In part two of our blog series on HITECH Foundations, we explore a number of key areas, including breach notification requirements, restrictions on disclosures, and the fines related to HITECH non-compliance.

If you missed part one of our series, check it out here

Let’s now take a closer look at:

  • Which HIT infrastructure improvement activities are supported
  • Breach notifications
  • Restrictions on disclosures and sales of health information
  • The ability for individuals to opt-out of marketing

Supported HIT Infrastructure Improvement Activities

The Federal government invests funds to support the following:

  • Health information technology architecture that supports the nationwide electronic exchange & use of health information in a secure, private, and accurate manner (including connecting health information exchanges). 
  • Development and adoption of appropriate certified electronic health records 
  • Training on and dissemination of information on best practices for integrating HIT
  • Infrastructure and tools for the promotion of telemedicine
  • Promotion of the interoperability of clinical data repositories/registries
  • Promotion of technologies and best practices that enhance the protection of health information by all holders of individually identifiable health information
  • Improvement and expansion of the use of HIT by public health departments

Breach Notification Requirements

Circumstances Where Notification is Required

Covered entities or business associates who interact with PHI in the following ways must notify each individual whose PHI has been (or is reasonably believed to be) impacted by a discovered breach within 60 calendar days:

    1. Accesses
    2. Maintains
    3. Retains
    4. Modifies
    5. Records
    6. Stores
    7. Destroys
    8. Or otherwise:
      1. Holds
      2. Uses
      3. Discloses

In short, if an organization interacts with PHI and that PHI is involved in a breach, that organization is required to notify the individuals impacted by the breach. 

HITECH expects organizations to take reasonable steps to detect breaches. This means an organization can’t justifiably claim a notification wasn’t made because the breach was undetected if there were reasonable steps the organization could have taken that would have led to the discovery of the breach.

How to Notify Individuals, the Media, and the Secretary of DHHS

In notifying individuals, organizations are to send notification via first-class mail or, if a mailing address is not available for the individual, via:

  • Email
  • Phone
  • An easily noticeable statement on the organization’s homepage

If a breach involves more than 500 residents in a given State/jurisdiction, the organization must notify prominent media outlets in the affected area.

Organizations are to notify the Secretary of DHHS each year of all breaches involving PHI, unless the breach involves more than 500 individuals. In that situation, the Secretary is to be notified immediately. The Secretary also keeps a list identifying each covered entity involved in these large breaches on the DHHS’s website. 

Information to be Included in a Breach Notification

Regardless of how individuals are notified of a breach, the notification is to include (to the extent possible):

  • A brief description of what happened, when it happened, and when it was discovered
  • A description of the types of unsecured PHI involved. For example:
    • Full name
    • Social security number
    • Date of birth
    • Home address
    • Account number
    • Disability code
    • Etc.
  • The steps individuals should take to protect themselves from potential harm resulting from the breach
  • A brief description of what the covered entity is doing to investigate the breach, mitigate losses, and to protect against any further breaches
  • Contact information individuals can use to ask questions or learn additional information, which is to include a:
    • Toll-free number
    • Email address
    • Website
    • Postal address

Notifications and Law Enforcement

If a law enforcement official determines that a notification of a breach would impede a criminal investigation or cause damage to national security, notifications of the breach are to be delayed.

Restrictions on Disclosures and Sales of Health Information

Individuals may request that their PHI be restricted from disclosure. Covered entities must comply with these requests if:

  • The disclosure is to a health plan so that payment may be made
  • The PHI pertains solely to a health care service/item which has been paid for in full and out-of-pocket

Sales of health information are to be limited to the minimum amount of information necessary in order to accomplish the intended purpose of the use, disclosure, or request of PHI.

Ability to Opt-out of Marketing

Any written communication from a health care operation must:

  • Be written in a clear and obvious manner
  • Provide an opportunity for the recipient to opt-out of future communications
    • Note: If an individual chooses to opt-out, their decision may not be treated as a revocation of authorization

Fines

Important Definitions Related to Violations & Fines

As used in this subpart, the following terms have the following meanings:

Reasonable cause

  • An act or omission that a covered entity or business associate knew (or should have known) was in violation of this act, but in which the covered entity or business associate did not act with willful neglect

Reasonable diligence

  • The business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances

Willful neglect

  • Conscious, intentional failure or reckless indifference to the obligation to comply with this act

When Fines Can be Levied

  1. If a covered entity or business associate has violated HIPAA, the US Government can impose a monetary fine on the offending organization
  2. If a violation is committed by more than one covered entity or business associate:
    1. Each offending organization can be fined
    2. If a covered entity is part of an affiliated covered entity, the affiliates are jointly liable unless it’s found that a member of the affiliation was responsible for the violation
  3. A covered entity will be found in violation of HIPAA even in situations where the violation was committed by any of the following acting within the scope of the covered entity:
    1. An agent of the covered entity
    2. A workforce member
    3. Subcontractor
    4. Business associate

Factors Considered When Determining Fine Amounts

The US Government considers the following factors when determining the amount of fines:

  • The nature and extent of the violation, including:
    • The number of affected individuals
    • The time period when the violation occurred
  • The nature and extent of the harm caused by the violation, including:
    • If the violation caused physical harm
    • If the violation resulted in financial harm
    • If the violation harmed an individual’s reputation
    • If the violation hindered an individual’s ability to obtain health care
  • Any previous violations, including:
    • If the violation has happened (or appeared to have happened) before
    • If the covered entity or business associate has attempted to correct previous indications of noncompliance
    • If the covered entity or business associate has responded to technical assistance from the Secretary
    • How the covered entity or business associate has responded to prior complaints
  • The financial condition of the covered entity or business associate, including:
    • If the covered entity or business associate has had financial difficulties, affecting its ability to comply
    • If a civil money penalty would jeopardize the ability of the covered entity or business associate to continue to provide or pay for health care
    • The size of the covered entity or business associate
  • Other matters as justice may require

Fine Amounts

Fines can be up to the following amounts:

  • For a violation where the covered entity or business associate did not know (and would not have known through reasonable efforts) that it was in violation:
    • Between $100 and $50,000 per violation
    • No more than $1,500,000 for identical violations during a calendar year (i.e., January 1 - December 31)
  • For a violation stemming from reasonable cause and not willful neglect:
    • Between $1,000 and $50,000 per violation
    • No more than $1,500,000 for identical violations during a calendar year
  • For a violation stemming from willful neglect that was corrected within 30 days of the date the organization discovered (or should have known of) the violation:
    • Between $10,000 and $50,000 per violation
    • No more than $1,500,000 for identical violations during a calendar year
  • For a violation stemming from willful neglect that was not corrected within 30 days of the date the organization discovered (or should have known of) the violation:
    • Minimum of $50,000 per violation
    • No more than $1,500,000 for identical violations during a calendar year
  • If a requirement or prohibition in one administrative simplification provision is repeated in a more general form in another provision, a civil money penalty may be imposed for violating only one of the provisions

What Your Organization Can Do

In order to comply with HITECH, your organization should:

  1. Consult with the appropriate experts, including your organization’s legal counsel, to determine if HITECH applies to your organization
  2. Assess if your organization is currently handling PHI
  3. Implement a process so if your organization begins handling PHI, your organization can be HIPAA compliant the first day it begins handling that information
  4. Have your personnel read our compliance articles on HIPAA & HITECH