Note: The health reform law makes no major revisions to legislation enacted in 2009 to strengthen the standards for health information privacy and security. However, because protection of individuals’ interests in the privacy and security of their health information is foundational to the implementation of many aspects of health reform, this entry summarizes the key provisions of the 2009 law and describes the process of implementation as well as activities to date.

Background

The development of health information technology (HIT) and electronic health records (EHRs) has been accompanied by much debate regarding the appropriate means of protecting the privacy of personal health information. National opinion surveys show that most consumers prefer their physicians to have access to all of their health information, recognizing the value of a complete medical record in providing care. At the same time, research has found that patients have serious concerns about the privacy of their health information, especially when the information is in electronic format.^[1]

The Health Information Technology for Economic and Clinical Health (HITECH) Act provisions included in the American Recovery and Reinvestment Act (ARRA)^[2] build on and strengthen federal health information privacy laws, in particular the HIPAA Privacy Rule, promulgated pursuant to the Health Insurance Portability and Accountability Act (HIPAA).^[3] The statute broadens HIPAA’s reach, strengthens its privacy and security standards, and adds new provisions related to enforcement as well as to entities not covered by HIPAA.

HITECH established the Office of the National Coordinator for HIT (ONC) to oversee HIT implementation efforts and created the Health Information Technology Policy and Standards Committees, Federal Advisory Committees charged with making recommendations to ONC on HIT policy issues and standards.^[4] HITECH requires that, in general, the committees’ recommendations should relate to the implementation of a nationwide HIT infrastructure.

Some of HITECH’s most significant provisions related to privacy and security are:

• Strengthening an individual’s control over and access to personal health information (PHI)^[5] by specifying that when a covered entity^[6] uses an EHR containing PHI, the individual has a right to a copy of the record in electronic format, as well as the right to have a copy sent to another person.^[7] Additionally, the statute makes it mandatory for a covered entity to comply with an individual’s request not to disclose information to a health plan for payment or operations purposes if a procedure was paid for out of pocket in full^[8];
• Adding new enforcement provisions, including tiered penalties based on the nature and extent of a violation and harm caused, and empowering state attorneys general to bring civil suits to enforce HIPAA in federal court on behalf of states’ citizens^[9];
• Extending the reach of government enforcement beyond covered entities by making business associates (BAs)^[10] directly responsible for compliance with most of the HIPAA Security Rule and all of the new privacy provisions in HITECH, in addition to security and privacy provisions included in their BA agreement.^[11] The statute also clarifies which entities will be considered BAs, including requiring health information exchanges and other organizations that transmit PHI and require routine access to PHI to enter into BA agreements^[12] ;
• Creating notification requirements in the event of breaches of unsecured PHI^[13] ;
• Placing further restrictions on the marketing and sale of PHI, clarifying that patient consent is required for marketing communications unless they describe a drug or biologic currently prescribed for the patient and generally prohibiting a covered entity or BA from selling PHI without specific authorization, with exceptions for public health activities, research and population registries^[14] ; and
• Requiring development of guidance regarding the minimum necessary standard^[15].

HITECH also requires the following studies and reports related to privacy protections^[16]:

• Application of privacy and security requirements to non-HIPAA covered entities (in consultation with the FTC);
• Guidance on implementing the requirements for de-identification of PHI; and
• Expansion of the definition of “psychotherapy notes” to include test data that are part of a mental health evaluation.

The implementation of HITECH’s provisions has progressed on an accelerated basis, although some regulations, guidelines, reports and studies remain to be released. See “Recent Agency Action” below for a summary of the regulations released to date.

In addition, a number of HITECH provisions became effective on February 17, 2010 that did not require rulemaking:

• Applying HIPAA requirements and penalties directly to business associates^[17] ;
• Defining business associate to include health information exchanges or organizations transmitting PHI to covered entities or business associates and requiring routine access to PHI^[18] ; and
• Defining safe-harbor status for limited data sets as meeting the minimum necessary standard.^[19]

Changes Made by the Health Reform Law

The health reform law makes no further changes to HITECH.

Implementation

Agency and Timeline

Within HHS, ONC oversees HIT policy. Additionally, HITECH requires various reports, guidance or other action by agencies including the Federal Trade Commission and the Government Accountability Office.^[20] HITECH included a detailed timeline for implementation of its privacy provisions, with many of the key deliverables due either one year or 18 months after enactment. As described herein, however, a number of its requirements remain outstanding.

Process

HITECH authorizes implementation by the Secretary of HHS, who has used both rulemaking and policy guidance to implement the provisions of ARRA.

