by Eric A. Mahler, Esq., Ogletree Deakins
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on Feb. 17 as part of the American Recovery and Reinvestment Act of 2009, also known as the economic stimulus bill.
HITECH was designed to advance the use of health information technology, such as electronic health records.
Among other important aspects, the HITECH Act expands the scope and enforcement power of the Health Insurance Portability and Accountability Act (HIPAA), with greater penalties for noncompliance.
Privacy and security regulations
One of HIPAA’s primary purposes is to safeguard the confidentiality of patients’ health information. If you provide health insurance to your employees, it’s important to understand how HITECH affects HIPAA.
HIPAA previously required that “covered entities” enter into contracts or “business associate agreements” (BAAs) with noncovered entities if those transactions involved the exchange of protected health information (PHI).
For HR purposes, one of the most common types of covered entities is the group health insurance carrier. Business associates include other companies that provide ancillary services, such as claims processing.
The BAAs required the entities working on behalf of providers and insurers to use appropriate safeguards for the PHI they receive from the covered entities. The BAAs also set forth permitted uses and disclosures for the PHI.
Prior to HITECH, business associates were not directly subject to either HIPAA or direct government enforcement action.
Under HITECH, business associates must now comply directly with the administrative safeguards, physical safeguards, policies and procedures and documentation requirements of HIPAA. Business associates also must comply with the HIPAA Privacy Rule provisions that would otherwise be applicable to them through BAAs and any changes to the privacy rules (whether or not those changes are covered by the BAAs).
Business associates can now be subject to enforcement by federal or state authorities for any failure to comply with HIPAA (as amended by HITECH).
If security is breached
In contrast to the previous version of HIPAA, covered entities must now notify individuals whose health information has been breached. Business associates must notify covered entities of any breaches; the covered entity must then notify the individual.
A two-part inquiry is applied to determine if notification is required:
- Does it qualify as a breach?
- Was the information protected by encryption technology?
No notification to individuals is required if the breached information was covered by an encryption system approved by the U.S. Department of Health and Human Services (HHS). Those systems render the information “unusable, unreadable or indecipherable to unauthorized individuals,” using technologies or methods approved by HHS.
Notice must occur no later than 60 days after discovery of the breach. A breach counts as discovered when at least one employee of the entity knows or should have known of it. Notice is also required to be provided to media outlets if the information of more than 500 individuals has been compromised. Notification must also be forwarded to HHS.
Author: Eric A. Mahler is an associate in the Bloomfield Hills, Mich., office of Ogletree, Deakins, Nash, Smoak & Stewart, P.C. His practice concentrates on labor and employment, advising clients on matters including collective bargaining, corporate downsizing, union-free campaigns, media communications regarding labor negotiations, disciplinary matters, grievance adjustment, contract administration and revising job descriptions.