Feb. 17, 2010, marks the first anniversary of Title XIII of the American Recovery and Reinvestment Act of 2009, creatively known as the Health Information Technology for Economic and Clinical Health (HITECH) Act. Several key provisions of the HITECH Act go into effect as we celebrate this anniversary, including important provisions affecting business associates.

Covered entities and business associates need to:

  • Understand their obligations under the HITECH Act;
  • Make sure that they have appropriate policies and procedures in place, which may require the amendment of existing policies and procedures, as well as the development of new ones;
  • Train their workforces;
  • Verify whether any notices of privacy practices reflect the updated policies, procedures and processes; and
  • Keep watching for new developments, which are right around the corner.

Business associates

Prior to the HITECH Act, business associates were not directly required to comply with HIPAA. Instead, the legal obligations of business associates were based solely on the terms and conditions of business associate contracts with covered entities; breaches of the business associate contracts could result in the termination of the contracts and, perhaps, contractual damages. Although business associates were required to adopt reasonable safeguards to protect health information, the standards were not detailed or explicit. Now, under the HITECH Act, business associates’ obligations will be broader, and the stakes will be higher.

First, business associates that handle electronic health information for covered entities will have to comply directly with most of the standards in the HIPAA Security Rule as if they are covered entities. Business associates will be subject to the same penalties as covered entities for failing to comply. Compliance will entail performing and documenting risk analyses and risk management processes and ensuring that appropriate policies, procedures and processes are in place. Second, business associates that violate the core privacy terms of their business associate contracts—for example, by using protected health information for purposes not permitted by their business associate contracts—will be in violation of HIPAA. Lastly, business associates must also now comply with the additional privacy and security requirements of the HITECH Act, some of which are noted below.

Must covered entities amend their business associate contracts to include these changes? The jury still is out. The HITECH Act states that the privacy and security requirements “shall be incorporated” into business associate contracts. Some believe this language is a mandate for amendments; others take the position that the HITECH Act itself incorporates the requirements into business associate contracts. Most agree that amending existing business associate contracts would be a cost-intensive and resource-intensive exercise. The health care industry has been calling for clarification from the Department of Health and Human Services (HHS).

Withholding information from health plans

HIPAA previously allowed a patient to ask a covered entity to withhold information from the patient’s health plan, but did not require the covered entity to comply. Now, a patient who pays out of pocket in full for an item or service may require the covered entity to withhold information about the item or service from a health plan for payment or health care operations purposes, which presumably would be the primary purposes for which a health plan would need the information. A covered entity will not, however, be required to comply with the patient’s request if the health plan needs the information for treatment purposes.

Obtaining a copy of electronic health information

Individuals will have the right to obtain a copy of their health information from a covered entity in an electronic format, if the covered entity maintains an electronic health record. The individual may direct the covered entity to transmit an electronic copy directly to someone else. The covered entity may charge a fee for the electronic copy, which shall not exceed the covered entity’s labor costs in responding to the request.

Restrictions on marketing

HIPAA has permitted a covered entity to communicate with individuals concerning treatment, care coordination and health-related products and services provided by the covered entity, and HIPAA has allowed the covered entity to receive remuneration from third parties for making these communications. With some exceptions, the HITECH Act now prohibits a covered entity from receiving payment for these communications.

Restrictions on fundraising

The HIPAA Privacy Rule requires written fundraising communications to provide recipients with the opportunity to opt out of receiving future communications in a clear and conspicuous manner. The HITECH Act also provides that when an individual opts out, the opt-out will be treated as a revocation of authorization under the Privacy Rule. The impact (and precise meaning) of this provision remains unclear.

Minimum necessary use and disclosure

The Privacy Rule requires a covered entity to make reasonable efforts to limit its use of, disclosure of, or request for protected health information, to the minimum necessary. The Privacy Rule does not say what constitutes the minimum necessary protected health information; that determination is left to the covered entity to establish by policies and procedures. The HITECH Act now requires a covered entity to limit its uses, disclosures and requests “to the extent practicable, to the limited data set . . . or if needed by such entity, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request.” It is unclear how this modifies the current rule, if at all.

The HITECH Act provides that a covered entity or business associate disclosing protected health information must determine what constitutes the minimum necessary to accomplish the intended purpose of the disclosure. This appears to be a modification of the HIPAA Privacy Rule, which has permitted a covered entity to rely on the requestor’s determination when disclosing protected health information to public officials, other covered entities and professionals providing services to the covered entity. Again, the full impact of this provision is uncertain. The HITECH Act requires HHS to issue guidance on what constitutes “minimum necessary” by August of this year, which may resolve the confusion.

Data breach reporting

On Feb. 22, 2010, HHS will begin enforcing the new HITECH Act data breach notification requirements.