What You Need to Know and How to Be Prepared

The Health Information Technology for Economic and Clinical Health Act (HITECH), a part of the American Recovery and Reinvestment Act of 2009 (ARRA), advances health information technology by incentivizing the use of electronic health records (EHR).  More importantly, however, it increases the protection afforded to electronic protected health information (PHI) by strengthening and expanding HIPAA.

Through the questions and answers below, this article provides an overview of HITECH and explains some of its most notable provisions.  It also provides some recommendations for compliance.  Although the act is still in its infancy and many of its provisions remain unclear, this article seeks to shed some light on this new and important legislation.

1. To Whom Does HITECH Apply?

Like HIPAA, HITECH applies to “covered entities.”  For purposes of HITECH, however, covered entities are those that electronically transmit any health information in connection with a HIPAA-covered transaction.

2. What are the Major Changes Seen in HITECH?

HITECH imposes new obligations on covered entities in the case of a breach, changes the security obligations of business associates, and strengthens enforcement of the HIPAA provisions with steeper penalties.

3. What is the Breach Notification Rule and When Does it Apply?

The Breach Notification Rule requires covered entities to notify individuals when their “unsecured” PHI is breached.  PHI is “secured” when it is rendered unusable, unreadable, or indecipherable to unauthorized individuals through either encryption or destruction.  Destruction can occur by shredding or destroying paper, film, or other hard copy media, or by clearing, purging, or destroying electronic media.  Therefore, if PHI has not been encrypted or destroyed, it is considered “unsecured” PHI.

Next, ARRA defines a breach as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information.”  The security or privacy of PHI is compromised when the potential breach poses a significant risk of reputational, financial, or other harm to the affected individual.  In determining whether such a risk exists, a doctor should consider several factors.  For example, a doctor should look at who acquired, accessed, used, or disclosed the PHI, and to whom the PHI was disclosed.  Next, a doctor should evaluate whether any steps have been taken to mitigate the potential breach.  Another consideration is whether the PHI was recovered before it was accessed.  Finally, the type and amount of unsecured PHI involved in the potential breach should be considered.  Disclosure of a patient’s name may not result in a breach, but if the disclosure also includes the patient’s social security number, it is more likely to constitute a breach.

Even if the potential breach does compromise the security or privacy of the PHI, it may nevertheless fall within one of three exceptions.  Under the first exception, if there is a disclosure of unsecured PHI to an unauthorized person, there is no breach if the covered entity believes that person would have been unable to retain the information.  Next, if an employee or an individual acting under the authority of a covered entity unintentionally acquires or uses PHI, there is no breach if the access or use was made in good faith and within the scope of the individual’s employment or authority, and the information is not further accessed or used.  A breach also does not occur if an individual who is authorized to access PHI inadvertently discloses that PHI to someone who is authorized to access it anyway.

4. How Does HITECH Affect Business Associates?

HITECH imposes direct liability on business associates - third party contractors who provide billing, legal, financial, or other services which require them to electronically transmit health information - for any breach.  Business associates must now comply with the HIPAA Security Rule requirements in the same manner as covered entities, but in the case of a breach, they are only required to notify the covered entity, not the affected individual.  Business associates are also subject to the same penalties as covered entities for failure to follow any of these requirements.  The additional protections provided by HITECH relating to business associates must be incorporated into business associate agreements.

5. How Does HITECH Strengthen HIPAA Enforcement?

HITECH requires the Secretary of HHS to periodically audit covered entities and business associates and to formally investigate any complaint if a preliminary investigation of the facts indicates a possible violation due to willful neglect.  If a violation is found, the Secretary is required to impose a penalty.

More importantly, HITECH provides steeper penalties for violations, with a maximum penalty of $1.5 million for identical violations during a calendar year.  HITECH provides four tiers of civil penalties ranging from $100 to $50,000.  If a covered entity was not aware of the violation, the penalty will be on the lower end.  Conversely, if the violation was due to willful neglect and the covered entity failed to correct the violation within thirty days, the penalty will be $50,000.

HITECH also provides certain criminal penalties for violations.  If a person knowingly and without authorization uses, obtains, or discloses PHI maintained by a covered entity, he can be subject to a fine of up to $50,000 and/or imprisonment for up to one year.

6. Does HITECH Allow Individuals to Sue?

HITECH authorizes state attorneys general to enforce HIPAA, but it does not provide a private right to sue.

7. What are Some Recommendations for Complying with HITECH?

  1. Establish or strengthen your HIPAA compliance program:  Include a training program for workforce members, institute sanctions for HIPAA violations, provide periodic training updates, and draft written policies and procedures that address compliance.  Be sure to keep all logs current, including logs of training sessions, workforce sanctions, suspected breaches, and breach notifications.  Finally, always document your compliance.
  2. Make sure PHI is “secured” and protected.
  3. Make sure to incorporate the expanded HIPAA protections into your business associate agreements.
  4. Look at your state law requirements: State law requirements could be more restrictive, and if this is the case, HITECH does not preempt state law.  Just because you are HIPAA compliant under federal law does not mean you are compliant with state law.
  5. Visit the HHS website for updates and examples of breaches: The HHS website provides a list of case examples of breaches and the actions taken to remedy such breaches.

HITECH demonstrates a clear shift toward health care provider accountability.  There are many informative resources on the internet, including the HHS website, to help doctors understand HITECH and what is required of them.  All doctors can be HIPAA/HITECH compliant by keeping up with new developments and erring on the side of caution.

For more information please see our list of attorneys under our professional liability practice at www.neildymott.com.