The Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) makes significant changes to the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). HIPAA generally restricts the use and disclosure of individuals’ protected health information (“PHI”) by group health plans, health care providers, and health care clearinghouses (referred to as “covered entities”) and persons who perform certain functions or activities on behalf of the covered entity (referred to as “business associates”). The HITECH Act amends HIPAA to require notification in the event of a breach of unsecured PHI, enhances individual privacy rights, restricts the sale and marketing of PHI, strengthens enforcement mechanisms, and applies portions of HIPAA’s privacy and security rules directly to business associates.
Group health plans and other covered entities must comply with the HITECH Act by February 17, 2010. Because the HITECH Act imposes HIPAA's privacy and security requirements directly on business associates, business associates must also comply with the HITECH Act by February 17, 2010. To comply with the HITECH Act, covered entities and business associates must:
- Update their HIPAA policies, procedures and forms;
- Distribute a revised HIPAA privacy notice to all persons covered by the group health plan;
- Identify all service providers and determine whether a business associate agreement is required;
- Update all existing business associate agreements; and
- Train employees regarding the changes required by the HITECH Act.
Failure to comply with HIPAA, as revised by the HITECH Act, may result in a penalty of $100 for each violation up to a maximum of $25,000 per violation of a single standard in a single calendar year. This penalty substantially increases if the failure is due to reasonable cause or willful neglect.