HIPAA & HITECH Unveiled

The HITECH Act expands HIPAA’s coverage, increases compliance obligations, and strengthens enforcement penalties.

HIPAA – Health Insurance Portability and Accountability Act
A US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers.

1. A uniform, federal floor of privacy protections across the country.
2. State laws providing additional protections are not affected.
3. HIPAA itself was enacted in 1996; its Privacy Rule took effect (compliance date for most covered entities) on April 14, 2003.

HITECH – Health Information Technology for Economic and Clinical Health Act
A part of the American Recovery and Reinvestment Act of 2009 that addresses the privacy and security concerns associated with the electronic transmission of health information.

1. Strengthened the civil and criminal enforcement of the HIPAA rules.
2. Signed into law on February 17, 2009.

Effective Immediately

* Collected civil monetary penalties go to the HHS Office for Civil Rights (OCR)
* Civil monetary penalties are increased substantially
* Civil action by state Attorneys General on behalf of aggrieved persons is authorized

On/Before September 15, 2009

* New security breach notification obligations effective

February 17, 2010

* Business associates are directly subject to HIPAA
* Limited Data Set standard for “minimum necessary”
* Marketing communications further restricted
* Business associate agreements required for “courier” entities
* Employees of covered entities may have independent criminal liability

On/After January 1, 2011

* Accounting for treatment, payment, or healthcare operation (TPO) disclosures from EHR systems acquired after January 1, 2009; HHS may extend deadline by two years

On/Before February 17, 2011

* New prohibitions on disclosure of PHI in exchange for remuneration
* Mandatory civil monetary penalties for violations involving “willful neglect”

On/Before February 17, 2012

* Complainants will share in collected civil monetary penalties

On/After January 1, 2014

* Accounting required for TPO disclosures from EHR systems acquired before January 1, 2009; HHS may extend deadline by two years

Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. The following identifiers (the 18 Safe Harbor identifiers of the Privacy Rule) make health information individually identifiable, so data carrying any of them must be handled as PHI:

1. Names
2. Phone numbers
3. Fax numbers
4. Electronic mail addresses
5. Social Security numbers
6. Medical record numbers
7. Health plan beneficiary numbers
8. Account numbers
9. Certificate/license numbers
10. All geographical subdivisions smaller than a State (street address, city, county, precinct, ZIP code)
11. Dates (other than year) directly related to an individual, such as birth date, admission date, discharge date and date of death, and all ages over 89
12. Vehicle identifiers, serial numbers and license plate numbers
13. Biometric identifiers, including finger, retinal and voice prints
14. Full face photographic images and any comparable images
15. Any other unique identifying number, characteristic, or code
16. Web Uniform Resource Locators (URLs)
17. Device identifiers and serial numbers
18. Internet Protocol (IP) address numbers
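The list above tells an engineer what to look for, but not how to find it in the data a system actually emits. As an added example that is not part of the original page, the Python below screens free text (application log lines here) for the machine-recognizable identifiers in the list (e-mail, IP, URL, SSN, phone, day-level dates, ages over 89, labelled medical record numbers) and redacts them by category. The regular expressions, category names and sample log lines are constructed for this example; HIPAA defines the identifier categories, not their syntax.

```python
import re
from typing import Dict, List, Tuple

# Assumed patterns for the identifiers that have a recognizable syntax.
# These regexes are this example's own (HIPAA names the categories only)
# and are deliberately conservative: they screen for obvious leaks, they
# do not prove de-identification. Names, geographic units and unlabelled
# account numbers need dictionaries or context, not a regex.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "URL": re.compile(r"https?://[^\s\"'<>]+"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    # Day-level dates only: a bare year (e.g. "1998") is permitted by the rule.
    "DATE": re.compile(r"(?<!\d)(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})(?!\d)"),
    "AGE_OVER_89": re.compile(r"\b(?:9\d|1\d\d)[ -]?(?:years?[ -]old|y/?o)\b", re.I),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{4,}\b", re.I),
}


def find_identifiers(text: str) -> List[Tuple[str, str, int, int]]:
    """Return (category, matched_text, start, end) hits, left to right.

    Overlapping hits are resolved in favour of the earliest, then longest
    match, so an IP address inside a URL is reported once, as the URL.
    """
    raw = []
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for m in pattern.finditer(text):
            raw.append((m.start(), -(m.end() - m.start()), category, m.group(0), m.end()))
    raw.sort()
    hits, last_end = [], 0
    for start, _, category, match, end in raw:
        if start < last_end:
            continue  # nested inside a hit already kept
        hits.append((category, match, start, end))
        last_end = end
    return hits


def redact(text: str) -> str:
    """Replace every identifier hit with a [CATEGORY] placeholder."""
    out, cursor = [], 0
    for category, _, start, end in find_identifiers(text):
        out.append(text[cursor:start])
        out.append(f"[{category}]")
        cursor = end
    out.append(text[cursor:])
    return "".join(out)


def is_deidentified(text: str) -> bool:
    """True when the screen finds no identifier; a necessary, not sufficient, check."""
    return not find_identifiers(text)


# Constructed sample log lines (no real people, RFC 5737 / example.org values).
SAMPLE_LOG = [
    "2024-03-15T10:22:01 portal: login ok user=j.doe@example.org ip=203.0.113.42",
    "2024-03-15T10:22:09 portal: viewed MRN 00418273, DOB 04/02/1951, phone (555) 010-2233",
    "2024-03-15T10:23:40 billing: claim for SSN 123-45-6789 exported to https://files.example.org/claims/88",
    "2024-03-15T10:24:02 triage: 92-year-old admitted, see notes from 1998 audit",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact(line))
```

Every day-level date is flagged, including the log's own timestamp, because the rule permits only the year once a date is tied to an individual's care; whether a given event timestamp is PHI is a judgement the screen cannot make, so it errs on the side of redaction. ZIP codes are omitted on purpose: a bare five-digit pattern collides with too many other numbers, and the rule's three-digit-prefix exception needs a population table rather than a regex.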