In February of 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which amends the Health Insurance Portability and Accountability Act (“HIPAA”) by providing additional privacy measures for protected health information (“PHI”).
In February 2010, HHS began implementing key HITECH provisions. The following provides an overview of the new HITECH requirements, as well as recommendations to help ensure compliance with the new rules.
Improved Privacy and Security Measures
HITECH made three significant changes to HIPAA, effective February 17, 2010.
1. Direct Application to Business Associates. Under HITECH, HIPAA rules that previously applied indirectly to business associates now apply directly. For example:
- Business associates must now comply with HIPAA’s administrative, physical and technical safeguards, as well as new HITECH privacy requirements; and
- Penalties for HIPAA violations now apply to business associates in the same manner as such penalties apply to covered entities.
2. Additional Privacy Requirement. HITECH established new privacy requirements that apply to both covered entities and business associates, including:
- Minimum Necessary Disclosures – permitted disclosures of PHI must be confined to either a limited data set or to the minimum necessary information.
- Accounting of Disclosures – an individual has the right to request an accounting of any disclosures of their PHI made in the last three years that resulted from the use of electronic health records related to treatment, payment, or health care operations.
- Sale of PHI Prohibited – unless a valid authorization is obtained, neither a covered entity nor a business associate may receive remuneration, directly or indirectly, in exchange for PHI. Exceptions to this rule are made for specific activities, such as research and public health activities.
3. Breach Notification. Covered entities are responsible for providing notification of breaches of unsecured PHI to affected individuals, the Secretary of HHS, and, in certain circumstances, the media. Business associates are responsible for notifying their covered entities of breaches of unsecured PHI discovered by the business associate.
Breach Notification Regulations
In August 2009, HHS issued regulations implementing the HITECH provisions that require covered entities and business associates to report breaches of unsecured PHI (the “Rule”). Beginning February 22, 2010, HHS will impose sanctions for failure to comply with the Rule.
The Rule only applies to breaches of PHI that is “unsecured” (i.e., is not protected through the use of technology that renders the PHI “unusable, unreadable, or indecipherable to unauthorized individuals”). The following guidelines apply to determine if PHI is considered secure, and therefore within the safe harbor of the Rule, or unsecured and subject to the notification requirements:
- Electronic PHI is considered secure if the PHI is encrypted or the media on which it is stored is destroyed or purged. Firewalls and access controls may be used to limit the risk of a breach, but do not render the PHI itself “secured.”
- Paper, film, or hard copy PHI is considered secure if destroyed in such a way that it cannot be read or reconstructed, or is redacted to the point that the remaining information does not compromise the security or privacy of the individual.
A breach occurs if the disclosure or use of the PHI was “impermissible” and compromised the security and privacy of the PHI to such an extent that there is a significant risk of financial, reputational, or other harm to the individual.
Within 60 days of discovery of a breach, a covered entity must promptly notify: (i) the individual whose PHI was breached; and (ii) the Secretary of HHS. For breaches involving 500 or more persons, the Secretary must be notified immediately, as well as a prominent media outlet in the area.
HHS considers a breach to be “discovered” when the incident becomes known to the covered entity or would have been known through the exercise of reasonable diligence.
Below are some recommendations that covered entities may wish to consider:
- Amend your business associate agreements. Incorporate references to the HITECH requirements and include timeframes for reporting breaches of PHI.
- Update your HIPAA policies to reflect the new requirements, and implement a system to discover and report breaches of PHI. Ensure that workforce members and other agents are adequately trained and understand the new privacy and security obligations.
- Take reasonable measures to “secure” all PHI. If using encryption as your method of security, keep encryption keys on a separate device to ensure that the data cannot be breached.
- Keep accurate records of compliance with security and privacy policies. Take steps to ensure that, in the event of an HHS audit, all safeguards, risk assessments, notification procedures and disclosure accountings are adequately documented in writing.