Today, President Obama signed the Health Information Technology for Economic and Clinical Health Act (known as the "HITECH Act") into law. The final version of the HITECH Act is posted on the Library of Congress’ THOMAS website. The HITECH Act addresses various aspects relating to the use of health information technology ("H.I.T."), including providing for federal funding by way of grants and incentive payments in order to promote H.I.T. implementation. In addition, Subtitle D of the HITECH Act includes new and far-reaching provisions concerning the privacy and security of health information that will directly affect more entities, businesses and individuals than ever before.

Some of the changes this new law has made to privacy and security include:

  • Security Breach Notification – Covered entities, business associates and others are now affirmatively required to notify individuals and others of breaches of unsecured protected health information (PHI).
  • Accounting of Disclosures with EHR Use – Covered entities using and disclosing PHI through an electronic health record (EHR) are required to provide individuals with an accounting, when requested, for the prior three years. Uses and disclosures of PHI through EHRs include treatment, payment and health care operations.
  • Access Rights to Electronic Format – The HIPAA Privacy Rule is amended to give individuals the right to obtain access to their PHI in electronic format, if requested.
  • Health Care Operations – The definition of "health care operations" will be reviewed by the Secretary of DHHS by August 17, 2010 and narrowed or clarified.
  • Marketing – Marketing is restricted further.
  • Sale of PHI – Covered entities and business associates are prohibited from directly or indirectly receiving any remuneration in exchange for any PHI of an individual unless a valid authorization is obtained from the individual, except in a very limited number of circumstances.

What should affected entities do?

  • Update Notice of Privacy Practices to reflect changes in privacy and security policies
  • Update HIPAA privacy and security policies accordingly
  • Develop a detailed Breach Notification Policy that complies with HITECH and any state law counterpart to the new federal breach notification provisions
  • Expand business associate lists to include vendors and others
  • Update Business Associate Agreements to include expanded new requirements