On Feb. 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 ("ARRA"). Title XIII of ARRA, the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), significantly changes the landscape of federal privacy and security law as it relates to protected health information ("PHI"). As part of its effort to develop a nationwide health information technology infrastructure that allows for the electronic exchange of PHI, Congress, in passing the HITECH Act, has (1) extended the reach of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing privacy and security regulations (respectively, the "Privacy Rule" and the "Security Rule"), (2) imposed a breach notification requirement on HIPAA covered entities and their business associates, (3) limited certain uses and disclosures of PHI, (4) increased individuals' rights with respect to PHI and, significantly, (5) increased enforcement of, and penalties for, violations of privacy and security of PHI. The most significant of these changes are summarized below. Many of the HITECH Act's provisions will be effective on Feb. 17, 2010 (12 months after its enactment), while other provisions require implementing regulations or may become effective two years or more after the law's enactment.
Breach Notification
The HIPAA Privacy and Security Rules do not currently require covered entities to notify individuals when their PHI has been subject to a breach. However, most states have passed general security breach notification laws in recent years that require notification of individuals whose personal or financial information (such as a Social Security number or credit card number) has been subject to unauthorized access. The HITECH Act adopts many of the common elements of those state laws but adds more detailed and stringent requirements, including provisions regarding (1) the content of the notice, (2) media notice, (3) the encryption technologies that are considered acceptable, which determine whether PHI counts as "unsecured" and therefore whether a breach of it triggers the notification duty at all, and (4) the 60-day deadline for notification. Applying security breach notification standards to medical information is consistent with concerns expressed by the Federal Trade Commission ("FTC") and other regulators about the growing crime of medical identity theft.
New Regulation of Personal Health Record Vendors
The recent movement to adopt personal health records ("PHRs"), spurred by the efforts of large employers, has led to concerns that vendors of PHR products are not necessarily required by law to report breaches involving PHR data. Most state security breach notification laws do not define "personal information" to include medical information, focusing instead on information that may be used to commit financial fraud. The HITECH Act addresses that perceived deficiency by extending breach notification requirements parallel to those described above to (1) PHR vendors, (2) businesses that offer products or services through a website of a PHR vendor or of a covered entity that offers PHRs, and (3) entities that access information in, or send information to, a PHR (collectively, "PHR businesses"). Because PHR businesses are generally not HIPAA covered entities, these requirements are enforced by the FTC rather than by HHS.
Business Associates — Increased Duties and Penalties
Prior to the enactment of the HITECH Act, HIPAA applied to business associates only indirectly, by way of the business associate's contractual obligations to the covered entity. Similarly, the penalty for a violation of those obligations was merely the damages resulting from the contractual breach (unless the business associate also happened to be a covered entity). The HITECH Act, however, has expanded both the application of HIPAA requirements and the associated penalties to business associates.
Limitations on the Use and Disclosure of PHI
Individual Rights
Increased Enforcement and Penalties
The HITECH Act seeks to put more teeth in HIPAA enforcement efforts by increasing civil penalties for HIPAA violations and, in certain cases, requiring formal investigations. These changes appear to respond to charges that the Centers for Medicare and Medicaid Services ("CMS"), which enforces the Security Rule, and the HHS Office for Civil Rights ("OCR"), which enforces the Privacy Rule, have been less than rigorous in enforcing HIPAA. In October 2008, these charges took the form of a report from the HHS Office of Inspector General ("OIG") that took CMS to task for ineffective and incomplete enforcement of the Security Rule. In the report, OIG charged that CMS' approach to Security Rule enforcement left "significant vulnerabilities" undetected with respect to electronic medical records at U.S. hospitals.