
Thursday May 29, 2014

posted by Thomas J. Banaszynski



            The Health Information Technology for Economic & Clinical Health Act (HITECH) was enacted to encourage the use of electronic health records by healthcare providers. 

HIPAA security and privacy rules apply to healthcare providers and business associates

            Before HITECH, business associates of covered healthcare entities were not directly liable for breaches or improper disclosures of Personal Health Information (PHI) while providing services.  With the enactment of HITECH, not only are business associates expected to comply with the Health Insurance Portability & Accountability Act of 1996’s (HIPAA’s) privacy and security rules, but so are subcontractors of business associates and other “downstream” players.

            With HITECH, business associates are now directly liable under various HIPAA rules, including impermissible uses and disclosures of health information; failure to provide notification to a covered entity in the event of a breach of confidentiality; failure to provide access to a copy of electronic Personal Health Information (PHI) to either a covered entity or an individual; failure to disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA rules; or failure to comply with the requirements of the security rule. 

            Business associates must also bear in mind that they have certain contractual obligations.  Covered entities must establish a Business Associate Agreement that requires business associates to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI that they create, receive or maintain on behalf of a covered entity. 

What happens when Personal Health Information is wrongfully disclosed

            HITECH requires HIPAA-covered entities to provide notification to affected individuals and – in certain circumstances – to the Secretary of HHS following the discovery of a breach of unsecured protected health information.  A breach is treated as “discovered” on the first day the covered entity knows – or should reasonably have known – of the breach.  In the event a breach is discovered by a business associate of a covered entity, the Act requires the business associate to notify the covered entity.

            A “breach” is the unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of such information. 

            Notifications should include, to the extent possible:  (1) a brief description of what happened, including dates; (2) a description of the types of PHI involved; (3) any steps individuals should take to protect themselves; (4) a brief description of what the covered entity is doing to investigate and correct or mitigate the damage; and (5) procedures for individuals to ask questions.

An individual right to request a restriction of uses and disclosures of his or her personal health information

            Prior to HITECH, covered healthcare providers had discretion to accept or reject an individual’s request to restrict the use or disclosure of PHI for treatment, payment and healthcare operations purposes.  Now, HITECH sets forth circumstances in which a covered entity must comply with an individual’s request to restrict disclosure of PHI to his or her health plan. 

            With respect to maintenance of medical records, the covered entities need to employ some method of flagging or making notations in the record to ensure that PHI is not inadvertently sent to a health plan. 

(Adapted from an article by Anthony L. Holton, “Health Care Lawyers:  Ensure your clients (and your colleagues) are compliant with HITECH”, Res Gestae, March 2014.) 

               Please call our office if you have questions on protected health information or any privacy issues.