HITECH Compliant

HITECH and its Effect on Privacy and Security for Covered Entities and Business Associates 

The HITECH Act (Title XIII of the ARRA, the American Recovery and Reinvestment Act of 2009) spells out new privacy and security requirements for both Covered Entities (CEs) and Business Associates (BAs) that store or exchange PHI.  Its privacy and security provisions became effective on November 30, 2009, and February 17, 2010 is the deadline for revising BA Agreements to reflect the new requirements under HITECH and for CEs and BAs to become fully HITECH compliant.  The most significant change for BAs is that the HIPAA Security Rule safeguards, and the civil and criminal penalties for violating them, now apply to BAs directly rather than only through their contracts with CEs.

Additionally, HITECH imposed new breach notification requirements, which became effective in September 2009.  Each CE and BA is required to have a formal Breach Notification Plan.  Affected individuals (patients) must be notified without unreasonable delay and in no case later than 60 days after the breach is discovered; a breach counts as discovered on the first day it is known, or reasonably should have been known, to any workforce member or agent of the entity.  A BA must notify the CE when the breach occurs at the BA, and because the 60-day clock runs from the BA's own discovery, the BA Agreement should set a much shorter internal reporting window.  If 500 or more individuals are affected (whether at the CE or the BA), HHS must be notified at the same time as the individuals, and if more than 500 residents of a single state or jurisdiction are involved, prominent media outlets serving that area must also be notified; breaches affecting fewer than 500 individuals are logged and reported to HHS annually.  Separately, if current contact information is lacking for 10 or more affected individuals, substitute notice is required: a conspicuous posting on the entity's website home page for 90 days, or notice in major print or broadcast media, in either case with a toll-free number active for at least 90 days.  This substitute-notice rule is what makes BAs (and their CEs) holding older medical records with stale addresses particularly exposed.  

Finally, the notification duty applies only to "unsecured" PHI, meaning PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons by a method HHS has specified in guidance.  For electronic data that method is encryption: "data at rest" encrypted consistent with NIST Special Publication 800-111 (storage encryption for end user devices), and "data in transit" encrypted consistent with NIST SP 800-52 (TLS), SP 800-77 (IPsec VPNs) or SP 800-113 (SSL VPNs), or otherwise using a FIPS 140-2 validated module.  Encryption is therefore not strictly mandated, but it is the only practical safe harbor from breach notification, and the guidance also expects the decryption keys to be stored on a device or at a location separate from the data they protect, so that losing the data does not also lose the key.  Meeting these standards will require many BAs and CEs to significantly change the way electronic data is stored and transferred.

To ensure compliance, HITECH established a new tiered penalty structure for violations of the HIPAA rules, keyed to the violator's state of mind.  The per-year caps apply to identical violations of the same provision in a calendar year, and HHS's enforcement regulations treat the per-violation figures as minimums, with up to $1.5 million per year available in every tier.  The tiers are:

  1. $100 per violation, up to $25,000 per calendar year, if the violator did not know, and by exercising reasonable diligence would not have known, of the violation
  2. $1,000 per violation, up to $100,000 per calendar year, if the violation was due to reasonable cause and not willful neglect
  3. $10,000 per violation, up to $250,000 per calendar year, if due to willful neglect but corrected within 30 days of the date the violator knew, or should have known, of it
  4. $50,000 per violation, up to $1.5 million per calendar year, if due to willful neglect and not corrected within 30 days

States may also join in the recovery process, as HITECH permits each state's attorney general to bring a civil action in federal court on behalf of residents harmed by a HIPAA violation, seeking injunctive relief and statutory damages of up to $100 per violation (capped at $25,000 per calendar year for identical violations) plus attorney's fees.   

Measures BAs and CEs Should Take for HITECH Compliance

  1. Encrypt data in transit with TLS, not SSL (SSL is deprecated): TLS 1.2 or later with AES 256 bit cipher suites, configured per NIST SP 800-52
  2. Encrypt data at rest with AES 256 bit encryption in an authenticated mode such as AES-GCM, using a FIPS 140 validated module, with keys stored separately from the data, per NIST SP 800-111
  3. Back up all PHI, preferably to a geographically separate (co-located) site, and encrypt the backups as well
  4. Apply full-disk encryption to all laptop computers containing PHI
  5. Disable USB mass-storage and other writable removable drives on network PCs
  6. Where removable media are unavoidable, use hardware-encrypted "jump drives"
  7. Review the uptime history and service level agreement of the internet provider
  8. Enforce a 5 minute inactivity screen lock on all PCs, with strong network passwords required to unlock
  9. Install anti-virus software with automatic definition updates on all PCs
  10. Limit or block internet access on any network or production PCs
  11. Employ firewalls at two layers: 1) perimeter protection from outside 2) internal segmentation so that a compromised workstation cannot reach the PHI servers directly
  12. Employ intrusion detection and prevention for hosted data
  13. Implement NIST and FIPS security standards according to HITECH requirements
  14. Define and test a recovery time objective for critical network failure
  15. Define and test a recovery time objective for full data restoration after a network failure
  16. Ensure hosted PHI is housed within a fire-rated, fully secure, unobtrusive, climate controlled location
  17. Utilize dedicated electrical circuits for network and data server power
  18. Employ generator backup for network power, tested weekly, in the event of a power failure affecting the network or any health data
  19. Utilize plenum (fire-rated) network cable throughout the network
  20. Utilize clean-agent (gaseous, non-water) fire suppression for data servers; halon is no longer available for new installations, so specify a current agent
  21. Create, deploy and periodically exercise a comprehensive Data Disaster Recovery Plan
  22. Encrypt all CDs and DVDs mailed to customers with AES 256 bit encryption, and send the key or passphrase by a separate channel, so that loss in transit is not a reportable breach
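
Items 2 and 22 name AES 256 but not a mode, and the mode decides whether the data is actually protected: AES-256 in ECB mode leaks patterns, unauthenticated CBC can be altered without detection, while an authenticated mode such as AES-256-GCM both hides the content and rejects any modification.  The Go program below is an added example written for this page, not code from the original article or from any vendor it describes.  It encrypts a constructed sample record, stores the random nonce in front of the ciphertext, binds a record identifier as associated data so a blob cannot be swapped into another record, and shows that a tampered blob fails to decrypt.  The NewKey helper is an assumed stand-in for a key held outside the program (in production, in a FIPS 140 validated HSM or key management service).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // 32 bytes = AES-256

// NewKey draws a fresh 256-bit key from the OS CSPRNG.
// Assumed stand-in for a key held in a FIPS 140 validated HSM/KMS; keys must
// never be stored alongside the data they protect (HHS safe-harbor guidance).
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM rejects anything but a 32-byte key so a 16-byte key cannot silently
// downgrade the scheme to AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (e.g. a record or file identifier) is authenticated but not encrypted, so a
// blob copied into a different record fails to decrypt. A 96-bit random nonce is
// drawn per call; NIST SP 800-38D limits random nonces to 2^32 messages per key,
// so keys must be rotated well before that.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving the layout above.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. Any change to nonce, ciphertext, tag or aad makes
// Open return an error and no plaintext, which unauthenticated modes lack.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// Tampered returns a copy of blob with one bit of the tag flipped, to show
// GCM's integrity check in action.
func Tampered(blob []byte) []byte {
	out := append([]byte(nil), blob...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000123; DOB 1970-01-01; Dx: hypertension")
	aad := []byte("record-id:000123")

	blob, err := Encrypt(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes (12 nonce + %d ciphertext + 16 tag)\n", len(blob), len(record))

	if pt, err := Decrypt(key, blob, aad); err == nil {
		fmt.Printf("decrypted: %s\n", pt)
	}
	if _, err := Decrypt(key, Tampered(blob), aad); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
	if _, err := Decrypt(key, blob, []byte("record-id:000124")); err != nil {
		fmt.Println("blob bound to the wrong record rejected:", err)
	}
}
```

Two caveats for the measures above.  Go's standard library crypto is not by itself a FIPS 140 validated module, so to meet the FIPS criterion the page cites, build against a validated module (Go's BoringCrypto or FIPS 140 modes) or use a validated library; the algorithm and layout stay the same.  And for whole files or DVD images, encrypt in chunks with a fresh nonce per chunk rather than one Seal call over gigabytes, since GCM limits a single message to under 64 GiB and a single corrupted byte would otherwise reject the entire archive.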

Measures BAs and CEs Should Take for HIPAA/HITECH Privacy Compliance

  1. Store all PHI in a limited access, security monitored and fire controlled facility
  2. Require non-employee sign-in/sign-out and escorts for all production areas
  3. Implement access control between non-production and production areas of the building interior
  4. Deploy 24-hour security cameras at key entry points on the building exterior and interior
  5. Conduct HIPAA/HITECH training for all employees yearly and at hire
  6. Conduct employee background checks at hire
  7. Conduct employee drug testing yearly (an organizational policy; not itself a HIPAA/HITECH requirement)
  8. Employ a credentialed Compliance Officer who serves as the security official the HIPAA Security Rule requires (HITECH applies this requirement directly to BAs)
  9. Employ a HIPAA Privacy Officer (required by the HIPAA Privacy Rule; HITECH extends the privacy obligations to BAs)
  10. Prohibit the use of employee cell phones in any areas where PHI is available
  11. Maintain a HIPAA privacy policy and procedure manual (required by HIPAA; HITECH extends the requirement to BAs)
  12. Create and deploy a Breach Notification Plan (Requirement per HITECH)