
What are the final rules of the HITECH Act?

Published in HITECH Act Regulations

The final rules of the Health Information Technology for Economic and Clinical Health (HITECH) Act significantly strengthened the privacy and security protections of health information under HIPAA, expanding its reach and increasing accountability for violations. These rules, largely implemented through the 2013 HIPAA Omnibus Rule, aimed to promote the adoption and meaningful use of health information technology while ensuring the safeguarding of protected health information (PHI).

Key Pillars of the HITECH Final Rules

The HITECH Act introduced several critical amendments to HIPAA, impacting how healthcare entities and their business associates handle patient data. These changes focused on breach notification, increased penalties, enhanced individual rights, and direct liability for business associates.

1. Enhanced Individual Rights and Authorization Requirements

HITECH expanded the circumstances under which individuals have greater control over their health information and introduced new authorization requirements.

  • Right to an Electronic Copy: Individuals gained the right to request an electronic copy of their medical records. If a covered entity uses an electronic health record (EHR) system, it must provide the requested PHI in electronic form when the individual asks for it and the records are readily producible in that form.
  • Right to Restrict Disclosures to Health Plans: Patients now have the right to restrict disclosures of their PHI to a health plan if the disclosure pertains solely to a healthcare item or service for which the patient, or person acting on behalf of the patient, has paid out of pocket in full.
  • Expanded Authorization for Sensitive Data: The rules clarify and expand situations requiring an individual's express authorization for the use or disclosure of their PHI:
    • Sale of PHI: An authorization must be obtained for the sale of protected health information.
    • Marketing Purposes: Uses and disclosures of PHI for marketing purposes generally require prior authorization from the individual.
    • Psychotherapy Notes: Most uses and disclosures of psychotherapy notes necessitate an individual's explicit authorization. These notes are highly sensitive and are afforded special protection under HIPAA.

2. Direct Liability for Business Associates

One of the most significant changes introduced by HITECH is that business associates (BAs) are now directly liable for compliance with certain HIPAA Privacy and Security Rules. Previously, only covered entities were directly subject to HIPAA rules, with BAs bound by contract.

  • Definition of Business Associate: The rules clarified the definition of a business associate, including subcontractors who create, receive, maintain, or transmit PHI on behalf of a business associate.
  • Direct Compliance: BAs and their subcontractors are now directly responsible for compliance with:
    • The HIPAA Security Rule.
    • Portions of the HIPAA Privacy Rule, including the use and disclosure limitations and the requirement to provide PHI to individuals.
    • The Breach Notification Rule.

3. Strengthened Breach Notification Requirements

HITECH mandated specific procedures for notifying individuals, the Secretary of Health and Human Services (HHS), and in some cases, the media, following a breach of unsecured PHI.

  • Definition of Breach: A breach is generally defined as an impermissible use or disclosure of unsecured PHI that compromises the security or privacy of the PHI.
  • Risk Assessment: Covered entities and business associates must conduct a comprehensive risk assessment to determine if a breach has occurred and whether the PHI has been compromised, based on specific factors outlined in the rules.
  • Notification Timelines:
    • Individuals: Notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
    • HHS: Breaches affecting 500 or more individuals must be reported to HHS concurrently with individual notifications. Smaller breaches can be logged and reported annually.
    • Media: If a breach affects 500 or more residents of a state or jurisdiction, prominent media outlets serving that area must also be notified.

4. Increased Enforcement and Penalties

HITECH significantly increased the civil monetary penalties for HIPAA violations, introducing a tiered penalty structure based on the culpability of the covered entity or business associate.

  • Tiered Penalties: Penalties range from a minimum of $100 per violation for unintentional breaches, up to $50,000 per violation for willful neglect, with annual caps reaching $1.5 million.
  • Mandatory Investigations: HHS is required to investigate complaints of violations that involve willful neglect.
  • State Attorneys General Enforcement: State attorneys general were granted the authority to enforce HIPAA rules, bringing civil actions on behalf of their residents.

5. Genetic Information Nondiscrimination Act (GINA)

The HITECH Omnibus Rule also incorporated provisions of the Genetic Information Nondiscrimination Act (GINA) into HIPAA, designating genetic information as protected health information. This prevents health plans from using or disclosing genetic information for underwriting purposes.

Summary of Key HITECH Final Rule Changes

The table below summarizes some of the most impactful changes brought about by the HITECH Act's final rules:

| Feature | Pre-HITECH (Original HIPAA) | Post-HITECH (Final Rules) |
| --- | --- | --- |
| Business Associate Liability | Contractually obligated, not directly liable under HIPAA | Directly liable for specific HIPAA Privacy & Security Rule violations |
| Breach Notification | No explicit federal breach notification requirements | Mandatory notification for unsecured PHI breaches |
| Penalties | Lower civil monetary penalties; less aggressive enforcement | Significantly increased, tiered penalties; mandatory investigations |
| Individual Rights | Limited rights to electronic access and restrictions | Expanded rights (e.g., electronic access, restrict disclosures for self-pay) |
| Authorization (Key Scenarios) | More general for marketing, sale, psychotherapy notes | Explicit authorization required for sale of PHI, marketing, and most psychotherapy notes |
| Genetic Information | Not explicitly defined as PHI under HIPAA | Protected as PHI; GINA protections incorporated |

Practical Implications

The HITECH final rules have compelled healthcare organizations and their partners to elevate their data privacy and security practices.

  • Updated Policies and Procedures: Covered entities and business associates must update their HIPAA policies and procedures to reflect the expanded requirements.
  • Business Associate Agreements (BAAs): Existing BAAs needed to be revised to include the new direct liabilities and obligations of business associates.
  • Enhanced Training: Staff training on HIPAA rules must be updated to cover the HITECH provisions, particularly regarding breach prevention and reporting.
  • Robust Security Measures: Organizations must implement strong technical and administrative safeguards to protect electronic PHI and prevent breaches, given the increased penalties and mandatory breach notifications.

The HITECH Act's final rules represent a significant modernization of HIPAA, adapting it to the digital age of healthcare and placing a higher premium on the protection of patient data.