Rarely mentioned in political discussions of the American Recovery and Reinvestment Act of 2009 (more commonly referred to as the Economic Stimulus Act) (the “Act”) is a provision known as the “Health Information Technology for Economic and Clinical Health Act” (“HITECH”). Beginning February 2010, HITECH will dramatically impact current HIPAA regulations, as well as health professionals and their practices.

1. Security Breaches: With the exception of incidental disclosures, providers will be required to notify patients of any unauthorized access or breach of their Personal Health Information (“PHI”) within 60 days after the breach. If a breach affects more than 500 patients, the provider must notify the Department of Health and Human Services (“HHS”), which will report the name of the provider on its website. If a breach affects more than 500 people located in the same geographic area, the provider must also contact that local media market. A provider’s business associates must inform the provider of any unauthorized breach, and the provider must treat such breaches in a similar manner.

2. Penalties: Under HITECH, civil monetary penalties will increase, and such penalties will be mandatory for HIPAA violations attributable to “willful neglect.” Previously, HIPAA enforcement bodies had discretion on whether to impose financial penalties. HITECH further expands civil monetary penalties and criminal liability to business associates, and allows for criminal penalties to be applied to any individual or employee of a provider who obtains unauthorized PHI.

3. Right of Action: HITECH creates a private right of action for HIPAA violations. HITECH also allows a state to file suit on behalf of a patient whose HIPAA rights are violated, and patients may recover civil damages, costs and attorneys’ fees.

4. Electronic Health Records: HITECH changes current HIPAA rules and requires that a record of disclosures for treatment, payment and healthcare operations be kept for PHI maintained in an Electronic Health Records (“EHR”) system. The effective date of this requirement depends upon when the provider began using the EHR system, but will not be earlier than 2011. HITECH allows patients to elect to receive their PHI via electronic format if the provider maintains an EHR system. The patient can also designate an individual to receive the electronic transmission and cannot be charged more than labor cost for completing the request.

HITECH provides financial incentives for providers to establish EHR systems. Although providers are not required to adopt an EHR system, those who fail to do so by 2015 may face decreased Medicare reimbursement rates, unless they can show “significant hardship.”

5. Right to Restrict Information: HITECH allows patients to request that certain information not be released to the patient’s health plan. Information unrelated to treatment and services a patient pays for out-of-pocket cannot be disclosed if the patient objects. Any information falling outside this category may still be disclosed to health plans within the confines of all other applicable HIPAA regulations.

6. Sale of PHI: Providers may no longer accept remuneration in exchange for HIPAA-compliant PHI disclosures, unless such disclosures are made for one of the following purposes:

• Public health activity;
• Research activity and the charge relates to the cost of preparation and transmittal;
• Treatment of the patient;
• Sale or merger of all or part of the provider;
• It is a necessary function of a business associate and is pursuant to a valid business associate agreement;
• To provide a copy of PHI to the patient; or
• Other activity as directed by HHS.

Given these changes in HIPAA regulations and enforcement, it is critical to ensure that your HIPAA policies and business associate agreements are in full regulatory compliance. Please contact our attorneys if you would like us to review your HIPAA compliance