Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Information Technology for Economic and Clinical Health Act (HITECH) promotes the adoption and meaningful use of electronic health records (EHRs) and strengthens the privacy and security of protected health information (PHI).
- passed in 2009 to bring the health system up to date with modern technology
- provides incentives to use electronic health records (EHRs) and penalties for not doing so
- scope is aligned with HIPAA, applies to covered entities and transactions
- main purpose was to speed up innovation in healthcare and provide updates to HIPAA related to privacy
- provides additional privacy and security requirements for PHI
- requires notifying victims about data breaches
Breach Notification Rule
- the Breach Notification Rule is triggered when any unsecured PHI is used or disclosed in a way not authorized by law
- four primary factors to determine a breach:
  - the type of information involved and whether individual patients may be identified
  - the parties who used and accessed the information
  - the likelihood that PHI was actually acquired or viewed by an unauthorized party
    - e.g., the email was deleted before being read
  - how well the PHI is secured
- notification requirements:
  - must notify victims within 60 days of knowing about a data breach
  - must explain the breach and any steps victims should take to protect themselves
  - if the breach affects more than 500 individuals, must notify media outlets
  - must notify HHS of any breaches
    - if the breach affects more than 500 people, must notify within 60 days
    - otherwise, annually
  - business associates must notify covered entities of any breach within 60 days
    - once notified, the covered entity is responsible for subsequent notification requirements
  - the covered entity must maintain documentation and evidence that demonstrates fulfillment of notification requirements