II. WHO ENFORCES HITECH?
The Office for Civil Rights (“OCR”) of the United States Department of Health and Human Services (“HHS”) is the primary enforcement authority for HITECH. Prior to HITECH, the OCR enforced the HIPAA privacy rules and the Centers for Medicare and Medicaid Services (“CMS”) enforced the security rules. Other federal agencies, such as CMS with the Electronic Health Record (“EHR”) Incentive, may continue to have interests in ensuring HITECH compliance, but HHS has the primary enforcement authority.
As an alternative form of enforcement, state attorneys general also may bring suit in federal courts on behalf of their residents to enforce HITECH. 42 U.S.C. § 1320d-5(d).
III. WHO DOES IT APPLY TO?
HITECH applies to covered entities (“CEs”) which primarily consist of hospitals and physicians. It also applies to business associates (“BAs”) which are people or entities that conduct work on behalf of CEs and handle PHI.
Lawyers who handle PHI through their work for CEs or other BAs are considered BAs. As a result, most health care and medical malpractice attorneys are subject to these regulations.
IV. WHAT DOES IT DO?
A. Preempts State Law
HITECH preempts any contrary provisions of state law. The only exceptions occur when the OCR determines that the state law is necessary, the state law involves controlled substances, or the state law is stricter than the HITECH requirements.
B. Imposes HIPAA Privacy and Security Regulations on BAs
Under HITECH, HIPAA privacy and security regulations are codified to apply not only to CEs, but also to BAs. Prior to HITECH, BAs were not subject to the HIPAA security rules. BAs are now subject to the administrative, physical, and technical security requirements under HIPAA. This is a substantial change because BAs will be required to implement new policies and procedures to ensure compliance with HITECH. An extensive analysis of what used to be required of BAs and the new security compliance requirements for BAs can be found in the HITECH Task Force’s Security Compliance for Business Associates cross-walk located at:
BAs must comply with the privacy requirements as well. BA compliance with the privacy regulations is typically handled through entering into a business associate contract (“BAC”). BACs are used by CEs and BAs to ensure that any BAs working for CEs are in compliance with the HITECH Act. 42 U.S.C. § 17938.
Additional changes to the HIPAA privacy provisions under HITECH include: expanded accounting disclosures (42 U.S.C. § 17935(c)), changes to the minimum necessary standard for disclosures (42 U.S.C. § 17935(b)), restrictions on disclosures to health plans (42 U.S.C. § 17935(a)), a prohibition on the sale of PHI (42 U.S.C. § 17935(d)), mandated access for patients to electronic PHI in EHR (42 U.S.C. § 17935(e)), new restrictions on marketing (42 U.S.C. § 17936(a)), and changes to the fundraising rule (42 U.S.C. § 17936(b)). HIPAA had regulations in most of these areas; however, HITECH increased and expanded the requirements.
C. Imposes Security Breach Notification Requirements
HITECH also creates new security breach notification requirements. A breach notification obligation occurs when there is a breach of unsecured PHI by a CE or a BA. Both the terms “breach” and “unsecured PHI” have specific definitions that help CEs and BAs understand when certain timing and notification requirements under HITECH kick in. A “breach” is defined in 42 U.S.C. § 17921(1) as “the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” Unsecured PHI is defined as PHI that is not secured “through the use of a technology or methodology, specified by the [HHS] Secretary in guidance that renders PHI ‘unusable, unreadable, or indecipherable to unauthorized individuals.’” 45 C.F.R. § 164.402.
CEs and BAs will look to attorneys for assistance to understand when timing and notification restrictions have been triggered. Attorneys will also advise their clients about reducing the risk of a potential breach.
V. WHY SHOULD I CARE?
If you practice in the area of health law, and have any medical provider like a physician, nurse or hospital as a client, it is highly likely that HITECH applies to you. You will need to take the appropriate steps to ensure you are in compliance with HITECH.
Your clients who qualify as CEs and BAs will also look to you for assistance in complying with the HITECH requirements. More specifically, your clients will need assistance in understanding HITECH’s application due to its recent implementation, continuing tweaks to compliance deadlines, and ongoing clarifications. Failure to comply with the HITECH provisions will likely result in significant sanctions, including: civil penalties (42 U.S.C. § 17939(c) – (d)), criminal prosecution and audits (42 U.S.C. § 17940).
VI. WHAT RESOURCES SHOULD I LOOK AT?
HITECH Act – 42 U.S.C. § 300jj et seq.
42 U.S.C. § 17921 et seq.
111 P.L. 5
HITECH Breach Rule – 45 C.F.R. Parts 160 and 164
HIPAA Privacy and Security Rules – 45 C.F.R. Parts 160, 162, and 164
VII. WHERE ELSE CAN I GO FOR HELP?
The following websites provide additional assistance on understanding HITECH:
The ABA HITECH task force:
The Office of Civil Rights:
The Office of the National