“HITECH” Act: What You Need to Know About Electronic Protected Health Information

By: Gregory S. Weiner, Esquire                               gweiner@pklaw.com

Recently enacted legislation has resulted in extensive expansions to the privacy, security, breach notification and enforcement rules of the Health Information Technology for Economic and Clinical Health (HITECH) Act under the Health Insurance Portability and Accountability Act (HIPPA).  The new laws were adopted on March 26, 2013 and compliance with most of the law is required by September 23rd, 2013.

The law makes significant changes to protect patients and their right to privacy concerning their own personal health information (PHI).   The act offers patients greater control over distribution, use and disclosure of their PHI.  As a result of these changes, the law places harsher penalties and compliance regulations on health care providers and their “business associates.”  The law, with its stringent compliance demands, gives the government’s ability to enforce this rule some bite.  That bite can cost $25,000 for first time offenses, and $1.5 Million for repeated violations of the same offense.  This can result in multiple seven figure penalties if compliance is not met.  Furthermore, a covered entity can no longer bar the imposition of a civil money penalty for an unknown violation, unless it corrects the violation within 30 days of discovery.

So what do you need to know?  First, The Act has expanded the definition of what qualifies as a “Business Associate” to include any parties that “create, maintain or transmit” personal health information (PHI).  This new broad definition includes many subcontractors not previously covered by The Act.   These newly covered “business associates” will be subject to the same compliance regulations as the company that delegates their work with regard to electronic PHI.  What’s more daunting is that this compliance travels from the top, down.  Therefore, a subcontractor’s subcontractor is held to many of the same compliance requirements as that of the original business associate.

The changes to the patient privacy rules places greater control concerning PHI in the hands of the patients.  The modification requires that, unless otherwise permitted by the patient, the PHI only be used and disclosed for the stated purposes under HIPAA. This modification falls in line with the requirements of the Genetic Nondiscrimination Act, “GINA,” which prohibits the use or disclosure of genetic information for underwriting purposes.  Furthermore, patients must be notified of these new privacy rights as soon as possible.

The last rule modified concerns the Security Rule.  The modification lowers the threshold of harm to impose liability on the business associate or subcontractor who or which allowed the breach.  The new rule also sets forth specific safeguards that business associates and subcontractors must implement in order to be compliant.

To avoid any future issues concerning these changes, businesses providing services that deal with electronic protected health information must ensure they are fully compliant with HIPAA/HITECH and other healthcare privacy related legislation.  PK Law attorneys are well versed in healthcare legislation and regulations and can assist you with drafting, amending current contracts and negotiating:

  • Website Development Agreements
  • Software As a Service (SaaS) Agreements
  • Website User Agreements
  • Licensing Agreements
  • Joint Venture and Teaming Agreements
  • Vendor Contracts

For additional information contact Gregory Weiner at gweiner@pklaw.com  or 410-339-5785 or contact information@pklaw.com.


This information is provided for general information only.  None of the information provided herein should be construed as providing legal advice or a separate attorney client relationship. Applicability of the legal principles discussed may differ substantially in individual situations. You should not act upon the information presented herein without consulting an attorney of your choice about your particular situation. While PK Law has taken reasonable efforts to insure the accuracy of this material, the accuracy cannot be guaranteed and PK Law makes no warranties or representations as to its accuracy.