HITECH Act and Security Breach Notifications

The federal stimulus package law, otherwise known as the American Recovery and Reinvestment Act of 2009 (ARRA), contains a number of measures related to health information technology (HIT) and incentives to adopt electronic health record (EHR) systems. The Health Information Technology for Economic and Clinical Health Act (HITECH Act), which is part of the ARRA, expands the scope of the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Holy acronyms, Batman, let's simplify. The HITECH Act is complex, so let's look at one topic: security breach notification.

Security Breach Notification under HIPAA
Under the HIPAA regulations in force before the HITECH Act, covered entities are not directly obligated to notify patients of unauthorized uses or disclosures of their protected health information (PHI). Unless a patient lives in a state with an applicable security breach notification law, the covered entity has the discretion to decide whether to notify patients at all. If your health records had been disclosed, or even modified, during a security incident, you might never have known. Few people think about the security of their health records, or about how much historical information resides in them. Here are some hypothetical situations to think about:

·         Are you allergic to a certain medicine? Would you die if that medicine were given to you because a hacker had modified your health records?
·         Would you want your ex to tell a divorce court that you are being treated for a sexually transmitted disease?
·         Do you have a serious medical condition, such as AIDS or terminal cancer, that potential employers may not want to cover?
·         Did you tell your employer that you don't smoke, but you do?

Patient health records are filled with life-saving and life-altering information. These personal histories need to be protected with the highest levels of data security. Yet, as noted above, HIPAA on its own does not directly obligate covered entities to notify patients of unauthorized uses or disclosures of their PHI. GASP!

The HITECH Act and Security Breach Notifications

What does it say about security breaches?
The HITECH Act requires that patients be notified of any unauthorized acquisition, access, use, or disclosure of their unsecured protected health information (Unsecured PHI) that compromises the privacy or security of that information. NOTE: The U.S. Department of Health and Human Services (HHS) is required to define the term "Unsecured PHI" within 60 days of enactment. If such guidance is not issued, the HITECH Act defines Unsecured PHI as any PHI that is not secured by a technology standard that renders it unusable, unreadable, or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization accredited by the American National Standards Institute. Translation: encryption. One practical caveat follows directly from that definition: encryption only keeps PHI "unusable" to an unauthorized individual if the decryption key is not compromised along with the data. Encrypted records taken together with the key that unlocks them are, for notification purposes, no better than plaintext.

When must patients be notified?
The HITECH Act specifies the timeliness of such notifications ("without unreasonable delay and in no case later than 60 calendar days after discovery of the breach") and spells out the information that must appear in the notification sent to affected patients. Note that the clock starts at discovery, which is another reason to have detection and incident response processes in place: a breach you cannot detect is a breach whose clock you cannot account for.

What if the breach affects 500 patients or more?
If a breach affects 500 individuals or more, it must be reported to HHS immediately, and HHS will post the name of the breaching entity on its public Web site. Smaller breaches do not escape reporting entirely: the covered entity must log them and submit the log to HHS annually. In addition, a breach involving more than 500 residents of a single state or jurisdiction must be reported to prominent media outlets serving that state or jurisdiction.

Are there exceptions to notification?
There are some narrow exceptions for unintentional, good-faith acquisition or use by employees or other authorized individuals acting within the scope of their authority, and for inadvertent disclosures between authorized individuals at the "same facility," provided the information is not further used or disclosed in a manner not permitted by HIPAA.

“My company is not a covered entity; does this apply to my company?”
The new security breach notification requirements apply to both covered entities and business associates. A business associate must notify the covered entity of any unauthorized acquisition, access, use, or disclosure of Unsecured PHI that it holds on behalf of the covered entity, including the identity of each individual whose Unsecured PHI was involved, so that the covered entity can in turn notify those patients.

What about employee snooping? Is that considered a security breach?
Yes. The security breach notification requirements apply to unauthorized internal access to PHI as well as to external attacks. This means that an employee "snooping" into medical records without authorization can trigger the notification requirements, which is one more reason to enforce least-privilege access to medical records and to keep (and actually review) access logs.