HIPAA, the HITECH Act, and Protected Health Information
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act directly impact health care providers, health plans, and health care clearinghouses (covered entities) as they provide the legal framework for enforceable privacy, security, and breach notification rules related to protected health information (PHI).
HIPAA and the HITECH Act also directly impact business associates and subcontractors, such as eDiscovery providers, that handle PHI in support of covered entities. The impact extends compliance requirements and liability for non-compliance beyond the covered entities directly to the business associates and subcontractors they may contract with for support. Because of this fact, it is important that all covered entities, business associates, and subcontractors dealing with PHI ensure that the eDiscovery providers supporting them adhere to all HIPAA and HITECH Act compliance requirements. One way to do this is to work only with eDiscovery providers who have successfully passed an independent third-party audit for HIPAA and HITECH Act compliance.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. The purpose of HIPAA was to improve the portability of health insurance coverage, reduce healthcare fraud and abuse, and protect the privacy of personal health records. After HIPAA's introduction, several regulations were promulgated to ensure the privacy and security of health information and the timely notification of breaches. The regulations included:
• The Privacy Rule: Created national standards to protect the privacy of protected health information (PHI)
• The Security Rule: Governed the security of electronic PHI (ePHI)
• The Breach Notification Rule: Established the requirement for timely notification of privacy and security failures for unsecured PHI
What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted by Congress as part of the American Recovery and Reinvestment Act of 2009. The purpose of the HITECH Act was to promote the adoption and meaningful use of health information technology.
What is the HIPAA Omnibus Rule?
In 2013, the Department of Health and Human Services (HHS) released the HIPAA Omnibus Rule. This rule was designed to give patients additional rights to their health information and to increase penalties for entities that failed to protect PHI. It was driven by enhanced enforcement of the HITECH Act. The Omnibus Rule modified HIPAA privacy, security, and enforcement regulations in key areas, including:
• Business Associate and Subcontractor Compliance Accountability
• PHI Use and Disclosure Limitations
• Breach Notification Requirements for Unauthorized Disclosures of Unsecured PHI
HIPAA and HITECH Act rules apply to covered entities and business associates.
What is a Covered Entity?
A covered entity under HIPAA is defined as one of the following:
• Health Care Providers that engage in HIPAA electronic standard transactions
• Health Plans (e.g., Health Insurance Companies, HMOs, Company Health Plans)
• Health Care Clearinghouses
What is a Business Associate?
A business associate under HIPAA is generally defined as an organization that operates on behalf of a covered entity or operates on behalf of another business associate and is required to obtain access to ePHI as part of their support. eDiscovery providers who must obtain access to ePHI as part of their eDiscovery support are treated as business associates under HIPAA.
Additionally, when a covered entity engages the services of a cloud service provider (CSP) to create, receive, maintain, or transmit ePHI (such as to process or store ePHI) on its behalf, the CSP is a business associate under HIPAA.
What is Protected Health Information?
Generally speaking, the HIPAA definition of protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. ePHI is a subset of PHI that deals with electronic media.
Why are these definitions and relationships important in eDiscovery provider selection?
If a company, law firm, or organization is involved in an audit, investigation, or litigation that requires the handling of ePHI originating from a covered entity, they need to ensure that any service provider supporting their eDiscovery effort correctly handles, manages, and secures all ePHI and is in compliance with HIPAA and HITECH Act requirements. If those eDiscovery service providers are not in compliance with HIPAA and HITECH Act requirements, then the supported company, law firm, or organization may be directly liable for compliance failures at the federal and state level.