HITECH What You Need to Know About Electronic Protected Health Information


Recently enacted legislation has resulted in extensive expansions to the privacy, security, breach notification and enforcement rules of the Health Information Technology for Economic and Clinical Health (HITECH) Act under the Health Insurance Portability and Accountability Act (HIPAA). The new rules were adopted on March 26, 2013, and compliance with most of them is required by September 23rd, 2013.

The law makes significant changes in favor of patients and their right to privacy concerning their own personal health information (PHI). The act also gives patients greater control over the distribution, use and disclosure of their PHI. As a result of this shift, the law places harsher penalties and stricter compliance obligations on health care providers and their “business associates.” With its stringent compliance demands, the law gives the government real power to enforce the rule. That enforcement can cost $25,000 for first-time offenses and $1.5M for repeated violations of the same offense, which can add up to multiple seven-figure penalties if compliance is not met. Furthermore, a covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

So what do you need to know? First, the Act has expanded the definition of a “business associate” to include any party that “creates, maintains or transmits” personal health information (PHI). This broad new definition covers many subcontractors that were not previously subject to the Act. These newly covered “business associates” are held to the same compliance regulations, with regard to electronic PHI, as the company that delegates the work to them. What is more daunting is that this compliance obligation flows from the top down: a subcontractor’s subcontractor is held to many of the same compliance requirements as the original business associate.

The changes to the Privacy Rule place greater control over PHI in the hands of patients. The modification requires that, unless the patient permits otherwise, PHI be used and disclosed only for the purposes stated under HIPAA. This modification is consistent with the requirements of the Genetic Nondiscrimination Act (“GINA”), which prohibits the use or disclosure of genetic information for underwriting purposes. Furthermore, patients must be notified of these new privacy rights as soon as possible.

The last modification concerns the Security Rule. It lowers the threshold of harm required to impose liability on the business associate or subcontractor that allowed a breach. The new rule also sets forth specific safeguards that business associates and subcontractors must implement in order to be compliant.

To avoid future issues arising from these changes, businesses providing services that handle electronic protected health information must ensure they are fully compliant with HIPAA/HITECH and other healthcare privacy legislation. PK Law attorneys are well versed in healthcare legislation and regulations and can assist you with drafting, amending and negotiating contracts such as:

  • Website Development Agreements
  • Software As a Service (SaaS) Agreements
  • Website User Agreements
  • Licensing Agreements
  • Joint Venture and Teaming Agreements
  • Vendor Contracts

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pessin Katz Law, P.A. | Attorney Advertising
