Breach Notification Rule – HITECH (HIPAA Part 2)

The Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act, was enacted as part of the American Recovery and Reinvestment Act of 2009, signed by President Barack Obama on February 17 of last year. The HITECH Act amends the federal HIPAA privacy and security rules.

Effective February 2010, several provisions of HITECH become active, including:

  • Breach notification.
  • Access to patient records.
  • Restrictions on the use and disclosure of protected health information.

Although HITECH went into effect on September 23, 2009, the U.S. Department of Health and Human Services stated that it would not impose sanctions for failure to comply with the new rules until February 2010.

Required provisions for HITECH compliance are:

Breach notification: The HITECH Act requires providers to notify affected individuals of any data breach promptly. If the data breach affects more than 500 people, the media should be notified as well as the affected people. In addition, if the breach affects more than 500 people, Health and Human Services must be notified. Breaches affecting fewer than 500 people must be reported to the Secretary of Health and Human Services on an annual basis.

Access to electronic health records: The HITECH Act now requires covered entities to provide individuals with electronic copies of their electronic protected health information.  Individuals can now also designate another person or entity to be the recipient of the electronic protected health information.

California law: California Health and Safety Code Section 123100-123149.5 entitles patients to:

  • Inspect records during business hours within 5 days of presenting a written request.
  • Receive copies of records within 15 days of presenting a written request.

The law gives the providers the right to:

  • Charge a reasonable clerical cost for locating and making the records available.
  • Charge $0.25 per page, as well as reasonable clerical costs, for copies.
  • Charge reasonable costs, not exceeding actual duplication cost, for x-ray copies.
  • Prepare a summary of the records as an alternative to providing copies or allowing inspection.

Restrictions on disclosure of protected health information: The HIPAA privacy rule currently provides individuals with a right to request a restriction on the use or disclosure of protected health information for purposes of treatment, payment, or health care operations. Until now, providers had no obligation to agree to that request. However, effective February 2010, if a patient has paid out-of-pocket for services rendered and requested that the provider not send their health information (or portions thereof) to their insurance plan, the provider must comply with this request.
