
HITECH Act Strengthens Health Privacy Requirements

By: Absolute Team | 7/10/2009

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into law in February 2009, will come into effect on February 17, 2010. This new Act, in addition to encouraging doctors and hospitals to use electronic health care records systems, changes privacy requirements. The new privacy requirements strengthen those requirements already mandated by HIPAA.

Some of the changes that HITECH will mandate, in regards to privacy requirements, include:

  • Definition of Personal Health Information (PHI) expanded
  • Stronger data breach notification requirements
  • Increased penalties for HIPAA violations and more aggressive enforcement, including criminal cases
  • Business associates subject to civil and criminal penalties for violating HIPAA requirements
  • Defined guidelines on how to protect PHI

In terms of data breaches, HITECH will require that individuals be notified if their PHI has been accessed and that information was unsecured, unencrypted or not deleted from a computer using a method that meets the standard (such as the Computrace Data Delete feature). The Act requires that vendors notify the individual of the breach even if identity theft is not probable, which is a much stronger requirement than many state notification requirements.

Though the effective date for HITECH is not until February 2010, in August of this year the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) will synchronize their respective regulations and issue interim final regulations.

Healthcare organizations will need to address these new HITECH requirements by strengthening their data security measures. Computerworld has put together "5 Steps to HITECH Preparedness", which is well worth reading.