How does HITECH change / modify HIPAA – Summary


Hope Levy-Biehl, Amy Joseph, Steve Phillips, Karl Schmitz, Paul Smith



The long-awaited final rule implementing the privacy and security provisions of the HITECH Act has been released. The rule covers much the same ground as the proposed HITECH rule issued in 2010, but also includes changes to the HITECH Breach Notification Rule, in particular to address the controversial provision that presently allows covered entities to avoid reporting if they determine that there is not a significant risk of harm to the individual. (The rule is available at www.federalregister.gov/public-inspection. The government’s press release is available at: www.hhs.gov/news/press/2013pres/01/20130117b.html.)

The new rule, which was authored by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), covers four main topics:

•    The extension of the HIPAA Security Rule and the privacy and security provisions of the HITECH Act to business associates;

•    Modification of the Breach Notification Rule;

•    Changes to the HIPAA privacy standards, some of which are mandated by the HITECH Act and some of which address problems with the original standards that have emerged over time;

•    Modifications to the HIPAA Enforcement Rule to implement the HITECH Act.

The effective date of the rule is March 26, 2013, and the changes to the Enforcement Rule will be implemented then.  Covered entities and their business associates must comply with the other changes by September 23, 2013.  The rule allows additional time to amend existing business associate contracts.

A summary of the principal changes follows.

Business associates  

Definitional Changes and other business associate clarifications and modifications

Section 160.103 of the HIPAA regulations contains definitions of certain key terms that appear throughout the HIPAA rules.  One significant change in this final rule involves a number of changes in the definition of “business associate.”

The HIPAA Privacy and Security Rules generally permit a covered entity to disclose protected health information (PHI) to a business associate and to allow a business associate to create, receive, maintain or transmit protected health information on a covered entity’s behalf, provided the covered entity obtains satisfactory assurances from the business associate (typically in the form of a business associate agreement) that the business associate will appropriately safeguard the information it receives.

Historically, a “business associate” has been defined as a person (including a natural or artificial person, public or private) who, on behalf of a covered entity or an organized health care arrangement, performed or assisted in the performance of a function or activity regulated by HIPAA and involving the use or disclosure of individually identifiable health information.  The definition included, by way of example, various functions that a business associate may provide, including legal, actuarial, accounting, consulting, management, administrative or financial services.

Various changes have been made to this definition in the final rule.  For one, patient safety activities have been added to the list of functions and activities that a person may undertake on behalf of a covered entity that give rise to a business associate relationship.  This modification was necessary to conform the HIPAA regulations to the statutory provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA).

In addition, the definition of a “business associate” now includes both a list of activities that constitute “business associate” activities and those that specifically fall outside the definition of a “business associate.”  The following are now specifically included in the definition as examples of business associates:

•    a Health Information Organization, e-prescribing gateway or other person that provides data transmission services with respect to PHI to a covered entity and that requires access to such PHI on a routine basis;

•    a person that offers a personal health record to one or more individuals on behalf of a covered entity; and

•    a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.

Further, specifically excluded from the definition of a business associate are the following:

•    a health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual;

•    a plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, as long as the plan and the sponsor comply with the requirements of the Privacy Rule;

•    a government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting PHI for such purposes, to the extent such activities are authorized by law; and

•    a covered entity participating in an organized health care arrangement that performs various business associate functions for or on behalf of the organized health care arrangement.
