The HITECH Act revises HIPAA regulations

After the COBRA changes in the economic stimulus package signed by President Obama on February 17, 2009, come the changes to the Health Insurance Portability and Accountability Act, or HIPAA.

The revisions don’t affect all employers, but some of those in the healthcare sector such as insurers, healthcare providers, and healthcare clearinghouses. Jennifer N. Willcox, an attorney with Pullman & Comley at the firm’s Bridgeport, Connecticut, notes that Title XIII of ARRA, known as the HITECH Act, is the source of these dozens of HIPAA revisions. When the HITECH Act becomes effective, in February 2010, the business associates will be subject, for the first time, to the same civil and criminal penalties that can now be assessed against plans and providers for HIPAA violations.

At present, many state laws state that people whose personal information is stolen must be notified by the company from which it was stolen. Now, the HITECH Act adds a federal obligation to those laws which states that individuals must be informed by the plans or providers, within no more than 60 days, if their personal information has been acquired or used without authority. And, if the data on 500 or more people are breached, the covered entity from which it was taken must report the incident to the Secretary of Health and Human Services (HHS).

Earlier, when the individuals requested under HIPAA that the disclosure of their private health information must be restricted, the covered entities could dishonour such request. Once the HITECH Act is in effect, such a request must be honored if the information is related to an item or service for which the patient paid out of pocket.

Again, HIPAA enforcements have been made stronger. So, criminal penalties will apply not only to covered entities that violate privacy rules but also to those organizations’ individual employees. And, not only have civil penalties been increased but they can be shared with harmed individuals. Most important, HITECH gives state attorneys general the power to enforce HIPAA rules.