The HITECH Act Final Rule, officially known as the Omnibus Rule, represents a significant update to the Health Insurance Portability and Accountability Act (HIPAA), substantially strengthening patient privacy and data security protections. Published in 2013, this rule implemented the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act (ARRA) of 2009.
What is the HITECH Act Final Rule?
The HITECH Act Final Rule was enacted to enhance the privacy and security of Protected Health Information (PHI) in an increasingly digital healthcare landscape. It broadened the scope of HIPAA's regulations, making them more robust and applicable to a wider range of entities involved in healthcare data.
Key Provisions and Impacts of the Omnibus Rule
The Final Rule introduced several critical changes that redefined compliance requirements for healthcare organizations and their partners.
1. Expanded Scope and Business Associate Liability
One of the most impactful changes was extending direct HIPAA liability to Business Associates (BAs) and their subcontractors.
- Before the Omnibus Rule: Business Associates (entities performing services for Covered Entities involving PHI, like billing companies or IT providers) were contractually obligated to protect PHI but not directly liable for HIPAA violations.
- After the Omnibus Rule: BAs and their subcontractors are now directly liable for complying with specific HIPAA Privacy and Security Rule provisions. This means they can face civil and criminal penalties for non-compliance, just like Covered Entities.
2. Stricter Breach Notification Requirements
The rule revised the criteria for determining what constitutes a reportable breach of unsecured PHI.
- It introduced a presumption of a breach unless a Covered Entity or Business Associate can demonstrate that there is a low probability that the PHI has been compromised.
- This shifts the burden of proof, requiring a risk assessment to justify not notifying individuals and the Department of Health and Human Services (HHS) of a potential breach.
3. Enhanced Individual Rights
Patients gained greater control over their health information, empowering them with new rights concerning their PHI.
- Right to Restrict Disclosure: Individuals were granted a crucial new right to restrict the disclosure of their PHI to health plans. This applies specifically when the disclosure is for payment or healthcare operations, and the individual has paid in full, out-of-pocket, for the healthcare services or items. This means if you pay for a service entirely yourself, you can request your provider not share that specific information with your insurance company for billing or operational purposes.
- Access to Electronic Records: The rule affirmed the right of individuals to obtain an electronic copy of their Electronic Health Records (EHRs).
- Personal Representative Designation: Clarified when and how personal representatives can act on behalf of individuals regarding their PHI.
4. Restrictions on PHI Use for Marketing and Fundraising
The Final Rule tightened regulations around how PHI can be used for marketing and fundraising activities.
- Marketing: Generally requires individual authorization for marketing communications where a Covered Entity receives remuneration for making the communication.
- Fundraising: While still permitted, individuals must be given a clear and conspicuous opportunity to opt out of future fundraising communications.
5. Prohibition on the Sale of PHI
With limited exceptions, the rule explicitly prohibits the sale of PHI without a patient's specific written authorization. This measure aims to prevent the commercialization of sensitive health data.
6. Genetic Information Non-Discrimination Act (GINA) Protections
The Omnibus Rule incorporated protections from the Genetic Information Non-Discrimination Act (GINA) into HIPAA. This means that genetic information is now specifically protected as PHI, preventing its use for discriminatory purposes in health insurance or employment.
7. Increased Penalties for Non-Compliance
The Final Rule significantly increased the civil monetary penalties for HIPAA violations, establishing a tiered penalty structure based on the level of culpability (e.g., unawareness, reasonable cause, willful neglect). This escalation in penalties served as a strong deterrent for non-compliance.
Practical Implications and Examples
The HITECH Act Final Rule fundamentally reshaped how healthcare data is handled and protected across the industry.
- For Healthcare Providers (Covered Entities):
  - Updated Policies: Providers had to revise their privacy practices and policies to reflect the new regulations, especially concerning breach notification and individual rights.
  - Staff Training: Extensive training became necessary for all staff handling PHI to ensure understanding of and compliance with the expanded rules.
  - Business Associate Agreements (BAAs): Existing BAAs had to be updated, and new agreements meticulously drafted, to ensure BAs acknowledged their direct liability.
- For Business Associates and Subcontractors:
  - Direct Compliance Programs: BAs had to establish their own internal HIPAA compliance programs, including risk assessments, security safeguards, and breach response plans.
  - Due Diligence: BAs must apply increased scrutiny when selecting their own subcontractors to ensure they also meet HIPAA standards.
- For Patients:
  - Greater Transparency: Patients gained more insight into how their health information is used and shared.
  - Enhanced Control: The ability to restrict PHI disclosure, particularly for services paid out-of-pocket, offered a new level of control over personal health data.
The HITECH Act Final Rule reinforced HIPAA's foundational principles, adapting them to the complexities of modern digital healthcare and ensuring stronger protections for patient privacy and security.