For the privacy rule, the HITECH Act imposes an obligation on both parties to police the compliance of the other party. For example, if a third-party service provider becomes aware of a pattern of activity or practice of the physician that constitutes a material breach of the physician’s obligations under the Business Associate Agreement, the service provider must take reasonable steps to cure the breach. What is a reasonable step will vary with the circumstances and nature of the parties’ relationship. If those steps prove to be unsuccessful in curing the breach, the service provider must either terminate the contract with the physician, if feasible, or report the problem to the Department of Health and Human Services (HHS).
January 2010
While HIPAA already requires physicians and business associates to enter into a written contract, existing agreements should be reviewed to determine whether they are sufficient under the HITECH Act and should be modified accordingly.
The HITECH Act requires covered entities and business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI to provide notification upon discovering a breach of unsecured PHI. “Breach” is generally defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI. “Unsecured PHI” is PHI that is not secured through the use of a technology or methodology that renders PHI “unusable, unreadable, or indecipherable to unauthorized individuals.”
A physician who discovers a breach of unsecured PHI should inform the patient; a service provider that discovers a breach of unsecured PHI should notify the physician. In general, the notice must be provided “without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.”
Disclosures upon Patient Request
The HITECH Act also requires physicians to comply with patient requests to restrict the disclosure of any PHI that pertains to a health care item or service paid out of pocket in full, under certain circumstances.
Accounting of Electronic PHI
In general, HIPAA provides the patient with the right to receive an accounting of any disclosures of his or her PHI. As such, HIPAA requires business associates to make information available to the physician to enable the physician to provide this accounting of disclosures to the patient. Under the HITECH Act, the physician must provide an accounting of the disclosures of PHI made by the physician and either an accounting of the disclosures made by service providers acting on behalf of the physician or a list of all service providers acting on the physician’s behalf, along with their contact information.
Prohibition on the Sale of PHI
The HITECH Act generally prohibits physicians and service providers from receiving remuneration in exchange for a patient’s PHI, unless the physician obtains a valid authorization from the patient. This prohibition is subject to exceptions, however, when the purpose of the exchange is for research, treatment of an individual, payment from a physician to a third-party service provider for activities involving the exchange of PHI, or other reasons determined by HHS.
Penalties and Enforcement
The HITECH Act expands enforcement activities and penalties for violations of the law. In the event of noncompliance, the violating party may be subject to civil monetary penalties ranging from $100 to $1.5 million per violation, depending on the amount of neglect and intent involved.