HIPAA privacy/security changes
The Health Information Technology for Economic and Clinical Health Act (HITECH) is part of the American Recovery and Reinvestment Act (ARRA) of 2009. HITECH provides federal funding for health information technology initiatives intended to improve administrative efficiency, and it also amends the HIPAA Privacy and Security Rules.
New rules under HITECH:
- Added a new requirement to notify affected individuals and the Department of Health and Human Services (HHS) of breaches of unsecured protected health information (PHI). PHI is "unsecured" when it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, by encryption or destruction under the HHS guidance).
- Made business associates directly subject to the Security Rule and to certain standards of the Privacy Rule, rather than bound only through their contracts with covered entities.
- Increased civil monetary penalties and strengthened enforcement.
Covered entities are:
- Health care providers that conduct certain transactions in electronic form
- Health plans
- Health care clearinghouses
Penalties
- Old rule: maximum civil penalty of $100 per violation, up to $25,000 per year for multiple violations of the same requirement.
- New rule: a tiered civil penalty structure based on the violator's level of culpability:
- Did not know (and, exercising reasonable diligence, would not have known) that a violation occurred: no change from the old rule.
- Reasonable cause, and not willful neglect: $1,000 per violation, up to a maximum of $100,000 per year for multiple violations of the same requirement.
- Willful neglect that is corrected in a timely manner: up to $10,000 per violation, up to a maximum of $250,000 per year for multiple violations of the same requirement.
- Willful neglect that is not corrected in a timely manner: up to $50,000 per violation, up to a maximum of $1,500,000 per year for multiple violations of the same requirement.
Effective dates
- Increased civil penalties: effective immediately upon enactment, February 17, 2009.
- Breach notification provisions: effective September 23, 2009, although HHS did not impose sanctions for failures to notify of breaches discovered before February 22, 2010.
- General effective date for most other provisions (including the expanded business associate requirements): February 17, 2010.