Becoming "HITECH" -- The Evolving State of Health Information Privacy and Security
This is the first in a series of three HITECH alerts.
The Health Information Technology for Economic and Clinical Health Act (the “HITECH Act” or “HITECH”), which was included in the 2009 American Recovery and Reinvestment Act, significantly broadens the scope of existing health information privacy and security requirements, particularly the regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This Alert is the first in a series of three HITECH alerts produced by the Wolff & Samson Health Care and Hospital Group that will discuss the major provisions of HITECH affecting HIPAA covered entities and business associates.
What You Should Do Now
While several of HITECH’s provisions are effective February 17, 2010, many provisions require guidance and/or further regulation from the Secretary of the United States Department of Health and Human Services (the “Secretary”). The legal landscape for the privacy and security of health information will inevitably evolve as a result of such guidance and regulations. However, in the meantime, HIPAA covered entities and business associates should be aware of the potential scope of their HITECH obligations.
If you are a HIPAA covered entity and have not done so already, you should acknowledge the changes made by HITECH that are summarized in this series of Alerts and amend your practices, policies, procedures and training programs accordingly. If you are a business associate of a HIPAA covered entity, HITECH significantly expands your compliance obligations and will essentially require you to implement many of the same administrative and compliance safeguards covered entities were required to implement under HIPAA. If they have not done so yet, business associates should evaluate their current practices in complying with the terms of their Business Associate Agreements and, if necessary, put in place the infrastructure required to fulfill their expanded compliance obligations. The extent of such obligations and the internal infrastructure needed to implement HITECH will depend on the extent of the activities the business associate performs on behalf of covered entities that involve the use or disclosure of protected health information.
What Is HITECH?
HITECH, in part, (i) creates new and revises or expands existing privacy requirements with respect to protected health information (“PHI”) under HIPAA (the “HITECH HIPAA Amendments”); (ii) imposes the HITECH HIPAA Amendments as well as certain existing HIPAA privacy and security standards directly on business associates and applies civil and criminal penalties to business associates for violations; (iii) requires covered entities to notify individuals – and requires business associates to notify covered entities – when unsecured PHI has been breached (“Breach Notification Standards”); and (iv) expands existing enforcement provisions and penalties for violations of health information privacy and security requirements.
The remainder of this first Alert summarizes certain HITECH HIPAA Amendments. The second Alert will address the implications of HITECH specifically for business associates and business associate agreements. The third Alert will review the Breach Notification Standards.
HITECH HIPAA Amendments Effective February 17, 2010
- Mandatory Compliance with Individual’s Request to Restrict Certain Disclosures of PHI to Health Plan. Covered entities and business associates are now required to comply with an individual’s request to restrict the disclosure of his or her PHI to a health plan for the purpose of facilitating payment or healthcare operations if the PHI pertains solely to a healthcare item or service for which the healthcare provider has been paid out of pocket in full.
- Change to HIPAA “Minimum Necessary” Standard – Burden Placed on Disclosing Entity to Make “Minimum Necessary” Determination. When using or disclosing PHI or when requesting PHI from another covered entity, current HIPAA regulations require a covered entity to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request (i.e., the “minimum necessary” standard). Pursuant to the HITECH Act, compliance with the HIPAA “minimum necessary” standard will be deemed to have occurred only if a covered entity or business associate limits the use, disclosure or request of PHI, to the extent practicable, to a limited data set or, if needed by such entity, the “minimum necessary” to accomplish the intended purpose of such use, disclosure or request. In addition, the covered entity or business associate making a disclosure of PHI cannot rely on a requesting covered entity’s assessment of “minimum necessary;” the disclosing entity must make its own determination as to whether or not a disclosure meets the “minimum necessary” standard. The Secretary must issue guidance as to what constitutes “minimum necessary” by August 2010.
- Individual’s Right to Access Certain PHI in an Electronic Format. In the event a covered entity uses or maintains PHI in an electronic health record, an individual has a right to obtain a copy of such PHI in an electronic format and/or direct the covered entity to transmit such copy to a person or entity designated by the individual.
- Certain Marketing-Related Activities Not Considered “Healthcare Operations” – Patient Authorization Likely Required for Such Activities. Communications encouraging patients to use a product or service will not be considered “healthcare operations” under HIPAA and will likely require a HIPAA patient authorization unless such communications are used (a) to describe a health-related product or service that is included in a plan of benefits of the covered entity, (b) for treatment of the individual, or (c) for case management or care coordination. In addition, even if any of the exceptions (a) through (c) apply, such communications will generally not be considered “healthcare operations” if the covered entity receives direct or indirect payment in exchange for the communication, in which case a HIPAA patient authorization will likely be required.
- Expansion of HIPAA Fundraising Opt-Out Requirement. Written fundraising communications that currently fall under the HIPAA definition of “healthcare operations” occurring on or after February 17, 2010 must provide, in a clear and conspicuous manner, an opportunity for the recipient of the communication to elect not to receive any further such communication. Such an election shall be considered a revocation of the recipient’s previous HIPAA authorization, if applicable.
Other HITECH HIPAA Amendments That Have an Effective Date Later Than February 17, 2010
The following HITECH HIPAA Amendments have an effective date later than February 17, 2010; their actual effective date depends on the circumstances, as further explained below.
- Individuals Have Right to Receive Accounting of PHI Disclosures Made Through an Electronic Health Record for Purposes of Treatment, Payment and Healthcare Operations. Currently, HIPAA does not provide an individual with a right to receive an accounting of disclosures of PHI made by a covered entity for purposes of the covered entity’s treatment, payment and healthcare operations. The HITECH Act now provides such a right with respect to disclosures of PHI made through an “electronic health record” (“EHR”). The effective date of this HITECH provision depends on when the covered entity acquired the EHR, but it will in no event apply to disclosures made from an EHR prior to January 1, 2011.
- Prohibition on Sale of PHI without Patient Authorization. Under HITECH, a covered entity and business associate will be prohibited from directly or indirectly receiving remuneration in exchange for any PHI of an individual without a HIPAA patient authorization unless an exception applies. Exceptions to this provision include exchanges for (i) public health activities; (ii) research purposes; and (iii) treatment of the individual. The Secretary is required to promulgate regulations to implement this provision by August 2010. This provision will not be effective until six months after the date of the promulgation of such regulations.
For more information, please contact:
David M. Hyman, Member of the Firm, (973) 530-2009
Daniel A. Schwartz, Member of the Firm, (973) 530-2005
Nicole DiMaria, Counsel, (973) 530-2111