The HITECH Act includes a number of provisions regarding the confidentiality, privacy and security of protected health information, which significantly affect both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy and Security Rules. The Act provides different enforcement dates for nearly every provision, but some of them already went into effect upon ARRA’s enactment on February 17, 2009. Furthermore, the Act directs the HHS Secretary to promulgate regulations implementing various privacy and security provisions, thereby delaying enforcement until the rule-making process is complete. Consequently, there is still much uncertainty regarding the new privacy and security regime established by this Act.
Some of the most significant changes include:
- New breach notification requirements for covered entities. The Act requires covered entities to notify individuals in writing if their protected health information (PHI) is disclosed, lost or otherwise compromised. The notices must be given within sixty (60) days of discovering the breach; if the breach involves 500 or more individuals, the covered entity must also inform HHS and “prominent media outlets serving a state or a jurisdiction.” There are also “temporary” breach notification requirements for commercial personal health record vendors, such as Google Health, Microsoft Vault and Revolution Health; however, Google Health has claimed that the Act’s provisions do not apply to Google. We will have to await the final regulations to see if they remove any ambiguity in this area.
- Business Associates are now subject to HIPAA. Third-party administrators, health information technology vendors, benefit providers and consultants are now directly subject to certain specified HIPAA privacy and security rules and regulations. (Please note that this change in particular may require a review of existing Business Associate Agreements, as well as revision of any new BAAs entered into.)
- State Attorneys General may now bring state actions to enforce HIPAA, seeking statutory damages and attorneys’ fees for violations. Previously, such enforcement was exclusively limited to the Office of Civil Rights within HHS.
- The Act restricts a covered entity’s right to refuse an individual’s request not to use or disclose PHI if: (i) disclosure is to a health plan for carrying out payment or health care operations (not for treatment); and (ii) the PHI “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.” Previously, the covered entity was not required to agree to such requested restrictions.
- The Act requires a covered entity using or disclosing PHI, or requesting PHI from another covered entity, to limit “to the extent practicable” the disclosure of PHI to the “limited data set” as defined under HIPAA, or, if more information is “needed,” to the minimum necessary “to accomplish the intended purpose of such use, disclosure, or request, respectively.” Depending upon the forthcoming guidance from HHS (due within 18 months), implementing this new requirement may demand considerable education, training and additional resources.
- The Act removes an exception that excused covered entities from accounting for disclosures of PHI made to carry out treatment, payment and health care operations. When this becomes effective (which depends on when an EHR is acquired), all such disclosures must be accounted for if the disclosure was made “through” an EHR. However, the right to an accounting of such disclosures only covers the 3 years prior to the date on which the accounting is requested, rather than the 6 years currently provided under HIPAA.
- Covered entities and business associates will be prohibited from receiving remuneration in exchange for any PHI of an individual without first obtaining an authorization from that individual (subject to certain exceptions). The authorization must specify whether the original recipient of the PHI may further exchange it for remuneration. This will go into effect approximately 24 months after ARRA’s enactment.
- A covered entity that “maintains” an EHR is required to produce a copy of a patient’s PHI in electronic format upon an individual’s request, and if the individual so chooses, to transmit the copy directly to an entity or person designated by the individual. A fee for such service may not be greater than the covered entity’s labor costs in responding to the request for the copy.
- The Act imposes new restrictions on covered entities’ and business associates’ marketing communications to potential buyers or users of their products. This is also subject to certain exceptions and qualifications depending on the purpose of the communications and whether any payments are involved.