Passed on February 17, 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) requires entities covered by HIPAA and their business associates to notify each individual “whose unsecured PHI (protected health information) has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to a breach. Protected health information is deemed to be secured when it has been encrypted or destroyed in accordance with the standards of the National Institute of Standards and Technology.
A breach is defined under the HITECH Act as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The HITECH Act also sets forth two exceptions to reporting a breach: (1) an employee or authorized individual of a covered entity or business associate acquires, accesses, or uses the PHI without authorization, but in good faith and within the course and scope of employment or another professional relationship, and no further acquisition, access, use, or disclosure of the PHI takes place; or (2) an individual authorized to access the PHI at a facility operated by a covered entity or business associate inadvertently discloses the PHI to a similarly situated individual at the same facility, and no further acquisition, access, use, or disclosure of the PHI takes place.
Written notification of a breach must take place without unreasonable delay, i.e., no later than 60 calendar days after the circumstances of the breach are known by the covered entity’s or business associate’s employee, officer, or other agent, exclusive of the individual causing the breach. Notifications can be provided in electronic format if the individual has expressed that preference. If the contact information is out of date or nonexistent, alternative notice must be provided via the website or major media outlets, and the alternative notice methods must include a toll-free number. If a large number of individuals in a state or jurisdiction (i.e., 500 or more) are affected by the breach, notice must be provided via prominent media outlets in addition to the usual notification methods. The notices must set forth the nature of the breach, a description of the PHI disclosed, the steps individuals should take to protect themselves, the actions taken by the covered entity or business associate, and contact procedures.
The HITECH Act clarified an ambiguity under HIPAA by stating that the criminal penalties of HIPAA apply to persons other than covered entities. Thus business associates and other third parties that obtain or disclose PHI without authorization are subject to criminal penalties for disclosure of PHI. The civil penalties for failure to comply with HIPAA have also been increased under the HITECH Act, which implemented tiered penalties whose severity depends on the nature of the violation. Violations due to willful neglect are now subject to civil money penalties, and starting in 2011 the Secretary of the Department of Health and Human Resources will be required to investigate such violations when a complaint is filed. There are four tiers of violations under the HITECH Act amendments. The penalties escalate from $100 per violation at the lowest tier to $50,000 per violation at the highest, and the overall penalties for a calendar year can range from $25,000 to $1,500,000.
This summary covers only the salient points of the HITECH Act for the lay person. The details of other provisions will be covered in other postings in this series.