Health Information & Technology for Economic and Clinical Health Act ("HITECH")

    April 3, 2009 | Authors: Teresa K. Culver; Christie Kizer Burbank; Stephanie S. Pierce
    Law Firms: Miller & Martin PLLC - Nashville Office; Miller & Martin PLLC - Chattanooga Office

    On February 17, 2009 the American Recovery and Reinvestment Act of 2009 (the "Act") was signed into law by President Obama. The law, also known as the Economic Stimulus Bill, contains substantial changes to the HIPAA privacy and security laws as part of the Health Information and Technology for Economic and Clinical Health Act ("HITECH"). The changes will have a significant impact on hospitals and other health care entities and providers in numerous areas: (1) relationships with and responsibilities of Business Associates, (2) notifications of breaches of protected health information, (3) HIPAA enforcement and the penalties for violations, and (4) the use of electronic health records.

    The following summarizes a few of the HITECH provisions of the Act.

    • Application of HIPAA to Business Associates. Applies the HIPAA privacy provisions and security standards and the corresponding civil and criminal penalties for violating same to business associates in the same manner as applied to covered entities.
    • Notification of Breaches. Defines "Breach" as the unauthorized acquisition, access, use, or disclosure of protected health information ("PHI"). Requires a covered entity to notify each individual of a breach of unsecured PHI within 60 days of the breach. Requires business associates to notify covered entities of a breach of unsecured PHI. Requires a covered entity to notify the Secretary of the Department of Health and Human Services (the "Secretary") of such breaches. If the breach involves more than 500 individuals, the Secretary must be notified immediately and notice must be made to local media. Breaches involving fewer than 500 individuals may be maintained on a log and reported annually to the Secretary. These requirements will go into effect 30 days after the date that interim final regulations are issued which will be no later than August 16, 2009.
    • Restrictions Requested by Patients. Permits individuals to request non-disclosure of PHI to a health plan if the individual has paid out-of-pocket, in full, for the item or service.
    • Accounting of Disclosures. Where a covered entity uses or maintains an electronic health record ("EHR") with respect to PHI, individuals will have the right to receive an accounting of PHI disclosures made by the covered entity for treatment, payment, and health care operations during the preceding three years. Effective Jan. 1, 2014 for covered entities that acquired an EHR by Jan. 1, 2009; for covered entities acquiring an EHR after Jan. 1, 2009, effective the later of Jan. 1, 2011 or the date the EHR is acquired.
    • Increased Penalties and Enforcement. Clarifies that criminal penalties for wrongful disclosure of individually identifiable health information apply to an individual who, without authorization, obtains or discloses such information maintained by a covered entity whether or not that individual is an employee of the covered entity. Authorizes State attorneys general to prosecute and seek civil penalties and allows collection of attorneys' fees by an attorney general. Within three years of the effective date of the Act, the Secretary will implement a system whereby harmed individuals may receive a percentage of any civil monetary penalty or monetary settlement collected as the result of a HIPAA violation.
    • Electronic Health Records. HITECH provides for $19 billion in grants and loan funding to eligible entities, which include, among others, health care providers (including hospitals and physicians) participating in Medicare, Medicaid, and the State Children's Health Insurance Program. The funds will support technology architecture, development and adoption of certified EHRs, training, infrastructure, and overall expansion and promotion of health information technology. Hospital incentives start at $2 million annually, with an additional amount tied to annual Medicare discharge volume, and will decrease for each subsequent year during a 5-year incentive period. With certain qualifiers, non-hospital-based physicians and physician groups can receive up to $60,000 for "Qualifying EHR Systems" during the 5-year incentive period, including up to $18,000 the first year (2011) and decreasing thereafter.

    The following are among the steps covered entities should consider in preparation for these changes:

    • Develop and implement a Breach Notification Policy and Procedure;
    • Update Notice of Privacy Practices as needed;
    • Revise HIPAA policies and procedures to encompass changes (Business Associates will need to implement written HIPAA privacy and security policies);
    • Review and amend existing business associate agreements, including determining whether new business associate agreements are needed, to incorporate the expanded requirements;
    • Plan ahead and position your entity to obtain loan and grant funding through the stimulus for purposes of implementing an EHR; and
    • Once guidance is issued by the Secretary regarding specific technologies and methodologies that render PHI secured, ensure health information is protected through the use of those technologies or methodologies.

    Please note that this is a summary of a few of the significant provisions of the HITECH Act. As proposed regulations are issued, we will provide further updates.