Health Information Technology
The HITECH Act (Health Information Technology for Economic and Clinical Health Act), which was passed as part of the stimulus legislation in 2009, made a number of significant changes to HIPAA, strengthening privacy and security protections in a variety of ways. Perhaps most notably, HITECH expanded the scope of HIPAA and its Privacy and Security Rules to include all business associates and their subcontractors, and explicitly designated health information exchanges (HIEs) as business associates. Many of the HITECH-mandated changes to HIPAA were covered in a July 2010 Notice of Proposed Rulemaking, which is not yet final. Additional amendments are discussed below.

Regulations and Guidance

  • HITECH provisions led to the 2009 Breach Notification Rule, which requires most doctors, hospitals, other health care providers, and health insurance companies to notify individuals of a “breach” if unsecured information is seen by someone who is not supposed to see it. (In the case of a breach affecting more than 500 individuals, covered entities must also notify the Secretary of Health and Human Services (HHS) and the media. Breaches affecting fewer than 500 individuals must each be reported to the HHS Secretary on an annual basis.) The rule holds the covered entity responsible for such unauthorized access: its business associates must notify the covered entity of breaches that occur under their contracts.
  • HITECH also requires HHS to issue guidance on methods for de-identification of protected health information (PHI), as designated in HIPAA's Privacy Rule.
  • HITECH amended the HIPAA requirements regarding covered entities’ obligation to account for disclosures of PHI, expanding the requirement to cover those disclosures related to treatment, payment and health care operations. In June 2011, HHS released a notice of proposed rulemaking implementing these particular HITECH provisions; this rule is not yet final.
  • The Secretary of HHS is required by HITECH to issue guidance regarding HIPAA’s “minimum necessary” standard. This standard reflects sound current practice: only the minimum necessary PHI should be used or disclosed to satisfy a particular purpose or carry out a function. It requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary access to and disclosure of PHI.

Strengthened Enforcement

  • HITECH provisions substantially strengthened HHS’ enforcement authority. Under HIPAA, covered entities are now subject to increased civil penalties for HIPAA violations, and potentially criminal penalties as well.
  • The law also vested enforcement authority with state attorneys general, and requires regulations to be released to guide the distribution of monetary penalties to people who are harmed by privacy violations.
  • HITECH established the position of Chief Privacy Officer, whose job is to advise the National Coordinator on privacy, security and data stewardship of electronic health information, and to coordinate with other federal and state agencies, as well as foreign countries.
  • The law further requires there to be privacy advisors in each regional HHS office to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to federal privacy and security requirements for protected health information.