The HITECH (Health Information Technology for Economic and Clinical Health) Act is Title 13 of the American Recovery and Reinvestment Act of 2009 (ARRA). While the various subtitles of HITECH cover many topics relevant to physicians (for example, financial incentives for health information technology), this article will address only Subtitle D of HITECH amending the privacy and security rules under HIPAA (Health Insurance Portability and Accountability Act of 1996).
HIPAA's privacy and security rules established floors of confidentiality and security protections for patients' demographic and health information in all forms—paper, oral, and electronic. The development of health information technology (for example, electronic health records, personal health records, health information exchanges) has resulted in additional risks; HITECH builds on the privacy and security rules to address these new risks.
Who must comply with the HITECH amendments to HIPAA?
Covered entities and business associates under HIPAA must comply with HIPAA, as amended by HITECH.
Isn't every physician a covered entity under HIPAA?
No. Only providers who electronically submit specific transactions are covered by (required to comply with) HIPAA. The most common transaction that makes a provider covered is the electronic submission of claims to health plans. The Department of Health and Human Services (HHS) has useful resources for determining the applicability of the federal HIPAA regulations posted at <www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html>.
What is a business associate?
Under the privacy rule, a business associate is a person who provides a function on behalf of a covered entity (other than as part of the covered entity's workforce) that involves the use of protected health information (PHI). Examples of this type of business associate include billing services, transcription services, and answering services. A business associate is also a person who provides specified services involving the use of PHI to a covered entity. The specified services are legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services. The HHS Web site at <www.hhs.gov/ocr/privacy> has much more information on entities that are, and are not, business associates.
Business associates may use and disclose PHI, but only in compliance with the business associate agreement evidencing the business associate's promise to maintain the confidentiality and security of PHI. Under existing law, business associates only have contractual liability with the covered entity via the business associate agreement. As of February 2010, business associates must comply with the security rule and will be subject to government enforcement.
What does HITECH say about HIPAA?
There are many changes to HIPAA under HITECH, but not all of the provisions have the same effective date. See Summary Timeline for HITECH Requirements for Providers Covered Under HIPAA for a timeline showing the implications of the major HITECH provisions for HIPAA-covered entities.
The most significant provisions of HITECH include the following:
Part 2 of this article will include FAQs on enforcement and compliance with HIPAA, as well as breach notification. Please note that nothing in this article should be construed as legal advice.