The HITECH Act
Expanding HIPAA
HITECH is an acronym for the Health Information Technology for Economic and Clinical Health Act, which
was introduced in 2009 as part of the American Recovery and Reinvestment Act. The act extends the Health
Insurance Portability and Accountability Act (HIPAA) and provides the regulating bodies with significantly
stronger enforcement power.
HITECH expands the reach of HIPAA data privacy and security requirements to include the business associates
of the entities that are subject to HIPAA (health care providers, pharmacies, and similar). Business
associates are companies like accounting firms, billing agencies, law firms and anyone else who provides
services to the entities covered under HIPAA and is exposed to their patients' data. Under the HITECH
Act, these companies are now directly subject to HIPAA security and privacy requirements, as well as
to the same civil and criminal penalties that hospitals, pharmacies and other HIPAA-covered entities
face for violations.
One of the significant changes introduced in the HITECH Act is the strengthening of the enforcement
of HIPAA. The act adds some real teeth to its enforcement by increasing penalties for noncompliance
and encouraging the United States Department of Health and Human Services’ Office of Civil Rights to
proactively enforce the act by giving the awarded fines back to the Office of Civil Rights.
Additionally, the HITECH Act's data breach notification requirements for protected health information
now extend the data breach notification laws covering information that could be used in identity theft
(Social Security numbers, credit card numbers, banking information, and the like) to health information.
The HITECH Act requires covered entities to notify the Secretary of Health and Human Services and affected
individuals when their protected information has been compromised. Notice must be given to the individuals
whose data is affected without unreasonable delay and no later than 60 days after the breach occurs.
Similarly, business associates that experience a breach are required to notify the covered entities
with which they have contracted, and the covered entities will then notify the affected individuals.
If the breach involves 500 people or more, the covered entity will also be required to notify major
media outlets.
To prepare for these new requirements, experts suggest covered entities and business associates alike
should, at a minimum, review their current software, security and processes to make sure they are in
compliance. At a minimum, covered entities are being advised to notify their business associates that
changes are required by the American Recovery and Reinvestment Act and begin working on a plan to revise
their business associate contracts to reflect the changes.