The HITECH Act (Health Information Technology for Economic and Clinical Health) was passed in February 2009 as part of the American Recovery and Reinvestment Act. It expanded the obligations of covered entities and business associates to protect the confidentiality and security of Protected Health Information (PHI). Its main purpose was to close gaps in HIPAA created by technologies that did not exist when HIPAA was originally implemented.
Given the pace of change in communications technology in the 21st century, the HHS Office for Civil Rights (OCR) and other regulatory bodies have continued to revise the rules so that oversight keeps up with the lapses revealed when technology outpaces legislation. To that end, OCR released the final HIPAA/HITECH "Omnibus" Rule on January 17, 2013. The rule strengthens the privacy, security, enforcement and breach notification rules, and consolidates them while removing ambiguities and redundancies in the existing regulations. According to HHS Secretary Kathleen Sebelius, "the new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age…[since] much has changed in healthcare since HIPAA was enacted over 15 years ago."
Prior to the HITECH Act, business associates had only contractual obligations under their business associate agreements to maintain the privacy and security of PHI; they were not directly subject to the HIPAA rules or their sanctions. The HITECH Act extended HIPAA obligations to business associates by:
- Applying many of the security and privacy standards to business associates
- Requiring business associates to comply with the breach notification requirements of the HITECH Act
- Subjecting business associates to civil and criminal penalties for HIPAA violations
Furthermore, the HITECH Act increased the HIPAA penalty amounts and requires periodic audits to verify that covered entities and business associates comply with the new rules.
The changes give the public greater protection of, and control over, their PHI. The rules apply to health care providers, health plans and entities that process health insurance claims, and they now hold everyone who handles PHI, including third-party billing services, contractors and subcontractors, accountable under HIPAA rules and penalties for its use and disclosure.
Covered entities must obtain satisfactory assurances from their business associates, business associates must obtain the same from their subcontractors, and so on, however far down the chain the information flows.
The new rule also:
- Tightens the limits on the use of patient records for marketing
- Prohibits the sale of patient information without the patient's authorization
- Gives patients who pay for a service out of pocket in full the right to insist that their provider not share information about that treatment with their health plan
The Final Rule broadens the breach notification obligations of covered entities and business associates by modifying the definition of "breach" and the risk assessment used to decide whether notification is required. It replaces the "harm" standard of the interim Breach Notification Rule with a standard based on the probability that the PHI has been compromised: an impermissible use or disclosure is presumed to be a breach, and notification is required, unless the entity can demonstrate a low probability that the PHI has been compromised. That assessment must consider at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification (sensitive categories such as mental health records weigh heavily)
- The unauthorized person who used the PHI or to whom it was disclosed (for example, a misdirected fax to another HIPAA-regulated entity, where the risk of misuse is low)
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
The Final Rule also sets out the factors OCR weighs when determining the amount of a civil money penalty, including:
- The number of individuals affected
- The time period during which the violation occurred
- Whether the violation caused physical, financial or reputational harm
- Whether the individual's ability to obtain health care was hindered
Other changes in the Final Rule:
- Patients can ask for an electronic copy of their electronic health record
- Penalties for noncompliance increased and are tiered by the level of negligence, with a maximum of $1.5 million per calendar year for all violations of an identical provision
Covered entities, business associates, subcontractors and vendors should review, revise and implement policies and procedures to comply with the Final Rule.
The new regulations took effect on March 26, 2013, with a compliance deadline of September 23, 2013, after which OCR enforces them.