HIPAA/HITECH recent changes:
Title XIII of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, was enacted February 17, 2009, with most of its privacy and security provisions taking effect February 17, 2010. It codifies and expands many of the requirements published by the Department of Health and Human Services (“DHHS”) pursuant to HIPAA to protect the privacy and security of protected health information (“PHI”).
Business Associates (generally defined as a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information) of Covered Entities (health plans, health care clearinghouses and any health care provider who transmits health care information in electronic form in connection with transactions for which DHHS has adopted standards under HIPAA) were to have complied with the HIPAA Security Rule, as extended to them by the HITECH Act, on or before February 17, 2010. Business Associates are now directly regulated by the federal government. The HITECH Act provides that the security requirements of HIPAA that previously applied only to Covered Entities now apply to Business Associates as well, and those requirements must be a part of the Business Associate Agreement between the Covered Entity and the Business Associate.
On February 18, 2010 a new restriction on disclosure of PHI became effective that applies to Covered Entity health care providers. A health care provider must now honor a patient's request to restrict disclosure of PHI to a health plan for purposes of payment or health care operations (as opposed to treatment) if the patient has paid the health care provider out of pocket in full for the item or service.
On February 22, 2010, enforcement of the Breach Notification Rule went into effect for “failure to provide the required notifications for breaches” of unsecured PHI discovered on or after that date. This Rule applies to both Covered Entities and Business Associates, imposes obligations on each regarding the compilation and recording of information concerning a breach by either party, and must also be a part of the Business Associate Agreement between the Covered Entity and the Business Associate.
The HITECH Act mandates compliance audits by DHHS and provides enhanced civil and criminal penalties for non-compliance. Authority to bring civil enforcement actions for non-compliance has, further, been extended to State Attorneys General. You are encouraged to contact your attorney or another person or organization having expertise in HIPAA/HITECH requirements to ensure you are, or quickly become, current with the latest changes in the continuing effort to protect PHI.