Tuesday, May 26, 2009

What does the new HITECH Act entail?

Expert witnesses who use medical records need to stop and take notice of the new Health Information Technology for Economic and Clinical Health Act (HITECH). The HITECH Act, a provision of the recently passed American Recovery and Reinvestment Act of 2009 (ARRA), substantially changes the HIPAA rules for any expert working as a business associate of a covered entity.

The first major change that affects the business associate is found in section 13401(a). This section stipulates that 45 C.F.R. Part 164 Subpart C (the Security Rule) will “apply to the business associate of a covered entity in the same manner such sections apply to the covered entity.” In other words, the business associate must now abide by the Security Rule and safeguard all electronic protected health information (ePHI). Before HITECH, a business associate only needed to provide the safeguards it had agreed to in its business associate agreement with the covered entity. After HITECH, business associates must implement administrative, physical, and technical safeguards and create formal policies and procedures in order to satisfy the HITECH Act and the Security Rule. The business associate will not be alone in this endeavor: the Secretary of Health and Human Services will annually issue guidance on the most appropriate and effective technical safeguards for complying with section 13401.

Failure to follow section 13401(a) can have serious consequences for the expert. Prior to HITECH, a business associate faced no direct civil or criminal penalties under HIPAA for negligent or intentional mishandling of protected health information; at most, the covered entity would cancel the contract. The penalties fell squarely on the covered entity. HITECH changes that.

According to section 13401(b), a business associate that violates the security requirements of subsection (a) is subject to the civil and criminal penalties of sections 1176 and 1177 of the Social Security Act, and these penalties can be severe. For instance, a person who knowingly discloses individually identifiable health information to another person with the intent to sell or transfer that information faces a fine of up to $250,000 and up to 10 years of imprisonment. Violations that fall short of that, such as failing to take reasonable care in securing protected health information, carry civil penalties under section 1176 that historically were capped at $25,000 per calendar year for identical violations, a cap that HITECH section 13410 replaces with a substantially higher tiered structure. HITECH has completely changed the liability landscape for all business associates.

The last major change found in the HITECH Act is section 13402: Notification in Case of a Breach. This section drastically alters the HIPAA Privacy Rule, which in its current form requires neither the covered entity nor the business associate to notify individuals of a breach.

According to 13402(a):

a covered entity that accesses, maintains, retains, modifies, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of the breach.

Additionally, section 13402(b) states:

A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHI of a covered entity must notify the covered entity in the event of a breach in the security of such information. The notice must include, among other things, “the identification of each individual whose unsecured protected health information” was breached.

The important concept to remember from both 13402(a) and (b) is that notification is only required for a breach of unsecured protected health information. Strictly, section 13402(h)(1)(A) defines unsecured PHI by reference to the technologies and methodologies the Secretary specifies in guidance; section 13402(h)(1)(B) supplies the fallback definition that applies if that guidance is not issued in time:

Protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute (ANSI).

Based on the above definition, if a business associate encrypted its protected health information with an ANSI-accredited encryption standard and a breach occurred, that business associate would not need to provide notification because the information would be unreadable or indecipherable to the unauthorized individual. Only unsecured information warrants a breach notification. Note the practical caveat: the information is only indecipherable if the decryption key was not exposed along with it, so the key must be stored and managed separately from the encrypted data.
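To make the “unusable, unreadable, or indecipherable” standard concrete, here is an added example (not code from the original article or its authors) that stores a constructed, fictitious patient record under AES-256-GCM and shows what a practitioner should check: the stored form reveals nothing about the record, a party without the key cannot recover it (a wrong key fails authentication rather than yielding garbage), and any tampering with the stored bytes is detected. The record, the field names, and the function names are illustrative assumptions; the key source is a placeholder for whatever key store or HSM the business associate actually uses, and the key must never be written next to the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SampleRecord is a constructed, fictitious PHI record used only for this example.
const SampleRecord = `{"patient":"Jane Doe","dob":"1970-01-01","dx":"E11.9"}`

// NewKey returns a fresh 256-bit AES key. In a real deployment this comes from a
// key store or HSM and is kept separate from the encrypted data; if the key is
// exposed together with the ciphertext, the data is no longer "unreadable".
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPHI seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce is generated per record; the tag authenticates the ciphertext.
func EncryptPHI(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptPHI opens a blob produced by EncryptPHI. A wrong key or any modification
// of the stored bytes fails the GCM authentication check and returns an error.
func DecryptPHI(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob shorter than a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext is a sanity check on the stored form: it reports whether any of
// the given plaintext fragments appear verbatim in the blob. For a properly
// encrypted record this must be false.
func LeaksPlaintext(blob []byte, fragments ...string) bool {
	for _, f := range fragments {
		if bytes.Contains(blob, []byte(f)) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptPHI(key, []byte(SampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; leaks plaintext: %v\n",
		len(blob), LeaksPlaintext(blob, "Jane Doe", "1970-01-01"))

	// Holder of the key recovers the record.
	pt, err := DecryptPHI(key, blob)
	fmt.Printf("with key: %q err=%v\n", pt, err)

	// Unauthorized party with a different key gets an error, not garbage.
	wrongKey, _ := NewKey()
	_, err = DecryptPHI(wrongKey, blob)
	fmt.Printf("with wrong key: err=%v\n", err)

	// Any modification of the stored bytes is detected.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptPHI(key, tampered)
	fmt.Printf("after tampering: err=%v\n", err)
}
```

The design choice worth noting is the use of an authenticated mode (GCM) rather than bare CBC or ECB: it gives the business associate a definite answer to “was this record altered or decrypted with the right key” instead of silently producing corrupted output, which matters when reconstructing what a breach did and did not expose.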

When a breach of unsecured protected health information occurs and is discovered, or reasonably should have been known, section 13402(d)(1) requires business associates and covered entities to send their notifications without unreasonable delay and in no case later than 60 calendar days after discovery. Lastly, 13402(d)(2) places the burden of proof on the business associate and covered entity to demonstrate that all required notifications were made as required.

Once a breach is discovered, section 13402(e) defines the methods of notice that a covered entity or business associate must use when notifying an individual. Under 13402(e)(1)(A), notice is given in writing by first-class mail to the individual (or to the next of kin if the individual is deceased) at the last known address, or, if the individual has specified a preference for it, by e-mail. Under 13402(e)(1)(B), if contact information is insufficient or out of date for ten or more individuals, a substitute notice is used: either a conspicuous posting, for a period determined by the Secretary of HHS, on the home page of the covered entity’s web site, or notice in major print or broadcast media in the geographic areas where the affected individuals likely reside. Either form of substitute notice must include a toll-free phone number the individual can call to learn more. Lastly, if the covered entity determines that imminent misuse of the unsecured protected health information is possible, section 13402(e)(1)(C) allows it to contact individuals by telephone or other appropriate means, in addition to (not instead of) the written notice.

Section 13402(e)(1) applies to the notification of individuals. If the unsecured protected health information of 500 or more residents of the same state or jurisdiction is breached, section 13402(e)(2) also applies and requires notice to prominent media outlets serving that state or jurisdiction. Section 13402(e)(3) requires immediate notice to the Secretary of HHS if the breach involves 500 or more individuals; for smaller breaches the covered entity may instead keep a log and submit it to the Secretary annually.

Every notification a business associate or covered entity provides to an individual or media outlet must contain the information required by section 13402(f): a brief description of the breach, the dates of the breach and of its discovery, a description of the types of unsecured protected health information involved, the steps the individual should take to protect themselves, the steps the covered entity is taking to investigate, mitigate losses, and prevent further breaches, and contact information for individuals who have questions or want additional information.

Every expert who can be classified as a business associate of a covered entity and who handles electronic protected health information must understand the new HITECH Act. Doing so will not only allow you to properly safeguard the ePHI but will also reduce your chance of having the new penalties imposed on you.


Jeffrey Straka, J.D., and Amanda Moore Straka, J.D., are the authors of numerous articles on the legal implications of HIPAA, the HITECH Act, and information security. They each graduated from the Charleston School of Law in 2008 and are both pursuing master’s degrees in accounting from Seton Hall. They are currently compliance analysts at a corporation in Tampa, FL.