On Feb. 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (commonly referred to as ARRA or the Stimulus Bill) which includes the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act includes significant changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that affect otolaryngologists and other health care providers, as well as those who process or work with health care information. Below is a summary of how these new provisions, many of which go into effect this Feb. 17, will affect your practice.
January 2010

Expansion of Security and Privacy Provisions
The HITECH Act extends the principal privacy and security provisions of HIPAA directly to business associates who have access to individual health information in the course of performing services for covered entities.
A “covered entity” is a health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form. A “business associate” is a person (other than a member of the covered entity’s workforce) or entity who, on behalf of a covered entity, performs an activity involving the use or disclosure of an individual’s health care information, such as the performance of financial, legal, actuarial, accounting, consulting, data aggregation, management, administrative, or accreditation services to or for a covered entity. A common example of a business associate is a third-party service provider that assists with claims processing or billing.
For example, HIPAA permits a physician to disclose a patient’s protected health information (“PHI”) to a third-party service provider so that the service provider can create, receive, maintain, or transmit health information on behalf of the physician, as long as the physician receives written assurance that the service provider has implemented appropriate safeguards to protect the confidentiality of the information. These written assurances typically take the form of a Business Associate Agreement.
With respect to the security provisions of HIPAA, the HITECH Act includes new requirements for third-party service providers to protect the confidentiality of electronic protected health information (“ePHI”). For example, service providers should develop physical safeguards to limit access to ePHI stored in electronic information systems (i.e., facility or workspace access controls) and develop technical safeguards so that only those persons or software programs that have been granted access rights can access ePHI (i.e., person or entity authentication).