79 J. Kan. Bar Assn 9, 23 (2010). How HITECH Are You? New Privacy and Security Rule Requirements.

• Author: Catherine Walberg

Kansas Bar Journal

Volume 79.

79 J. Kan. Bar Assn 9, 23 (2010).

How HITECH Are You? New Privacy and Security Rule Requirements

Kansas Bar Journal Volume 79, September 2010 79 J. Kan. Bar Ass'n 9, 23 (2010) How HITECH Are You? New Privacy and Security Rule Requirements Catherine Walberg [23]

I. Introduction

Several years ago, many health law attorneys found themselves immersed in the sea of the Health Information Portability and Accountability Act (HIPAA) Privacy and Security Rules. Having returned to the surface for air, attorneys may resist revisiting the sea of detail of the HIPAA Privacy and Security Rules.(fn1) Unfortunately, given recent changes in the law, it is time to jump back into HIPAA if you use, receive, or disclose health information in representing clients or advise clients who do.

In February 2009, President Barack Obama signed into law the Health Information Technology for Economic and Clinic Health Act (HITECH)(fn2) as part of the American Recovery and Reinvestment Act of 2009. HITECH amends the HIPAA Privacy and Security Rules and its aim is to strengthen the privacy and security of electronic health information.(fn3) In addition, Congress increased and widened the scope of penalty provisions under HIPAA.(fn4) Unless otherwise specified below, HITECH became effective February 17, 2010.(fn5)

HITECH is relevant to Kansas attorneys who represent in any capacity health care providers, health insurers, or health care clearinghouses. HITECH will impact the advice Kansas attorneys give to their clients about HIPAA in terms of the storage, use, disclosure, and destruction of health information. HITECH will also require attorneys who receive health information from their clients to implement certain safeguards in terms of protecting the confidentiality of such information.

Most would find HITECH impenetrable, however, without at least a gross understanding of the HIPAA Privacy and Security Rules. Consequently, it is useful to generally summarize HIPAA Privacy and Security Rules as a precursor to outlining recent changes to these rules by HITECH.(fn6)

A. Pre-HITECH privacy rule

Very simply, the HIPAA Privacy Rule (Privacy Rule) sets out minimum rules that covered entities must follow in protecting the confidentiality of protected health information (PHI)(fn7) and in granting patients access to their PHI. A "covered entity" is defined as a health plan, a health care clearinghouse, or a health care provider that transmits health information in electronic from in connection with a transaction covered by HIPAA (i.e., most health care providers).(fn8) PHI is essentially the health information about an individual created or received by a health care provider, health plan, employer, or health care clearinghouse.(fn9) It includes information about the past, present, or future physical or mental health condition of an individual and payment information relating to such care.(fn10) The Privacy Rule establishes the minimum level of privacy covered entities must afford PHI and the minimum level of access covered entities must give individuals to their PHI.(fn11) To the extent state law affords greater privacy protection to PHI or affords an individual more access to the individual's PHI, state law controls.(fn12) The Kansas laws addressing the confidentiality of health information consist of case law and a myriad of statutes.(fn13) Reconciling the myriad of Kansas statutes with HIPAA is a daunting task, best left to the Kansas Legislature or another article! Suffice it to say that the Privacy Rule is often referred to as a confidentiality floor, i.e., the minimum level of confidentiality covered entities must afford PHI and the minimum level of access to PHI covered entities must give individuals who are the subject of the PHI.

Very generally, under the Privacy Rule, subject to numerous exceptions, PHI must be kept confidential unless a patient signs an authorization permitting disclosure of PHI or unless disclosure is otherwise authorized by HIPAA and state law.(fn14) The authorization must meet the requirements of the Privacy Rule to be valid.(fn15) A key exception to this general rule allows disclosure of PHI for payment, treatment, or health care operations.(fn16) Exceptions to the authorization requirement also include typical disclosures, such as disclosures required by law, e.g., contagious disease reporting, disclosures pursuant to a court order, and disclosures for purposes of a workers' compensation claim.(fn17) In those situations, no authorizations are needed.(fn18)

The other major branch of the Privacy Rule is the access provisions.(fn19) Very generally, subject to certain exceptions, an individual has unfettered access to the individual's PHI.(fn20)

In or instance, the Privacy Rule requires most covered entities to give a "notice of privacy," detailing an individual's rights related to PHI privacy and access.(fn22) Health care providers must give patients the opportunity to request addition to detailed rules related to privacy of, and access to, PHI, the Privacy Rule imposes numerous administrative requirements.(fn21) Famendments to their PHI.(fn23) The Privacy Rule also mandates workforce training and policies and procedures relating to the confidentiality of PHI and relating to sanctions for privacy violations.(fn24)

The Privacy Rule also requires covered entities to keep an "accounting" of disclosures of PHI, subject to exceptions.(fn25) An accounting is a list of disclosures of PHI made by a covered entity to those outside its workforce.(fn26) The accounting must be maintained in the manner specified by the Privacy Rule.(fn27) One key exception to the accounting requirement makes clear that, "pre-HITECH," covered entities did not have to provide an accounting of disclosures made for purposes of payment, treatment, or health care operations.(fn28)

One last administrative requirement of the Privacy Rule is noteworthy before reviewing HITECH. If a covered entity discloses PHI outside its workforce to a business associate, as that term is defined by the Privacy Rule, the covered entity must obtain certain "satisfactory assurances" via a business associate agreement prior to sharing PHI with the business associate.(fn29) The business associate must abide by the business associate agreement in using and disclosing PHI.(fn30) The obligations of such business associate were strictly contractual pre-HITECH.(fn31)

B. Pre-HITECH security rule

[24]

Prior to discussing HITECH, it is also helpful to briefly review the HIPAA Security Rule (Security Rule).(fn32) The Security Rule outlines the requirements covered entities must take to protect electronic health information. E-PHI is PHI transmitted by, or maintained in, electronic media.(fn33) Under the Security Rule, covered entities must:

1. Ensure the confidentiality, integrity, and availability of E-PHI; 2. Protect against any reasonably anticipated threats or hazards to the security or integrity of E-PHI; 3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy or Security Rules; and 4. Ensure compliance by their workforce with the Privacy and Security Rules.(fn34)

After that rudimentary review of the Privacy and Security Rules, HITECH becomes, perhaps, more comprehensible. What follows is a brief overview of the key additions and changes HITECH makes to the HIPAA Privacy and Security Rules.

II. Covered Entities

Below is a summary of the key changes HITECH makes to the HIPAA Privacy and Security Rules that are applicable to covered entities. "Covered Entities" is defined under HIPAA, and the definition is unchanged by HITECH. The definition includes most health care providers, health insurers, and health care clearing houses.(fn35)

A. Notification of Breach [Effective 9/23/09]

Covered entities must notify individuals of any breach of privacy regarding unsecured protected health information.(fn36) On August 24, 2009, Health and Human Services (HHS) issued interim final regulations regarding the breach notification requirements under HITECH as discussed below.(fn37) HITECH adds a new definition for "unsecured protected health information."(fn38) Unsecured PHI is defined as protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology specified by the Secretary of HHS (Secretary) in its guidance.(fn39) The guidance specifies technologies and methodologies that HHS believes render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.(fn40)

Following the discovery of a breach of unsecured PHI, a...