Today, Wednesday, February 17, 2010, marks one year since the HITECH Act of 2009 passed. This means that most of the Act’s provisions are now enforceable – particularly, the breach notification and penalties aspect of the Act. While most healthcare organizations are concerned about the “meaningful use” requirement, for us in the IT security space it is the expanded PHR safeguards that are important. At a high level, the data protection part of HITECH …
- establishes mandatory federal security breach reporting requirements for covered entities and their business associates who handle unsecured ePHI;
- expands criminal and civil penalties for noncompliance;
- applies HIPAA privacy and security requirements directly to business associates, which are now enforceable by the federal government under HIPAA; and
- explicitly classifies Health Information Exchanges as business associates.
The details are, of course, more nuanced. IANAL, but here’s some of what I see folks in the healthcare industry facing …
1. Broadened Definitions. HITECH now includes Protected Health Information in hardcopy versus just sensitive information as defined in state breach laws. In addition, business associates are now directly covered (instead of contractually) and Health Information Exchanges (HIEs) are now classified as business associates. This greatly expands the type of data and organizations impacted.
2. Notification Requirements. The notification must occur within 60 days of discovery (i.e., when the incident is first known), or “by exercising reasonable diligence, would have been known.” This puts a tremendous burden on the IT organization.
In addition, the notification must be made without unreasonable delay and in no case later than 60 calendar days after the date the breach is discovered. This means, despite the suggestion to the contrary in the latest Ponemon Cost of a Breach study, you must provide notification immediately. In fact, HHS addressed this specifically in their guidance: “For example, if a covered entity has compiled the information necessary to provide notification to individuals on day 10 but waits until day 60 to send the notifications, it would constitute an unreasonable delay despite the fact that the covered entity has provided notification within 60 days.”
3. Unsecured ePHI. HITECH covers breaches of “unsecured ePHI”; the interim final rule from HHS states that “encryption and destruction [are] the two technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.” Furthermore, HHS has stated that “we do not believe that access controls meet the statutory standard of rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.” [emphasis added]
So, bottom line: while encryption may not be required, it certainly seems like it’s the only way to claim that ePHI is secure. And you’d better have your data encrypted up and down your data chain … so, don’t forget about the backup CDs on the shelf, nor the “work at home” data entry clerk. Oh, and you’d better have a mechanism for discovery in case data are lost or inappropriately disclosed.
4. Exceptions. Notification delays are allowed if notification might impede a criminal investigation or cause damage to national security. In addition, notification is *not* required in cases a) which are accidental, b) which are between normally authorized people, and/or c) where the information is unlikely to have been retained.
5. Increased Fines. The fines have been greatly expanded from the $250,000 maximum called for in HIPAA, as seen in the table below; notice the escalation for cases deemed “willful neglect.”
6. Personal Liability. One of the more overlooked parts of HITECH is that criminal penalties may apply to individuals and employees of a covered entity who disclose individually identifiable health information maintained by the covered entity without proper authorization. So, additional training of employees may be indicated to make sure this is understood.
7. More Oversight. Healthcare organizations are facing a very complex compliance landscape now; here are but a few of the additional regulatory bodies you need to be concerned about.
- Federal Trade Commission. The FTC is getting involved in several ways. First, inappropriate PHR disclosure by non-HIPAA covered entities will be covered by them. In addition, the FTC is enforcing so-called “Red Flag” rules to prevent identity fraud.
- State Attorneys General. HITECH now empowers them to bring civil suits on behalf of residents of a state against any person for harm due to a violation. In addition, several states (notably California, Massachusetts and Nevada) have promulgated data breach notification laws which impact healthcare organizations.
- PCI DSS. Although this may not be “top of mind” for healthcare IT security folks, the PCI DSS rules govern credit card protection, and need to be considered as part of the administrative network.
See p. 42749
See pp. 42741–42742