February 10, 2010
HIPAA and HITECH
New HIPAA Security and Privacy Rules under the HITECH Act:
These suggestions are for any company that works with health or medical records, or that otherwise must meet HIPAA guidelines. HIPAA has rolling changes that you should be aware of.
12 Tips to Help Covered Entities Prepare
On February 17th, 2009 President Obama signed into law the Health Information Technology for Economic and Clinical Health Act, or “HITECH Act,” as part of a $787 billion economic stimulus package.
The HITECH Act significantly expands the scope of existing federal privacy and security rules under HIPAA and creates new rules that will have major economic and legal consequences for all health care providers, health plans and their “business associates” (such as billing firms, lawyers, accountants, auditors and consultants). This tip sheet is designed to acquaint covered entities with the most significant revisions and additions to the federal privacy and security rules under the HITECH Act, including revisions to HIPAA’s marketing, disclosure and information request laws and new rules concerning breaches of protected health information (“PHI”) and the use of electronic health records (“EHR”).
Take These Actions Now:
- Update your policies and procedures to reflect changes in PHI disclosure laws which require covered entities to comply with patient requests concerning the nondisclosure of certain PHI to health plans for the purpose of carrying out payment or healthcare operations.
- Update your policies and procedures to reflect a patient’s right to receive a copy of PHI maintained in any EHR. Set a fee schedule for this service (charges must not exceed labor costs).
- Adopt breach notification policies and procedures. Update your security incident procedures and your employee handbook to ensure that they comply with the HITECH Act’s new breach notification and sanction provisions.
- Make sure staff members are properly trained and educated about privacy and security laws. The HITECH Act specifically requires your workforce to receive training regarding the new breach notification regulations that went into effect
- Identify and notify all “business associates” of the application of HIPAA and update and modify your business associate agreements.
- Watch for new HITECH Act guidelines and regulations. Although some aspects of the HITECH Act are already in force and effect, other parts are still being developed. Regulations detailing the new breach notification rules, for instance, were issued August 23, 2009 and just went into effect.
- Consider developing a long-term plan for implementing and financing the new health information technical safeguards imposed by the HITECH Act.
By 2010:
- Revisit your marketing practices to ensure that they comply with new restrictions regarding the use of PHI for marketing purposes. These new rules apply to all communications made after February 17, 2010.
- Employees of covered entities may have independent criminal liability.
- Business associate agreements are required for "courier" entities, which are directly subject to HIPAA regulations.
By 2011:
- Update your policies and procedures to comply with new regulatory restrictions regarding the sale of PHI (to be in effect by February 17, 2011). With a few exceptions, neither covered entities nor their business associates will be permitted to sell PHI without a patient’s written authorization.
- Consult your EHR vendor about the security of PHI. Ask what would happen to patients’ data if a laptop or hard drive were stolen, and consider safeguards like encryption and secure passwords. Ask if your current EHR system has the ability to track patient information.

Please consult your legal department to update you on the HIPAA regulations that apply to you and their changes.
Audits and penalties have also changed.