Health care providers and health plans create, receive, use and disclose health information to treat patients, conduct their business operations and make and receive payment for services.
While these activities were once conducted exclusively on paper, electronic transactions are now the norm and have a tremendous impact on the effectiveness and efficiency of health care. At the same time, health care providers and health plans must address concerns about the privacy, confidentiality, integrity and availability of individually identifiable health information.
The federal Standards for Privacy of Individually Identifiable Health Information (the HIPAA Privacy Rule) established rules for the use and disclosure of individually identifiable health information by "covered entities" (health care providers, health plans and health care clearinghouses), as well as standards for individual rights regarding this information, such as the right to access and amend it. The Security Rule requires that covered entities implement administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of electronic protected health information. The Security Rule also requires that covered entities conduct a risk analysis to evaluate the risks to that information and the adequacy of their security practices.
While many fundamental elements of the HIPAA Privacy and Security Rules have remained unchanged since their inception, changes brought about through the HITECH Act require HIPAA covered entities to revisit their policies and practices. Covered entities must now investigate and evaluate security incidents involving protected health information and, where a breach has occurred, notify the affected individuals and the Department of Health and Human Services. "Business associates" of covered entities, which now include their subcontractors, are directly liable for many aspects of Privacy Rule and Security Rule compliance. Other examples of the changes to and expansion of HIPAA resulting from HITECH include adding genetic information to the definition of protected health information, heightening restrictions on the sale of health information and on the use or disclosure of health information for marketing or fundraising purposes, and lowering the threshold for determining when a reportable breach has occurred.