HIPAA HITECH Act
The Health Insurance Portability and Accountability Act (HIPAA) was amended in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act was part of the American Recovery and Reinvestment Act (ARRA) of 2009. The HITECH Act required the U.S. Department of Health and Human Services (HHS) to modify the HIPAA Privacy, Security and Enforcement Rules (HIPAA Rules). The HITECH Act further strengthens the privacy and security protections for health information and improves the ease of use and effectiveness of the HIPAA Rules. Proposed Federal Regulations have recently been released by HHS.
These proposed Regulations not only make HITECH changes, but they are also the first major update of the HIPAA Privacy Rule and HIPAA Security Rule since 2003. (The Privacy Rule and the Security Rule can be found at 45 CFR Sections 160, 162 and 164.) HHS says that it took this opportunity to update the Privacy and Security Rules as HHS "has accumulated a wealth of experience with these rules, both from public contact in various forums and through the process of enforcing the rules."
In the proposed Federal Regulations, HHS solicits comments regarding specific elements of the proposed changes. These comments are due to HHS by September 12, 2010. They could help shape the final Regulations issued by HHS. In the recent past, HHS has seriously considered the comments it received.
The proposed modifications to the HIPAA Rules include:
- expanding the required content of business associate (BA) agreements;
- extending BA requirements to subcontractors;
- establishing new limitations on the use and disclosure of protected health information (PHI) for marketing and fund-raising purposes;
- creating additional requirements for Notices of Privacy Practices that covered entities are required to give;
- greatly increasing the possible civil penalties for violations of HIPAA;
- expanding individual patients' rights to access their information and to place restrictions on certain disclosures of PHI to health plans;
- providing more flexibility for research authorizations, including the use of PHI for future, unspecified research;
- providing mandatory notices to patients for breaches or possible breaches of their privacy under certain circumstances;
- allowing for the disclosure of PHI to a decedent's family members, even if they are not personal representatives;
- prohibiting the sale of PHI; and
- adding provisions designed to strengthen and expand HIPAA's enforcement provisions.
If you are a health care provider who is accused by a patient of a breach of the patient's confidentiality, you should immediately retain the services of a qualified health attorney to represent you. If you receive a notice from the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services that it is investigating a complaint for a violation of HIPAA, you should immediately retain the services of a qualified health attorney to represent you; you could be facing criminal penalties or significant civil fines.