HIPAA is being amended to align it with the Health Information Technology for Economic and Clinical Health Act (HITECH Act), so that its provisions are enforced more rigorously than they have been.

The HITECH Act is part of the American Recovery and Reinvestment Act of 2009 and governs the management and maintenance of health care information technology. It was enacted to give health care providers incentives to move to electronic records in the face of an anticipated increase in the volume of health information and in data exchange between health care organizations. HIPAA, in turn, supplies the privacy and security protections that apply to the information so collected.

The criticism most often leveled against HIPAA is that it is not vigorously enforced. The HITECH Act's HIPAA-related provisions respond to that criticism and attempt to close the gap between enactment and enforcement. The HITECH Act imposes mandatory penalties for "willful neglect" (determined on a case-by-case basis), and the amended HIPAA raises the stakes for compliance accordingly.

Breach notification is mandatory for unauthorized access to or use of "unsecured PHI" (under the HITECH Act, PHI that has not been rendered unreadable, in practice PHI that is not encrypted), and the HIPAA and HITECH rules resemble state data breach laws in this respect. Affected individuals must be notified of any breach of their protected health information; HHS must be notified as well, and for larger breaches (those affecting more than 500 individuals) prominent media outlets must also be notified. The duty to notify is not discretionary: it applies unless the incident passes the four prescribed tests of the risk assessment (the "harm threshold"), that is, unless the organization can demonstrate a low probability that the PHI has been compromised.

A health care organization that has implemented an EHR system under the HITECH Act, with an eye on the incentives, must now also ensure that it does not infringe on individuals' rights under the amended HIPAA. Individuals can obtain their PHI in electronic form, or designate, in writing, a third party to receive it. The provider may charge a small, cost-based fee for servicing the request.

The definition of "business associate" has been broadened under both HITECH and HIPAA to include all contractors, subcontractors and others permitted by the health care provider to access patient information. The burden of compliance now rests squarely on both the business associate and the principal (the covered entity), and principals are required to amend their existing business associate agreements, or execute new ones, that incorporate the new provisions and spell out the responsibilities of every party in detail.

Unfortunately, the scope of this article is limited and at best skims the surface. The devil is in the details: serious compliance with either act will demand a more detailed study.