HITECH
Health Information Technology for Economic and Clinical Health Act (HITECH Act)
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was signed into law on February 17, 2009 as part of Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA) and sets forth a federal standard for security breach notifications relating to the unauthorized dissemination of protected health information (PHI). The Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not currently require covered entities to report and/or notify individuals or government agencies of any unauthorized access to and/or dissemination of PHI. Section 13402 of the HITECH Act requires covered entities (as defined by HIPAA) to notify individuals if there has been a breach of their unsecured protected health information (UPHI). Section 13407 of the HITECH Act sets forth breach notification requirements for vendors of personal health records (PHR) and related entities that are not subject to the HIPAA requirements.
Section 13402 of the HITECH Act requires covered entities and business associates, in the event of a breach of any PHI, to notify each individual whose UPHI has been, or is reasonably believed by the covered entity to have been, disclosed without authorization. Unsecured protected health information is defined as PHI that “is not secured through the use of a technology or methodology” specified by the Secretary of the Department of Health and Human Services (DHHS) in guidance that was issued on April 17, 2009. The DHHS guidance sets forth the technologies and methodologies that covered entities should employ to render PHI unusable, unreadable or indecipherable to unauthorized individuals. The term “breach” is defined by the HITECH Act as the “unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
In the event of any breach of any UPHI, the covered entity must notify all affected individuals without unreasonable delay but in no case later than sixty (60) calendar days after the discovery of the breach by the covered entity. Written notice may be sent to the individual by first class mail at the last known address or by electronic mail, if specified by the individual. Section 13402 of the HITECH Act also provides for emergency and/or substitute delivery methods for the notice. In the event the breach of UPHI affects more than 500 residents of a State or jurisdiction, the covered entity is required to notify (i) prominent media outlets serving said State or jurisdiction; and (ii) the Secretary of DHHS, who will post said breach on the DHHS website.
The content of the breach notice (regardless of the delivery method) must include the following:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.
- A description of the types of UPHI that were involved in the breach.
- The steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website or postal address.
Section 13407 of the HITECH Act requires a vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information, to notify: (i) each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security; and (ii) the Federal Trade Commission (FTC). In addition, third party service providers that provide services to a vendor of PHR must notify said vendor following the discovery of a breach of security of unsecured PHR identifiable health information. The term “PHR identifiable information” is defined as individually identifiable health information (as defined by HIPAA) and includes information “that is provided by or on behalf of the individual; and that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” The content of the breach notice and the method of delivery are the same as set forth in Section 13402 of the HITECH Act.
The HITECH Act requires the FTC to issue interim rules implementing breach notification requirements for PHR vendors and certain other non-HIPAA covered entities on or before August 16, 2009. The HITECH Act also requires the DHHS and FTC to submit a joint report to Congress by February 17, 2010 on privacy, security and breach notification requirements for entities that are not HIPAA covered entities or business associates, such as PHR vendors and other related entities and service providers. HIPAA covered entities, business associates, PHR vendors, PHR related entities and third party service vendors will be required to be in compliance with the federal breach notification provisions within thirty days from the issuance of the interim final regulations.
Enforcement
Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:
- Four categories of violations that reflect increasing levels of culpability;
- Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
- A maximum penalty amount of $1.5 million for all violations of an identical provision.
It also amended section 1176(b) of the Act by:
- Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
- Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.
This interim final rule conforms HIPAA’s enforcement regulations to these statutory revisions that are currently effective under section 13410(d) of the HITECH Act. This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions.
This interim final rule will become effective on November 30, 2009.
Legislative information
- United States Department of Health and Human Services (HHS) Security Standards; Final Rule: 45 CFR Parts 160, 162, and 164
- HHS Standards for Privacy of Individually Identifiable Health Information; Final Rule: 45 CFR Parts 160 and 164
- Law: Pub. L. 104-191, 110 Stat. 1936
- United States House of Representatives: 104 H.R. 3103, H. Rept. 104-469, Pt. 1, H. Rept. 104-736
- United States Senate: 104 S. 1028, 104 S. 1698, S. Rept. 104-156
- HITECH Act Breach Notification Guidance
- HITECH Act Enforcement Interim Final Rule
External links
- California Office of HIPAA Implementation (CalOHI)
- "HIPAA", Centers for Medicare and Medicaid Services
- Congressional Research Service (CRS) reports regarding HIPAA, University of North Texas Libraries
- Full text of the Health Insurance Portability and Accountability Act (PDF/TXT) U.S. Government Printing Office
- Full text of the Health Insurance Portability and Accountability Act (HTM) Legal Archiver
- Office for Civil Rights page on HIPAA
- HIPAA documentation, resources and commentary