HIPAA was passed in 1996 to protect individuals' health information by establishing privacy and security standards. It applies to covered entities like health plans, providers, and clearinghouses, as well as their business associates. HIPAA regulates the use and disclosure of protected health information. HITECH, passed in 2009, strengthened HIPAA by adding breach notification requirements for covered entities and business associates to notify individuals and the government when unsecured health data is compromised.

2. • HIPAA (Health Insurance Portability and Accountability Act)
• Passed in 1996
• Enacted to protect health information
• transaction standards for the exchange of health information
• security standards
• privacy standards
• Protects “protected health information”
• means individually identifiable health information that is: (i)
Transmitted by electronic media; (ii) Maintained in electronic media;
or (iii) Transmitted or maintained in any other form or medium
• there are certain exclusions such as education records and employment
records held by a covered entity in its role as employer

3. • Applies to “covered entities”
• Covered entity means (1) A health plan, (2) A health care
clearinghouse, (3) A health care provider who transmits any
health information in electronic form in connection with a
transaction covered by this subchapter
• Health information means any information, whether oral or
recorded in any form or medium, that: (1) Is created or received
by a health care provider, . . .employer, . . . and (2) Relates to
the past, present, OR future physical or mental health or
condition of an individual; the provision of health care to an
individual; OR the past, present, or future payment for the
provision of health care to an individual.

4. • Also applies to the “business associates” of covered
entities
• Business associate means broadly, a person who “performs, or
assists in the performance of . . . a function or activity involving
the use or disclosure of individually identifiable health
information”
• including claims processing or administration, data analysis,
processing or administration, utilization review, quality assurance,
billing, benefit management, practice management, and repricing
• Broadly, this means that if you use or receive PHI, then you are
either a covered entity or a business associate

5. • HITECH (Health Information Technology for Economic and
Clinical Health)
• Signed into law on February 17, 2009
• Provides for the adoption of electronic health records
• Also adds new breach provisions
• "the unauthorized acquisition, access, use, or disclosure of
protected health information which compromises the security or
privacy of such information, except where an unauthorized person
to whom such information is disclosed would not reasonably have
been able to retain such information"

6. HITECH Breach
• Who is under Obligations?
• Covered Entity
• Business Associate
• Subcontractor Requirements

7. HITECH Breach
• Who is under Obligations?
• Covered Entity
• Business Associate
• Subcontractor Requirements
• What are an entity’s Obligations?
• Investigate, give notice, reprimand, record/notify Secretary of Health
and Human Services
• If over 500 individuals affected, then must report to the Secretary
• As of September 26, 2011, 330 reports (several organizations more than
once), impacting more than 11 million records

8. Getting out of Breach Notification
• Only provide the required notification if the breach involved
unsecured protected health information
• Unsecured PHI is PHI that has not been rendered unusable,
unreadable, or indecipherable to unauthorized individuals
through the use of a technology or methodology specified by
the Secretary in guidance

9. Getting out of Breach Notification
• Guidance available:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificatio
nrule/brguidance.html (and is to be updated annually)
• Data at Rest: NIST
• Data in Motion: