HIPAA/HITECH

Updated by Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

Regulated by the Department of Health and Human Services (HHS)

Does not preempt stricter state privacy laws (Ex: California Medical Information Privacy Act)

No private right of action

Differences FERPA vs HIPAA

• • FERPA applies to student health records.

  • HIPAA applies to non-student health records.

Applicability:

• • “covered entities”

  • healthcare providers

  • insurers

  • business associates

Healthcare providers:

• • doctors’ offices

  • hospitals

  • Health plans (health insurers)

  • Healthcare clearinghouses

  • Business associates (Ex: PHI stored on the cloud)

The Security Rule:

• • Minimum security requirements for PHI that a covered entity receives, creates, maintains or transmits in electronic form.

  • Ensure confidentiality, integrity, and availability of all ePHI

  • Protect against any reasonably anticipated threats to ePHI

  • Protect against any reasonably anticipated disclosures of ePHI

  • Ensure compliance with the Security Rule by its workforce

  • Each covered entity must have individual responsible for oversight and implementation

  • Covered entity must conduct initial and ongoing risk assessments

  • Covered entity must implement security awareness and training program for workforce

Qualified Protective Order (QPO) prohibits litigating parties from using or disclosing the protected health info for any purpose other than the litigation or proceeding for which such info was requested. It also requires the return to the covered entity or destruction of PHI (including copies) at the end of litigation.

Disclosure under HIPAA pursuant to a court order or subpoena is permitted if three criteria are met:

• • The info sought is relevant and material to legit law enforcement inquiry

  • The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the info is sought o De-identified info could not be reasonably used

Permits disclosure of PHI to authorized federal officials for the conduct of lawful intelligence, counter intelligence, and other national security under the National Security Act.

Strengthened HIPAA to address privacy impacts of the expanded use of electronic health records

Breach: must notify individuals within 60 days of discovery

• • If more than 500 people, must notify HHS immediately

  • If 500 or more in the same jurisdiction, must notify media

  • Covered entity can avoid liability if they utilize encryption software

Penalties: up to $1.5 mil for most willful violations

Disclosure: Must be minimum amount necessary

Covered entities may not sell Electronic Health Records (EHR) without the consent of the patient

Genetic Information Nondiscrimination Act of 2008 (GINA)

Created new national limits on the use of genetic information in health insurance and employment

Prohibits employers from requiring, requesting, or purchasing such genetic information about employees or family members except:

• • Such a request if inadvertent o Request is part of an employer-wellness program and voluntary o Request is made to comply with the Family and Medical Leave Act (FMLA) o Employer purchases commercially and publicly available info o The information is used for legally required genetic monitoring for toxin exposure in the