECH Act also establishes new security breach notice requirements. As of September 2010, health plans and health care providers that access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose unsecured protected health information and discover a breach must notify each individual who has been affected by the breach. Business associates will also need to give notice of such data breaches. According to the Act, notices must be provided by first-class mail to individuals at their last known address, or, if specified by the individual, by e-mail.
- As of February 17, 2010, individuals are entitled to electronic copies of their health information from any health plan or health care provider that uses or maintains electronic health records. Individuals should be able to direct the health plan or health care provider to transmit the copy directly to a designated individual. Fees for this service should also be kept to a minimum.
- Six months after such regulations have been enacted, the HITECH Act prohibits a health plan, health care provider or business associate from receiving payment for an individual’s protected health information, without prior authorization from the individual.
HITECH Act Breach Notifications
The HITECH Act includes notable breach notification regulations that require health care providers and other HIPAA-covered entities to notify affected individuals of a data security breach as promptly as possible. In addition, the Department of Health and Human Services (HHS) Secretary and the media must be notified if the breach affects more than 500 individuals. Breaches that affect fewer than 500 individuals are reported to the HHS Secretary annually.
According to Robinsue Frohboese, the Acting Director and Principal Deputy Director of OCR,
“This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”
HITECH Act Compliance Checklist
According to Adam Greene, former HIPAA enforcer, there are a number of elements that an entity must secure in order to be HITECH-compliant:
- Have you formally designated a person/position as your organization’s privacy and security officer?
- Do you have documented privacy and information security policies and procedures?
- Have they been reviewed and updated, where appropriate, within the last six months?
- Have the privacy and information security policies and procedures been communicated to all personnel, and made available for them to review at any time?
- Do you provide regular training and ongoing awareness communications for information security and privacy for all your workers?
- Have you done a formal information security risk assessment in the last twelve months?
- Do you regularly make backups of business information and have documented disaster recovery and business continuity plans?
- Do you require all types of sensitive information, including personal information and health information, to be encrypted when it is sent through public networks and when it is stored on mobile computers and mobile storage devices?
- Do you require information (in all forms) to be disposed of through secure methods?
- Do you have a documented breach response and notification plan, as well as a team equipped to support the plan?
This article takes a look at the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009, which made significant changes to the HIPAA (Health Insurance Portability and Accountability Act) of 1996. Notably, the HITECH Act mandated specific procedures for responding to data security breaches, including particular breach notification procedures. The article includes a list of significant changes made by the Act, as well as a compliance checklist for covered entities.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:
- Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) (I.B.a.ii.)