What is the state of the HITECH rollout vis-a-vis its effective dates?
A summary of the HITECH Act effective dates for its various provisions can be found here.
On February 17, 2009 Upon Enactment
- Application of tiered civil monetary penalties (i.e. for violations occurring post enactment)
- State Attorney General Authority to Enforce (i.e. bring a civil action on behalf of citizens post enactment)
Note: To the best of our knowledge we have not as yet seen any fines imposed using the new tiered civil monetary penalties. However, we have seen a "historic lawsuit by a State Attorney General." If you have been paying attention (if not you soon will be), State Attorneys General now have the statutory right under HITECH Section 13410 to bring HIPAA-related suits on behalf of their citizens. So while an individual still cannot bring a civil action under HITECH, they can complain to their State Attorney General for relief. In effect, HHS just added fifty additional high-profile and ambitious enforcement staffers, and it doesn't come out of their budget! You can expect more State Attorneys General to follow suit (no pun actually intended).
By April 20, 2009 Within 60 Days of Enactment
- HHS must set forth a list of technologies and methodologies that render information "unusable, unreadable or indecipherable." Directly relevant to breach notification requirements.
Note: HHS met its date and issued the requisite guidance. Section 13402 of the HITECH Act requires breach notification following the discovery of a breach of unsecured protected health information. Section 13402(h) of the Act defines "unsecured protected health information" as "protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance" and requires the Secretary to specify in the guidance the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. As required by the Act, this guidance was issued on April 17, 2009, and later published in the Federal Register on April 27, 2009 (74 FR 19006).
Note: The bottom line with respect to this guidance is that if a Covered Entity encrypts or destroys PHI according to the specified standards and processes (i.e. secures the PHI), then if a breach occurs the Breach Notification Requirements of Section 13402 are not triggered, because by definition the PHI has been rendered "unusable, unreadable, or indecipherable to unauthorized individuals." HHS adopted NIST standards; PHI is considered secured when it meets one of the following:
(a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
(i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
(ii) Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
(b) The media on which the PHI is stored or recorded have been destroyed in one of the following ways:
(i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
(ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
By August 18, 2009 Within 180 Days of Enactment
- HHS and FTC must each promulgate interim final regulations on breach notification; which apply to breaches discovered on or after the interim final regulations have been published.
Note: HHS met its date (slightly late) by issuing its Breach Notification Interim Final Rule on August 24, 2009. The rule went into effect on September 23, 2009. HHS created Subpart D of 45 CFR Part 164 to meet the requirements contained in HITECH Section 13402 (i.e. "Notification in the Case of Breach"). To summarize the applicability of the rule, HHS stated as follows:
These breach notification provisions are found in section 13402 of the Act and apply to HIPAA covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information. The Act incorporates the definitions of "covered entity," "business associate," and "protected health information" used in the HIPAA Administrative Simplification regulations (45 CFR parts 160, 162, and 164) (HIPAA Rules) at § 160.103.
Note: The FTC promulgated its own Breach Notification Rules, but they are harmonized with those of HHS. Why two different sets of rules? Because while HHS will enforce HITECH for covered entities and business associates, it is the FTC that has enforcement responsibility for vendors of Personal Health Records that are neither CEs nor BAs (e.g. Google Health and Microsoft HealthVault).
By December 31, 2009 By this Specific Date
- IN GENERAL.—Not later than December 31, 2009, the Secretary shall, through the rulemaking process consistent with subsection (a)(2)(A), adopt an initial set of standards, implementation specifications, and certification criteria for the areas required for consideration under section 3002(b)(2)(B). The rulemaking for the initial set of standards, implementation specifications, and certification criteria may be issued on an interim, final basis.
Note: HHS met its date, and the "real geeks" among us spent part of our New Year's holiday "downtime" poring over the Interim Final Rules regarding the proposed standards and the meaningful use stages (see this post regarding interpreting the meaningful use stages and this post summarizing the adopted standards).
On February 18, 2010 Effective One Year Post Enactment
The HHS Virtual Money Machine
- Application of rules to, and accountability for, business associates.
- Clarification regarding which entities are required to be business associates.
- Patient's right to restrict disclosures to health plans.
- Deeming of limited data set as satisfying the minimum necessary standard.
- Patient's right to electronic access to, and an electronic copy of, their health record.
- Clarification regarding marketing provisions.
- Opt-out for fund raising communications; HIPAA's current provisions regarding fund raising remain in full force and effect.
- Clarification regarding the ability to impose criminal penalties against individuals.
- Civil monetary penalties and settlements flowing to HHS/OCR (Office for Civil Rights) for enforcement.
- Requirement for HHS to begin conducting mandatory audits.
In addition, the HHS virtual money machine kicks in as HITECH/HIPAA related fines start flowing into HHS' coffers (see 13410, "Improved Enforcement"). Finally, what the healthcare industry has been holding its breath for: mandatory audits (see 13411). Look folks, not only is there a new sheriff in town, this sheriff comes equipped with a money printing machine (something Wyatt Earp and Doc Holliday would have killed for--literally). All kidding aside, in the compliance world this is BIG NEWS!!!
By February 18, 2010 Due Within One Year Post Enactment
- HHS and FTC study on privacy and security requirements for PHR vendors and applications
- GAO study on best practices for disclosures for treatment and use of electronic informed consent.
- First annual report on HIPAA enforcement.
- First annual guidance on the most effective and appropriate technical safeguards for health information.
- HHS study on de-identification.
- HHS implementation of health information privacy educational initiative.