Viewing ‘HITECH ACT’ Category

The HITECH Act expands the legal obligations and liabilities related to safeguarding health records to entities which are neither covered entities nor business associates under HIPAA. The affected entities are personal health record vendors (PHR Vendors) and entities that: (i) offer products and services through the website of a PHR Vendor, (ii) are not covered by HIPAA and offer products or services through the websites of covered entities that offer individuals PHR; and (iii) are not covered entities and that access information in a PHR or send information to a PHR (each a “PHR Management Service”). A third party service provider which provides services to PHR Vendors and PHR Management Services in connection with PHR Records and “accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses, or discloses unsecured PHR identifiable health information in such a record as a result of such services.”

The new obligations created by the HITECH Act require such entities to provide notification in the event of a breach of security resulting in the acquisition of unsecured PHR identifiable health information without the authorization of the affected individuals. The PHR Vendor, PHR Management Services and their respective third party servicers are required to provide notifications to each affected individual and the FTC. The FTC is then required to provide notice to the HHS. The third party servicers must also provide notice to PHR Vendors and PHR Management Services of any breach that it discovers and such notice must identify each affected individual.

Each breach is considered to be a violation of Federal Trade Commission Act on unfair and deceptive acts or practices and subject to civil penalties of up to $16,000 per breach. Pursuant to the HITECH Act, the FTC has adopted the Health Breach Notification Rule and stated that an unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information (the FTC Rule). However, the presumption is a rebuttable one, provided the PHR Vendor, PHR Management Service or respective third party servicer that experienced the breach has reliable evidence showing there has not been, or could not reasonably have been, any unauthorized acquisition of such information. The FTC has decided that the FTC Rule ‘‘does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.’’

The notification requirements for breaches set forth in the FTC Rule are similar to the requirements of the HITECH Act. The FTC Rule essentially places the same notification obligations on PHR Vendors, PHR Management Services and their third party servicers that the HITECH Act places on covered entities and business associates. The enforcement of the FTC Rule commenced on February 22, 2010 and the FTC has already posted incidents of breaches and the names of the entities involved.

The HITECH Act and the FTC Rule have upped the ante for entities not subject to HIPAA and require any businesses which deal with PHR to evaluate their operations to ensure compliance. The HITECH Act and the FTC Rule also create additional complexity for entities which may be covered by HIPAA and then alternatively may be subject to the FTC Rule.

Passed on February 17, 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) requires entities covered by HIPAA and their business associates to notify each individual “whose unsecured PHI (protected health information) has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to a breach. Protected health information is deemed to be secured when it has been encrypted or destroyed in accordance with the standards of the National Institute of Standards and Technology.

A breach is defined under the HITECH Act as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The HITECH Act also sets forth two exceptions to reporting a breach when (1) an employee or authorized individual of a covered entity or a business associate has unauthorized acquisition, access, or use made in good faith within the course and scope of employment or other professional relationship and no further acquisition, access, use, or disclosure of the PHI takes place; or (2) an individual authorized to access the PHI at a facility operated by a covered entity or business associate inadvertently discloses the PHI to a similarly situated individual at the same facility and no further acquisition, access, use, or disclosure of the PHI takes place.

Written notification of a breach must take place without unreasonable delay i.e., no later than 60 calendar days after the circumstances of the breach is known by the covered entity or business associate’s employee, officer, or other agent, exclusive of the individual causing the breach. Notifications can be provided in electronic format if that preference is expressed and if the contact information is out of date or nonexistent then alternative notice must be provided via the website or major media outlets. The alternative notice methods must include a toll free number. If a large number of individuals in a state or jurisdiction are affected by the breach (i.e. 500 or more) then in addition to the usual notification methods, then notice must be provided via prominent media outlets. The notices must set forth the nature of the breach, the description of the PHI disclosed, the steps individuals have to take to protect themselves, the actions taken by the covered entity or business associate and contact procedures.

HITECH Act clarified an ambiguity under HIPAA and stated that the criminal penalties of HIPAA apply to persons other than covered entities. Thus business associates and other third parties which obtain or disclose PHI without authorization are subject to criminal penalties for disclosure of PHI. The civil penalties for failure to comply with HIPAA have been increased under the HITECH Act. HITECH Act implemented tiered penalties the severity of which depended on the nature of the violation. Violations due to willful neglect are now subject to civil money penalties and the Secretary of the Department of Health and Human Resources will be required to investigate such violations based on a complaint starting in 2011. There are four tiers of violations under the HITECH Act amendments. The penalties are escalated from $100 per violation at the lowest level to $50,000.00 per violation at the highest and the overall penalties for a calendar year can range from $25,000 to $1,500,000.

This summary only covers the salient points of the HITECH Act for the lay person. The details of
other provisions will be covered in other postings in this series.