The HITECH Act expanded HIPAA privacy and security rules in several key ways:
1) It made business associates directly subject to HIPAA rules and require them to sign business associate agreements, protect PHI, and notify covered entities of breaches.
2) It required covered entities and business associates to notify individuals and government of any breaches of unsecured PHI.
3) It strengthened individual rights to access their electronic health records and accounting of disclosures, and required covered entities to agree to restrictions on disclosures to health plans.
4) It prohibited the sale of PHI by covered entities and business associates without authorization and placed restrictions on marketing communications.
5) It
Breaking the Kubernetes Kill Chain: Host Path Mount
HIPAA CHANGES" HITECH Act Strengthens Privacy and Security Rules
1. Brought to you by Filice Insurance
1
Changes to HIPAA Rules: HITECH Act
President Obama signed the Health Information Technology for Economic and Clinical Health Act (HITECH Act) into
law on Feb. 17, 2009. The HITECH Act contained health information technology provisions and also made significant
changes to the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996
(HIPAA Privacy and Security Rules).
The general effective date of the HITECH Act was Feb. 17, 2010, but some provisions have varying effective dates.
This Legislative Brief provides an overview of the changes made to the HIPAA Privacy and Security Rules by the
HITECH Act.
BUSINESS ASSOCIATES
Prior to the HITECH Act, the HIPAA Privacy and Security Rules directly applied only to Covered Entities - health plans,
health care providers and health care clearinghouses. Under the prior law, a Covered Entity’s Business Associates had
to agree, through a Business Associate Agreement, to comply with certain requirements of the HIPAA Privacy and
Security Rules, but were not directly governed by the regulations.
The HITECH Act maintained the Business Associate Agreement requirement, and made a number of the HIPAA Privacy
and Security Rules’ requirements directly applicable to Business Associates.
For example, under the HITECH Act, Business Associates are required to:
• Comply with the minimum necessary standard so that when a Business Associate uses, discloses or requests
protected health information (PHI), it must limit PHI to the minimum amount necessary to accomplish the
purpose of the use, disclosure or request;
• Report breaches of unsecured PHI to a Covered Entity in compliance with the Privacy Rules’ breach notification
requirements; and
• Implement administrative, physical and technical safeguards to ensure the confidentiality, integrity and
availability of electronic PHI (ePHI) and adopt and implement policies and procedures for protecting ePHI.
The HITECH Act’s requirements for Business Associates generally became effective on Feb. 17, 2010. The additional
obligations must be incorporated into the Business Associate Agreement between the Covered Entity and Business
Associate. Penalties for violations of the Privacy and Security Rules that formerly applied only to Covered Entities now
apply to Business Associates as well.
The HITECH Act also expanded the definition of Business Associate to include organizations that provide data
transmissions of PHI to a Covered Entity (or its Business Associate) and require access on a routine basis to this PHI,
as well as vendors that contract with Covered Entities to offer a personal health record to patients. These Business
Associates must enter into Business Associate Agreements with the Covered Entities.
BREACH NOTIFICATION FOR UNSECURED PHI
Under the HITECH Act, Covered Entities are required to notify individuals whose “unsecured PHI” has been breached.
Covered Entities are also required to notify the Department of Health and Human Services (HHS) and, in some cases,