HITECH Act
Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5 (Feb. 17, 2009), codified at 42 U.S.C. §§300jj et seq.; §§17901 et seq.
Overview
The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, is designed to promote the widespread adoption and standardization of health information technology, and requires the Department of Health and Human Services (HHS) to modify the HIPAA Privacy, Security, and Enforcement Rules to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules.
Section 13402 of the HITECH Act requires the Department of Health and Human Services (HHS) to issue interim final regulations within 180 days of enactment to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide for notification in the case of breaches of unsecured protected health information.
Further, the Act provides that no later than 60 days after enactment, the Secretary of Health and Human Services shall, after consultation with stakeholders, issue (and annually update) guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals.[1]
Electronic health records
The Act authorized expenditures of at least $20 billion to promote the adoption and use of EHR technologies that would ideally be connected through a national health information network. Hospitals and physicians who make “meaningful use” of interoperable EHRs can qualify for extra payments through Medicare and Medicaid.
Responsibility for developing policies that implement the overall HITECH Act lies primarily with the Office of the National Coordinator for Health Information Technology (ONC). In this role, ONC works closely with the Centers for Medicare & Medicaid Services (CMS), which is responsible for promulgating policies that relate to Medicare and Medicaid payment for meaningful use of EHRs under the HITECH Act. In July 2010, ONC and CMS released final rules to implement the first phase of the HITECH Act incentive program, which begins in 2011.
The ONC rule specifies the standards, implementation specifications and other criteria for EHR systems and technologies to be certified under the HITECH Act and thus eligible for the Act's incentive programs while the CMS rule specifies how hospitals, physicians, and other eligible professionals must demonstrate their meaningful use of these technologies in order to receive Medicare and Medicaid payment incentives. Both sets of rules strongly indicate that standards and criteria for achieving meaningful use of EHRs will grow more rigorous in subsequent phases (2013 and 2015) as the technology continues to evolve and providers gain experience and sophistication in its use.
Definition of "Breach"
(1) BREACH.--
(A) IN GENERAL.--The term breach means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
(B) EXCEPTIONS.--The term breach does not include--
- (i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if--
- (I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
- (II) such information is not further acquired, accessed, used, or disclosed by any person; or
- (ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and
- (iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.[2]
Privacy
Subtitle D of the HITECH Act, entitled “Privacy,” among other provisions, requires the Department of Health and Human Services to issue interim final regulations for breach notification by entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates. In particular, section 13402 of the Act requires HIPAA covered entities to notify affected individuals, and requires business associates to notify covered entities, following the discovery of a breach of unsecured protected health information.
Further, the Act provides that no later than 60 days after enactment, the Secretary shall, after consultation with stakeholders, issue (and annually update) guidance specifying the technologies and methodologies that render protected health information (PHI) unusable, unreadable, or indecipherable to unauthorized individuals.[3]
If PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals by one or more of the methods identified by HHS in that guidance, then such information is not "unsecured" PHI, and its acquisition, access, use, or disclosure does not trigger the breach notification obligations of section 13402.
Under section 13410(e) of the Act, state attorneys general may investigate and bring civil actions on behalf of residents of their state against organizations that violate the HIPAA Rules, including by failing to secure PHI.
References
- ↑ The Act provides that the technologies and methodologies specified in the guidance also are to address the use of standards developed under section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by section 13101 of the Act. Section 3002(b)(2)(B)(vi) of the Public Health Service Act requires the HIT Policy Committee established in section 3002 to issue recommendations on the development of technologies that allow individually identifiable health information to be rendered unusable, unreadable, or indecipherable to unauthorized individuals when such information is transmitted in the nationwide health information network or physically transported outside of the secured physical perimeter of a health care provider, health plan, or health care clearinghouse. The Department intends to address such standards as they are developed in future iterations of this guidance.
- ↑ HITECH Act §13400.
- ↑ The Act provides that the technologies and methodologies specified in the guidance also are to address the use of standards developed under section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by section 13101 of the Act. Section 3002(b)(2)(B)(vi) of the Public Health Service Act requires the HIT Policy Committee established in section 3002 to issue recommendations on the development of technologies that allow individually identifiable health information to be rendered unusable, unreadable, or indecipherable to unauthorized individuals when such information is transmitted in the nationwide health information network or physically transported outside of the secured physical perimeter of a health care provider, health plan, or health care clearinghouse. The Department intends to address such standards as they are developed in future iterations of this guidance.