
Among tax cuts and credits, more bailout fund requirements, and restrictions on executive pay packages, the American Recovery and Reinvestment Act of 2009 (ARRA) also includes a section that expands the reach of the Health Insurance Portability and Accountability Act (HIPAA) and introduces the first federally mandated data breach notification requirement.

Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), reserves $22 billion to "advance the use of health information technology" -- in large part so the U.S. will be able to move to e-health records by a 2014 deadline.

It also expands the reach of HIPAA data privacy and security requirements to include the "business associates" of those entities (health care providers, pharmacies, and the like) that are subject to HIPAA. Business associates are companies like accounting firms, billing agencies, law firms or others that provide services to the entities covered under HIPAA.

The expanded opportunity for state attorneys general to get involved in enforcement under the HITECH Act will create more complexity for those subject to HIPAA -- especially those who do business in more than one state.

The HITECH Act requires HIPAA-covered entities to notify the Secretary of Health and Human Services and affected individuals when their protected information has been compromised. Notice must be given to the individuals whose data is affected "without unreasonable delay," and no later than 60 days after the breach occurs. Similarly, business associates that experience a breach are required to notify the covered entities with which they have contracted, and the covered entities will then notify the affected individuals. If the breach involves 500 people or more, the covered entity will also be required to notify major media outlets.

The HITECH Act includes a number of measures designed to broaden the scope and increase the rigor of HIPAA compliance. New updates to the law are added on a regular basis. In terms of the management and protection of PHI data, five key areas are especially important.

  1. Increased responsibility for Information Security Officers (Electronic Communication)
    The specific title may vary under the policies of the "covered entity." The HITECH Act requires proactive administrative management of all users who have access to or connect to the chosen communication system. Information Security Officers are required to: be the primary authority and responsible individual contact for managing items such as the addition, termination and suspension of authorized users; be the primary contact when an audit occurs; manage passwords, access codes, etc.; be the conduit for, or be notified of, all technical support; and ensure compliance with the policies and procedures of the covered entity. The authority and responsibilities of the Information Security Officer are significantly increased. Actions taken by the Information Security Officer are required to have an audit trail.
  2. Proactive enforcement
    The HITECH Act requires periodic audits to ensure that covered entities and business associates are in compliance with the requirements of the HITECH Act. Organizations that do not have the required technology in place by 2015 face penalties and payment cuts instead of incentives. Penalties for a single violation can total $250,000, with a maximum of $1.5 million for repeated or uncorrected violations. Organizations must move soon to gain maximum benefit from incentives - and to avoid penalties for non-compliance with the HITECH Act. Physicians can earn $40,000 to $60,000 over a five-year period if they implement health information technology according to regulations. For hospitals, payment incentives start at a rate of $2 million annually. Additional amounts are provided based on the volume of Medicare-supported patients.
  3. Extension of HIPAA rules to business associates
    The new law extends HIPAA privacy and security requirements to cover the business associates of covered entities. These business associates can include health information exchange organizations, regional health information organizations, or "any vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record." Services can include legal support, accounting, IT, financial support, marketing and other areas. In effect, these associates are now subject to the same requirements for PHI data security as covered entities - along with the same penalties for noncompliance. The financial penalties for violations of HIPAA have also been increased, and a percentage of the civil penalties collected will be distributed to individuals harmed by the violations. The HITECH Act also provides that business associate agreements must be revised to include any new privacy or security requirements of the legislation.

  4. Stricter requirements for breach notifications
    The HITECH Act requires that patients be notified of any unauthorized acquisition, access, use, or disclosure of their unsecured PHI that compromises the privacy or security of such information. Unless otherwise defined by the HHS, the HITECH Act defines unsecured PHI as any PHI that is not secured by a technology standard that renders it unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.

  5. Encryption as a recognized methodology for protecting PHI
    The HITECH Act requires the Secretary of HHS to issue guidance specifying the technologies and methodologies that render protected health information "unusable, unreadable or indecipherable" to unauthorized persons. This guidance was issued by HHS on April 17, 2009. Along with data destruction, encryption is cited as a compliant methodology. In effect, the use of encryption can provide a "safe harbor" that protects covered entities and business associates from having to give notice under the breach notification provisions. The HHS guidance identifies two encryption processes recognized by the National Institute of Standards and Technology (NIST) as rendering protected health information unusable, unreadable or indecipherable. For data at rest, the acceptable processes are those consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. Valid encryption processes for data in motion (such as data moving through a network) are those in compliance with Federal Information Processing Standard (FIPS) 140-2.
