As part of the American Recovery and Reinvestment Act of 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act to broaden and increase HIPAA’s scope of protecting the privacy and security of personal health information. HITECH also served to make HIPAA more rigorous and encompassing.
HIPAA, through HITECH, now applies to covered entities’ business associates. 42 U.S.C. §§ 17931-39. HITECH requires a covered entity and business associate to notify appropriate parties regarding the breach of unsecured protected health information (PHI). Anyone who violates these provisions is subject to increased civil and criminal penalties. The Department of Justice is responsible for enforcing criminal penalties, while the Department of Health and Human Services’ Office of Civil Rights is responsible for enforcing civil penalties.
HITECH broadens HIPAA by making its privacy provisions applicable to covered entities’ business associates. 42 U.S.C. §§ 17931 & 17934. Such privacy provisions applicable to covered entities are now incorporated into business associate agreements.
HITECH defines a business associate as a person, other than in the capacity of a member of the covered entity’s workforce, who performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information (IIHI), including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing. 45 C.F.R. § 160.103 (2006). It also includes those who provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the disclosure of IIHI to the person occurs from the covered entity or arrangement, or from another business associate. Id. Thus, HITECH modifies and thereby broadens HIPAA to include most parties that do business with a covered entity.
Next, HITECH mandates rigorous breach notifications. Under HITECH, a “breach” means an unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. 42 U.S.C. § 17921(1)(A). But a breach does not include unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity or business associate if (1) it was made in good faith and within the course and scope of employment and (2) such information is not further acquired, accessed, used, or disclosed. 42 U.S.C. § 17921(1)(B)(i). Neither does an inadvertent disclosure from an individual who is otherwise authorized to access PHI at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility constitute a breach. 42 U.S.C. § 17921(1)(B)(ii). These two exceptions only apply if any of the information received is not further acquired, accessed, used, or disclosed without authorization by any person. 42 U.S.C. § 17921(1)(B)(iii).
When an unauthorized disclosure of “unsecured” PHI is discovered by a covered entity, it must notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, breached. 42 U.S.C. § 17932(a). If a business associate discovers such a breach, that business associate must notify the covered entity. 42 U.S.C. § 17932(b). After the discovery of such a breach, all notifications must be made without unreasonable delay and, in no case, later than 60 calendar days after the discovery. 42 U.S.C. § 17932(d)(1). There are four methods of notification recognized under HITECH: (1) individual notice via regular mail or electronic mail; (2) media notice if the unsecured PHI of more than 500 residents of a State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed in a breach; (3) notice to the Secretary; and (4) posting on HHS’s public website by the Secretary. 42 U.S.C. § 17932(e).
The breach notification only applies to situations where unsecured PHI has been breached. Thus, the use of encryption to secure PHI can provide a “safe harbor” that protects covered entities and business associates from having to give notice under the breach notification provisions.
HITECH has a three-tier civil monetary penalty (CMP) enforcement mechanism. If the person did not know (and by exercising reasonable diligence would not have known) that such person violated a HITECH provision, the CMP is at least $100 per violation, with the total not exceeding $25,000 during a calendar year, but not more than $50,000 per violation, and the total may not exceed $1,500,000. 42 U.S.C. § 1320d-5. If the violation was due to reasonable cause and not to willful neglect, the penalty is at least $1,000 per violation, with the total not exceeding $100,000 per calendar year, but not more than $50,000 per violation, and the total may not exceed $1,500,000. Id. Finally, if the violation was due to willful neglect and the violation is corrected, the penalty is at least $10,000 per violation, with the total not exceeding $250,000 per calendar year, but not more than $50,000 per violation, and the total may not exceed $1,500,000. Id. On the other hand, if the violation is not corrected, the penalty is at least $250,000 per violation, with the total not exceeding $1,500,000. Id.
As for the criminal penalty provisions, a person is guilty of wrongful disclosure of IIHI if that person knowingly and in violation of the statute (1) uses or causes to be used a unique health identifier; (2) obtains IIHI relating to an individual; and (3) discloses IIHI to another person. 42 U.S.C. § 1320d-6. That person can be fined not more than $50,000, imprisoned not more than 1 year, or both. Id. If the crime was committed under false pretenses, that person can be fined not more than $100,000, imprisoned not more than 5 years, or both. Id. The most severe criminal penalty is imposed when an offense is committed with intent to sell, transfer, or use IIHI for commercial advantage, in which case that person can be fined not more than $250,000, imprisoned not more than 10 years, or both.
HITECH strengthens HIPAA by bringing covered entities’ business associates within its privacy provisions. The breach notification requirement imposes an additional duty on covered entities and business associates to report a breach to the affected individuals and, in some cases, to the media and the Secretary, and the Secretary will make available to the public on HHS’s public website a list of covered entities involved in a breach. HITECH imposes an increased civil monetary penalty that is divided into three tiers. Covered entities and business associates now will also face criminal penalties for violating the HIPAA rule.
AHLA would like to thank Kelvin Y. Ziegler for drafting this article.