Health Information Technology for Economic and Clinical Health Act | Practical Law

Health Information Technology for Economic and Clinical Health Act

Practical Law UK Legal Update 2-386-1873 (Approx. 3 pages)

by Kenneth J. Laverriere and Sharon Lippett, Shearman & Sterling LLP
Published on 27 May 2009 | USA (National/Federal)

Speedread

The US Department of Health and Human Services issues guidance for group health plans, health care providers and health care clearing houses on fulfilling the notice requirements contained in the HITECH Act, which includes the health information technology provisions of the American Recovery and Reinvestment Act of 2009.
On 17 April 2009, the US Department of Health and Human Services issued guidance relating to notice requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which includes the health information technology provisions of the American Recovery and Reinvestment Act of 2009.
General rule. "Covered entities" must notify affected individuals within 60 days of any "breach" of their unsecured "protected health information". The requirements for the content and delivery of the notice are set out in the HITECH Act. If the protected health information is not unsecured, disclosure of a breach is not required, subject to the mitigation requirement (see below).
Covered entities. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines "covered entity" as a group health plan, health care provider or health care clearing house.
Protected health information. Under HIPAA, "protected health information" is any information that:
  • Is created or received by a covered entity.
  • Is transmitted or maintained in any form or medium.
  • Identifies an individual.
  • Relates to at least one of the following:
    • the individual's past, present or future physical or mental health;
    • the provision of health care to the individual; or
    • the past, present or future payment for health care.
Protected health information is unsecured if it is not secured through the use of a technology or methodology specified by the Department of Health and Human Services in the 17 April guidance. Protected health information is not unsecured if it is rendered "unusable, unreadable or indecipherable to unauthorized individuals" by one or more methods described in the guidance.
Breach. Protected health information has been breached if there is an "unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information".
Relief provided by the guidance. The 17 April guidance identifies and describes two safe harbour methods for rendering protected health information unusable, unreadable or indecipherable:
  • Encryption.
  • Destruction.
Covered entities may use other technologies and methods not described in the guidance for rendering protected health information unusable, unreadable or indecipherable. However, by electing one of the other technologies or methods, a covered entity will not have the protection of the safe harbour.
Mitigation requirement. The guidance does not relieve covered entities from compliance with all other federal and state statutory and regulatory obligations that may apply following a breach of protected health information, such as the obligation under HIPAA to mitigate the harmful effect of such breach. If a covered entity experiences a breach of unsecured protected health information, the covered entity will have to determine whether the mitigation requirement necessitates notice to affected individuals. If the protected health information subject to the breach is unsecured, notice is required, even if the covered entity believes that the mitigation standard would not require notice.