What the HITECH Act means for you

Key Points

The Health Information Technology for Economic and Clinical Health (HITECH) Act was swept into law as part of the American Recovery and Reinvestment Act of 2009. HITECH affects many aspects of your practice's Health Insurance Portability and Accountability Act (HIPAA) compliance and brings with it increased enforcement and more severe penalties for HIPAA violations.¹

HITECH requires practices to immediately review and modify their existing HIPAA policies and procedures to incorporate the data breach rule's requirements, and to train staff. In addition, several states have even more stringent requirements that are not pre-empted by HITECH. Your approach to compliance should include both federal and state requirements.

HITECH mandates that practices take certain actions when protected health information (PHI) has been or may have been accessed, used, or disclosed improperly, whether by negligence, accident, theft, or otherwise. PHI is individually identifiable health information that is maintained or transmitted by a practice in any form or medium, whether orally, electronically, or in writing. Practices also must maintain documentation, such as logs of qualifying breaches, for reporting to the U.S. Department of Health and Human Services (HHS). Covered entities and business associates also have the burden of proof to establish that, where they determined that a qualifying breach occurred, all required notifications were made, as well to defend their decision in a case in which they determined that a potential breach incident did not result in a qualifying breach and, thus, no notifications were required.

A qualified data breach is an impermissible acquisition, access, use, or disclosure of "unsecured" PHI that compromises the security or privacy of the PHI and that poses a significant risk of financial, reputational, or other harm to an individual. Disclosure of date of birth, ZIP code, or certain other personal identifiers of patients alone does not constitute a breach.

If the PHI is secured, then notification is not required. Secured data are unusable, unreadable, or indecipherable to unauthorized individuals. Whether that standard has been met is determined by guidance from the HHS on technologies and methodologies. Basically, this "safe harbor" applies to two categories of secured PHI: 1) electronic PHI that meets specified standards of encryption, and 2) PHI stored or recorded on media that have been destroyed. The adoption of this safe harbor provides significant incentive to encrypt PHI. Other security methods, such as firewalls, stringent access controls, and redaction of identifying information, without encryption, do not provide a safe harbor.

THE HARM THRESHOLD

If a breach has occurred and your PHI does not meet the safe harbor guidance, then you still need to provide notification only if the breach poses a significant risk of financial, reputational, or other harm to the individual. This is called the "harm threshold." This threshold was established, in large part, to avoid notifying - and unnecessarily alarming - individuals that their PHI had been breached when no real damage resulted from the breach. If the unauthorized disclosure will not likely harm the affected individuals, then no notification is required.

Notification only is required if there is reason to believe that the information breached was improperly disclosed in a way that would present a significant risk of identity theft. For example, an accidental disclosure to a trustworthy individual who is unlikely to use the information for improper purposes would be a far lesser risk than a disclosure resulting from someone hacking into a computer system. Similarly, the unauthorized disclosure to an unknown individual of names attached to Social Security numbers, driver's license numbers, or financial account numbers likely would require notification, whereas disclosure of a simple list of names with no further data linked to those names generally would not require notification.

Even if the disclosed information includes only names, if that list, through other methods, can be linked to other information that could result in embarrassment, discrimination, or other harm, then notification still may be required. For example, if a list of patient names is disclosed, and through other means that list can be identified as a list of patients in a mental health or infectious disease treatment center, then the disclosure may well have the potential to result in substantial harm.

Whether or not notification is required, it is important that the covered entities take immediate steps to mitigate harm, including taking all reasonable measures to retrieve data that have been stolen, lost, or improperly disposed of, or to shut down a computer system after hacker intrusion. But these mitigation efforts alone will not avoid the data breach rule's notice requirements.