Key Implementation Issues

Key implementation issues include the following:

• How will HITECH’s breach notification requirements be implemented with respect to business associates, which were not previously required to provide notification? Specific issues to be addressed include how to evaluate unintentional disclosures and when the breach poses a “significant risk of harm.”
• How will the privacy and security standards developed for the definition of meaningful use under the EHR incentive programs influence the application of privacy and security regulations under HIPAA?
• How will personal health records (PHRs) be regulated? Regulations will address PHRs provided by covered entities, but additional clarification will be needed regarding the role of PHRs held by patients and other parties who do not contract with covered entities.^[21]
• What does “minimum necessary” mean for different types of disclosures and how should entities subject to the “minimum necessary” rule determine what is necessary in a particular case? The NPRM requested public comment on this issue.^[22]

Recent Agency Action

• In August 2009, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued an Interim Final Rule (IFR) implementing breach notification requirements applicable to covered entities^[23], while the Federal Trade Commission (FTC) issued similar requirements applicable to personal health record (PHR) vendors not covered by HIPAA.^[24] The regulations became effective on September 23, 2009; enforcement of the law began on February 22, 2010. A revised final rule was submitted to the Office of Management and Budget (OMB) for administrative review on May 14, 2010, but HHS withdrew the revision to allow for further consideration; thus the IFR remains in effect.^[25] As of August 31, 2010, OCR had 174 open complaints and compliance reviews pursuant to the requirements.^[26]
• In February 2010, GAO released a study required by HITECH on best practices related to the disclosure of PHI to providers for purpose of treatment.^[27]
• In March 2010, HHS held a workshop on de-identification of PHI in furtherance of the HITECH requirement to issue guidance on its proper use pursuant to HIPAA. The workshop solicited feedback from stakeholders, including experts with technical and policy experience. A summary of the workshop and guidance on de-identification of PHI will be released in the future.
• On May 14, 2010, HHS submitted a revised final rule implementing HITECH’s breach notification requirement to the Office of Management and Budget (OMB) for review but then withdrawn the revised rule to allow for further consideration.^[28] Until the rule is finalized, the Interim Final Rule that became effective on September 23, 2009, remains in effect.
• In July 2010, the Centers for Medicaid and Medicare Services (CMS) issued a final rule providing a definition of meaningful use of EHR technology.^[29] The rule will phase in more robust criteria in three stages, with the first stage beginning in 2011 and focusing on capturing health information in a coded format, tracking health information and key clinical conditions, and communicating that information for care purposes and quality reporting.^[30]
• At the same time, OCR issued an NPRM regarding changes to the HIPAA Privacy Rule that generally follows the language of the HITECH legislation.^[31] In a number of areas, the NPRM specifically requests public comment, including comments regarding the application of the minimum necessary standard to the disclosure of personal health information.^[32] The public comment period on the NPRM ended September 13, 2010.
• Also in July 2010, HHS announced the launch of a privacy website to educate consumers regarding HHS privacy efforts.^[33] HHS also posted the first annual guidance on the most effective and appropriate technical safeguards for health information in July, as required by HITECH.^[34]
• The HIT Policy Committee formed a Privacy and Security Tiger Team (Tiger Team) workgroup to focus on a series of issues related to the exchange of personally identifiable health information as required in order to qualify for incentive payments under Stage 1 of meaningful use.^[35] Some of the issues addressed included the ability of patients to consent to participation in identifiable health information exchange at a general level (i.e., yes or no), and how consent should be implemented; and the ability of technology to support more granular patient consents (i.e., authorizing exchange of specific pieces of information while excluding other records). As part of the foundation for recommendations on these issues, the Tiger Team sponsored a Consumer Choice Technology Hearing on June 29, 2010, that focused on the use of technology to implement individual choice, examining both its capabilities and limitations in that respect.^[36] The Tiger Team submitted recommendations regarding more granular consent and other issues to the HIT Policy Committee, which approved the recommendations and forwarded them to ONC on September 1, 2010.^[37]
• As required by HITECH, HHS has posted a list of breaches of unsecured PHI affecting 500 or more individuals.^[38] This list is posted online in a searchable format that allows users to sort through the breaches and view summaries of the cases that OCR has investigated and closed, as well as the names of providers who have reported breaches.

Authorized Funding Levels

HITECH provided ONC with $2 billion to carry out its work, including the work of the HIT Policy Committee.^[39]Subtitle D, which contains the amendments to HIPAA and other privacy provisions, is not specifically funded. HIPAA will continue to be enforced by the Office for Civil Rights within HHS, but no additional funding is authorized by HITECH.