Some call it HIPAA on Steroids. Others simply call it HIPAA II. Technically, it's the Health Information Technology for Economic and Clinical Health Act. But however you label it, the HITECH Act spells out tougher data security requirements for all health care organizations as well as their business associates.
Although the Health Insurance Portability and Accountability Act of 1996 led to the creation of federal healthcare information privacy and security rules, the penalties for violations were relatively mild, and the enforcement was nearly nonexistent. But that's all changing thanks to the HITECH Act. The Act was one of dozens of provisions tucked into the economic stimulus package, known as the American Recovery and Reinvestment Act, in February 2009. It's also known as Title XIII of ARRA.
Congress included the beefed-up security provisions in tandem with incentive funds from Medicare and Medicaid to help pay for adoption of electronic health records at hospitals and physician group practices. The intent was to help ensure that as more information is digitized it will remain secure.
Enforcement of perhaps the most significant security provision of HITECH, the security breach notification rule, is slated to kick in on Feb. 22, 2010. An Aug. 24, 2009, Interim Final Rule from the U.S. Department of Health and Human Services spells out security breach notification requirements in more detail.
Following is a summary of the major data security components of the HITECH Act:
Business associates
The HIPAA privacy and security rules, and penalties, now apply directly to business associates, such as banks, claims clearinghouses, billing firms, health information exchanges and software companies, as though they were healthcare organizations. Previously, the rules only applied to "covered entities," including such healthcare organizations as hospitals, physician group practices and health insurers. Now, the rules apply to any organization that has access to "protected health information."
Breach notification rule
More audits
Although healthcare organizations can determine on their own whether a breach should be reported, HITECH provides funding for periodic audits by federal regulators of both healthcare organizations and their business associates to ensure they are, in fact, complying with all privacy and security rules.
Enforcement
The Office of Civil Rights within the U.S. Department of Health and Human Services has enforcement authority for the breach notification rule. State attorneys general can bring a civil action in federal court for violations of healthcare security and privacy rules. Victims can receive compensation from fines levied against individuals and organizations.
Tougher fines
Penalties now can be levied against individuals within a healthcare organization as well as the organization itself. Penalties for breaches of personal healthcare information or other HIPAA violations range up to $1.5 million per violation. This is separate from any criminal penalties that might apply.
Accountability
Individuals can request that healthcare organizations account for all disclosures of their protected health information from electronic health records systems. This includes information used for treatment, payment and operations. A covered entity may impose a fee for such accounting that's no greater than its cost. The effective date is dependent on when the EHR system was installed.
Copies of records
Individuals now have the right to receive an electronic copy of their personal health information that's stored in an electronic health record. Healthcare organizations can charge a fee that covers their labor costs for producing the copy.
"Minimum necessary" disclosures
The HITECH Act specifies that covered entities should limit uses and disclosures of personal health information to the "minimum necessary" to conduct a particular function. The U.S. Department of Health and Human Services is expected to issue regulations this year governing the "minimum necessary" provisions.
Marketing restrictions
Under the HIPAA privacy rule, when healthcare organizations were paid by companies to send communications to patients about new products and services, they were considered part of the organization's operations, and, thus, were permissible. Under the HITECH Act, these are considered marketing activities and are subject to regulations that will be issued later this year. An exception is permitted if the communication is about a currently prescribed drug and the company's payment to the healthcare organization is "reasonable."