HITECH Business FAQs
The Health Information Technology for Economic and Clinical Health Act (known as the "HITECH Act") is part of the federal Stimulus Bill (the American Recovery and Reinvestment Act of 2009) signed into law by President Obama on February 17, 2009. HITECH significantly expands the HIPAA Privacy Rule and Security Rule and adds new privacy and security requirements for protected health information that materially and directly affect business associates.
As a courtesy, we are providing the following questions and answers to assist you in understanding these new changes.
- To whom does HITECH apply?
HITECH amends HIPAA. HIPAA applies to "Covered Entities" and to "Business Associates" of covered entities.
- What is a Covered Entity?
"Covered entities" under the HIPAA Privacy Rule generally include health care providers, health plans, and health care clearinghouses.
Covered products we offer that are subject to the HIPAA Privacy and Security Rules include long term care, expense-based cancer, hospital confinement, dental, vision and intensive care policies, certain medical coverages, and other health plans subject to the Health Insurance Portability and Accountability Act ("HIPAA").
- Who is a Business Associate under HIPAA?
A "Business Associate" is a person or entity that performs, or assists in performing, a function or activity involving the use or disclosure of protected health information ("PHI") on behalf of a Covered Entity (including on behalf of one of our covered products).
If a service provider handles PHI related to our long term care, expense-based cancer, hospital confinement, dental, vision or intensive care policies, then it is considered a Business Associate and HIPAA applies to it.
- What is Protected Health Information?
Protected Health Information ("PHI") is any individually identifiable health information that is created, received, transmitted, or maintained by a Covered Entity or its Business Associate, in any form (paper, electronic, or oral). "Identifiable" means that a person reading the information could reasonably use it to identify an individual.
Examples of PHI include, but are not limited to, underwriting information collected from an individual and information entered on claim forms relating to a covered product such as long term care, expense-based cancer, hospital confinement, dental, vision or intensive care policies, certain medical coverages, and other health plans subject to HIPAA.
- How do I know if I am a Business Associate?
If you receive, transmit, create, or maintain PHI on behalf of a Covered Entity, you are likely a "Business Associate" under HIPAA. Examples of Business Associates include, but are not limited to, sales agents/brokers, third-party administrators, and vendors who have access to PHI.
- Weren't Business Associates already subject to HIPAA?
Before HITECH, Business Associates were bound to HIPAA's requirements only contractually, through their Business Associate Agreements. HITECH makes Business Associates directly subject to HIPAA and directly liable to HHS for violations.
- What new requirements does HITECH impose on Business Associates?
- Business Associates must comply with the administrative, physical, and technical safeguards for electronic PHI under the HIPAA Security Rule in the same manner as a Covered Entity. In practice this means Business Associates must develop and maintain a written data security program for electronic PHI that complies with the HIPAA Security Rule, including a documented risk analysis and the policies and procedures the Rule requires.
- Business Associates must comply with the restrictions on use and disclosure of PHI contained in Section 164.504(e) of the HIPAA Privacy Rule.
- Business Associates will be subject to new restrictions on marketing communications and mandatory compliance audits by the Department of Health and Human Services ("HHS").
- Are Business Associates subject to the new security breach requirements under HITECH?
Yes. Business Associates are required to notify Covered Entities of any breach of "unsecured PHI" so that the Covered Entity can meet its own notification obligations under HITECH. "Unsecured PHI" is PHI that has not been encrypted or otherwise rendered unusable, unreadable, or indecipherable to unauthorized individuals in accordance with guidance issued by HHS; PHI that has been encrypted consistent with that guidance is not "unsecured", and its loss does not trigger notification. To meet this requirement, Business Associates should have adequate policies and procedures in place to detect, evaluate, and report breaches.
- What do I need to do if I become aware of a security incident or breach?
If you discover a potential or actual security incident or breach involving either paper or electronic data, you should notify Unum without unreasonable delay. To the extent possible, the notice should include: (i) a brief description of what happened, including the date of the incident and the date it was discovered; (ii) a description of the types of unsecured PHI involved (e.g., name, SSN, DOB); (iii) the identification of each individual affected; and (iv) any other information required by 45 CFR Section 164.410 (the HIPAA Breach Notification Rule's provision on notification by a Business Associate).
Please note that the HITECH breach notification obligations do not replace your existing reporting and notification obligations under state breach notification laws.
- What are the new enforcement and penalty provisions of HITECH?
HITECH increases the existing civil penalties under HIPAA by establishing a tiered system of penalties, ranging from $100 per violation for unknowing violations to $50,000 per violation for "willful neglect", subject to an annual cap of $1.5 million for all violations of an identical provision. HITECH also expands HIPAA's enforcement provisions by giving State Attorneys General the authority to bring civil actions on behalf of state residents, seeking injunctions and civil damages.
Business Associates are subject to civil and criminal penalties for breaching their Business Associate Agreements or otherwise violating HIPAA.
- Do the new requirements of HITECH require that my Business Associate Agreement with your company be amended?
Yes. The HITECH Act and its implementing regulations require that the new privacy and security requirements imposed on Business Associates be incorporated into all Business Associate Agreements, new and existing. New agreements must comply as of September 23, 2013. Qualifying agreements already in place on that date must be brought into compliance by the earlier of (1) the agreement's next renewal or modification after September 23, 2013, or (2) September 23, 2014.
- Where can I learn more information about HITECH?
You can find additional resources on the HHS Office for Civil Rights website at www.hhs.gov/ocr/privacy
We also highly recommend that you contact an attorney or seek legal advice regarding your responsibilities under HITECH, as it is not our intent to provide legal advice in this FAQ document.