On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it, enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies promoting health information technology a topic that President Obama touted throughout his campaign. However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Information Portability and Accountability Act of 1996 ("HIPAA"), and generally extends some of those regulations to non-HIPAA-covered vendors of personal health records and their business partners.
If you are hoping that federal lawmakers have used the HITECH Act to finally set a national standard for patient medical information, however, you will be disappointed.
The HITECH Act, like HIPAA, preempts any contrary state laws, but leaves intact any state laws and regulations that impose stricter requirements on the handling of patient information. As a practical matter, this means that if you are covered by HIPAA and the HITECH Act you must meet new minimum standards while continuing to monitor and comply with the ever-increasing patchwork of laws governing patient information in every state in which you operate.
What follows is a more detailed discussion of the provisions of the HITECH Act and how it attempts to provide additional security for patients’ health information.
A prime example of these "patchwork" state laws are recent security breach notification requirements that regulate personal information. If the medical records that you manage also contain social security numbers or financial account information (data that state laws typically recognize as "personal information"), both the HITECH Act and this patchwork of state laws may govern. Currently, forty-four states (including the District of Columbia, the Virgin Islands and Puerto Rico) have enacted some form of a notification requirement for data breaches of personal information. (The six states without laws on their books are Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota.) However, the definition of "personal information," and the extent, substance, and timing of notification vary from state to state. As a result, data breaches involving patient information can be subject to a wide variety of federal and state law. While the HITECH Act raises the bar, it does little to unify this area of law.
The HITECH Act provides a "floor" for notification requirements regarding any security breach of patients’ "unsecured protected health information." The definition of "protected health information" (or "PHI") is imported from HIPAA, and generally includes any part of a patient’s medical record or payment history. The definition of "unsecured" PHI is broadly defined and generally means any PHI that is not secured by technology rendering that information unreadable or unusable in an accredited manner. The Secretary of Health and Human Services has been charged with issuing more definite guidance within 60 days.
The HITECH Act’s security breach notification requirements specify the timing, manner, and substance of any breach notification, among them:
- notifying the Secretary of Health and Human Services "immediately" if the breach is with respect to 500 or more individuals;
- notifying each individual whose unprotected health information is reasonably believed to have been accessed, acquired, or disclosed as a result of the breach;
- providing notice to prominent media outlets in each State where the unsecured protected health information of 500 or more residents is reasonably believed to have been accessed, acquired, or disclosed as a result of the breach;
- completing all notifications to affected individuals and media, if applicable — "without unreasonable delay and in no case later than 60 days," unless delayed notification is authorized for certain law enforcement purposes (so as not to "impede a criminal investigation or cause damage to national security");
- specifying in each notification to an individual a description of what happened, the types of information believed to have been accessed, and contact procedures for affected individuals to ask questions or learn more information; and
- requiring all affected entities to provide the Secretary of Health and Human Services an annual log tracking every breach.
While all affected entities will need to update their notification protocol to comply with these requirements, affected entities in those six states that do not require data breach notification (Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota) will have some significant catching up to do.
- The HITECH Act is available here (.pdf), or directly from the Government Printing Office here (.pdf)
- [Note that the HITECH Act begins at H.R. 1-112 through 1-165 (pp. 112 through 165 in the document). The security and privacy provisions are found at Subtitle D Privacy, beginning H.R. 1-144 (p. 144)]