Requirements - and penalties - of the privacy and security rules now apply directly to business associates. These include such entities as IT vendors, banks, billing firms and other service providers, who now must comply with the rules as if they were covered entities. Further, some newer types of organizations - particularly health information exchanges/regional health information organizations, e-prescribing gateways and personal health records vendors - now are considered business associates.
Under HITECH as enacted, covered entities and personal health records vendors must notify individuals if their protected health information is breached. They also must notify the Department of Health and Human Services and local news media if the breach involves more than 500 individuals. Business associates experiencing a breach must notify the covered entity, which then notifies individuals. However, notification of a breach is not required if the information was unintentionally disclosed to an authorized recipient and is not further disclosed, or if it is rendered unreadable via encryption or other methods.
Under an interim final breach notification rule issued in 2009, which may be amended based on industry feedback, HHS instituted a "harm threshold" that would dictate when an organization has to notify individuals of a breach. The organization upon learning of a breach would conduct a risk assessment to determine if the breach could cause harm that would warrant notification.
In other words, organizations that experience a breach can determine if they need to give notification. Industry reaction to this harm threshold has been mixed (See related story, page 38). Privacy advocates and members of Congress charged that HHS violated congressional intent by adding the threshold. Organizations representing providers said the change was reasonable and would reduce unnecessary notifications.
HITECH also gave individuals the right to request from covered entities an accounting of all disclosures of their protected health information from electronic health records systems. This includes information used for treatment, payment and operations. A covered entity may impose a fee that is not greater than the cost of accounting for disclosures.
Under the law, the effective date for accounting for EHR disclosures is Jan. 1, 2014, if an entity acquired an EHR as of Jan. 1, 2009. HHS can move the deadline to 2016 if it determines a later date is necessary. If an entity acquired an EHR after Jan. 1, 2009, the effective date is Jan. 1, 2011, or the date it acquires an EHR, whichever is later. HHS can move this deadline to 2013 if it determines a later date is necessary.
Consequently, organizations with older EHRs have more time to upgrade them, and those with a new EHR should make sure the system supports these accounting functions.
Other privacy and security changes under HITECH include:
- Individuals now have the right to receive an electronic copy of their personal health information maintained in an EHR. Covered entities can charge a fee that covers the labor cost of producing the electronic copy.
- Covered entities should limit uses and disclosures of personal health information to the "minimum necessary" to conduct a particular function. The disclosing entity will determine what is the minimum necessary for the stated purpose. HHS during 2010 is expected to issue regulations governing the "minimum necessary" provisions.
- Activities where companies pay providers to send communications to patients about new products and services formerly were considered part of a provider's "operations." This meant the activities were permissible under the privacy rule. Now, these activities are considered to be "marketing" and subject to restrictions. HHS expects to issue new regulations on marketing this year.
- Enforcement and penalties have been stiffened. HHS, for instance, now will conduct periodic audits to ensure covered entities and business associates are complying with the privacy and security rules - and have received stimulus funds for such purposes. State attorneys general can bring a civil action in federal court for violations occurring after enactment of the new law. Further, penalties now can be levied against individuals within a covered entity. Victims can receive compensation from fines levied against individuals and covered entities. HHS is expected during 2010 to determine what portion of penalties will be distributed to victims.
This article can also be found at HealthDataManagement.com.
Joseph Goedert is news editor at Health Data Management.
Howard Anderson is the executive editor of Health Data Management magazine.