What is HITECH?
Title XIII of the American Recovery and Reinvestment Act of 2009, entitled the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, goes into effect on February 17, 2010 and was enacted principally as a stimulus bill. HITECH’s focus is to provide funding for electronic health records and related activities. In light of the increased use of electronic health records, HITECH provides additional legal protections concerning protected health information (“PHI”) and expands the privacy and security protections afforded by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). HITECH also provides for direct regulation of Business Associates by the Department of Health and Human Services (“HHS”).
What is a Business Associate?
A “Business Associate” is defined by HIPAA as a person or entity that performs certain functions, activities or services for or on behalf of a covered entity involving the use or disclosure of PHI. This definition may include technology providers and other vendors contracting with a covered entity. A “covered entity” under HIPAA is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form.
How does HITECH impact Business Associates?
- HITECH requires Business Associates to comply with the HIPAA Security Rule (45 CFR parts 160 and 164, parts A and C) regarding implementation of administrative, physical and technical safeguards to protect PHI and development and enforcement of procedures and documentation standards. Security requirements that are applicable to covered entities are now also applicable to Business Associates.
- Business Associates must comply with HIPAA business associate safeguards, including accounting for disclosures and returning or destroying PHI at contract termination if feasible.
- HITECH security and privacy requirements are required to be incorporated into business associate agreements between Business Associates and covered entities.
- HHS has the right to perform compliance audits of Business Associates.
- Business Associates are required to terminate the business associate agreement or notify HHS in the event of known breaches of the business associate agreement by the covered entity. A Business Associate will be deemed to violate the provisions of HIPAA if it knows of such a breach by a covered entity and fails to cure the breach, terminate the business associate agreement or report the breach to HHS.
- Business Associates are subject to enhanced criminal and civil penalties for violations.
- HHS will issue annual guidance on the most effective and appropriate technical safeguards, which will also apply to Business Associates.
Breach Notification Regulations
In August 2009, HHS issued an interim final rule implementing the new HITECH breach notification requirement described above. Sanctions for violations of this rule may be imposed commencing in February 2010. A breach is an unauthorized use or disclosure that violates the HIPAA Privacy Rule. The rule requires covered entities to notify affected individuals when there is a breach of their “unsecured PHI”. Unsecured PHI is PHI that is not secured through the “use of technology or a methodology specified by the Secretary [of HHS] in guidance”. Under an existing HHS rule published in April 2009 (74 FR 19006), encryption and destruction are currently the only sanctioned methods of securing PHI. Firewalls and other access controls will not be deemed to render PHI secure for purposes of HITECH.
HHS also clarifies in this rule that the HITECH breach notification requirement only applies if the breach passes a “harm threshold”, i.e. the breach “poses a significant risk of financial, reputational or other harm to the individual”. This requires a risk assessment to determine whether the disclosure of PHI poses a significant risk of harm to the affected individual. Considerations include (i) who used the impermissibly disclosed information; (ii) to whom the information was disclosed (e.g., another covered entity, as opposed to an entity under no obligation to maintain the privacy of the information); and (iii) the type and amount of PHI involved in the impermissible disclosure.
Notice must be provided to the affected individual and to HHS no later than 60 days after the breach of unsecured PHI is discovered. If a Business Associate is responsible for the breach, it must notify the covered entity and provide the information the covered entity needs to give the required notice.
More Guidance is Forthcoming
Comprehensive HHS regulations are forthcoming and will be published in the coming weeks. Among other issues, these regulations should address the expansion of the definition of Business Associate and the extension of the HIPAA Security Rule and Privacy Rule to Business Associates. They should also address requirements for approved technologies for electronic health records. Business Associates should analyze these new regulations carefully when implementing changes to their HIPAA compliance processes.