Legal Implications of HIPAA, HITECH and BAAs


8/4/2019 Legal Implications of HIPAA, HITECH and BAAs

    HIPAA (Health Insurance Portability and Accountability Act)

    Passed in 1996

    Enacted to protect health information; it establishes:

    transaction standards for the exchange of health information

    security standards

    privacy standards

    Protects "protected health information" (PHI)

    PHI means individually identifiable health information that is: (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium

    There are certain exclusions, such as education records and employment records held by a covered entity in its role as employer


    Applies to covered entities

    Covered entity means (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter

    Health information means any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, . . . employer, . . . and (2) relates to the past, present, OR future physical or mental health or condition of an individual; the provision of health care to an individual; OR the past, present, or future payment for the provision of health care to an individual.


    Also applies to the business associates of covered entities

    Business associate means, broadly, a person who performs, or assists in the performance of . . . a function or activity involving the use or disclosure of individually identifiable health information

    including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing

    Broadly, this means that if you use or receive PHI on behalf of a covered entity, then you are either a covered entity or a business associate


    HITECH (Health Information Technology for Economic and Clinical Health)

    Signed into law on February 17, 2009

    Provides for the adoption of electronic health records

    Also adds new breach provisions; a breach is

    "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information"


    HITECH Breach

    Who is under obligations?

    Covered entity; business associate; subcontractor requirements (the obligations pass down by contract from the business associate to its subcontractors)

    What are an entity's obligations?

    Investigate, give notice, reprimand, record/notify the Secretary of Health and Human Services

    If over 500 individuals are affected, the breach must be reported to the Secretary without unreasonable delay and no later than 60 days after discovery; smaller breaches are logged and reported to the Secretary annually

    As of September 26, 2011, 330 reports (several organizations more than once), impacting more than 11 million records


    Getting out of Breach Notification

    Notification is required only if the breach involved unsecured protected health information

    Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance

    Practitioner's caveat: under that guidance, encryption only takes PHI out of the "unsecured" category if the decryption key was not itself compromised, so keys must be stored on a device or at a location separate from the data they protect


    Getting out of Breach Notification

    Guidance available: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html (and is to be updated annually)

    Data at rest: NIST

    Data in motion:
