
On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act (ARRA) of 2009. While the legislation dealt primarily with economic stimulus, it also contains several modifications to the HIPAA privacy and security requirements and imposes increased penalties for non-compliance. These provisions are the part of ARRA known as the HITECH Act (the Health Information Technology for Economic and Clinical Health Act).

Over the next two years the HITECH Act requires the Department of Health and Human Services (HHS) to release four guidance documents and six regulations implementing the new privacy and security provisions.

The HITECH Act's modifications to HIPAA privacy and security also create or expand a number of individual rights. They include:

  • Notification to you in the event of a breach of your PHI;
  • Your right to an accounting of disclosures made from electronic health records;
  • Your right of access to your electronic records;
  • Your right to restrict disclosure of PHI to your health plan when you pay for a service out of pocket in full;
  • A further prohibition on the sale of PHI; and
  • Additional restrictions on marketing.

Many of these new individual rights will be described in an updated Notice of Privacy Practices that you will receive from your doctor's office and your hospital.

Notifications in the Event of a Breach

The HITECH Act treats any breach of protected health information (PHI) as a serious matter. This part of the Act is in effect a federal breach notification and identity theft law focused on your medical information. If your doctor, hospital or health plan uses or discloses your unsecured PHI improperly (that is, PHI that was not encrypted or destroyed in the manner HHS guidance specifies), you will receive a written notice by first-class mail, or by e-mail if you have agreed to electronic notice, without unreasonable delay and no later than 60 days after the breach is discovered.

Breach notification is the first of these provisions for which HHS has released a regulation. If you receive such a notification, it will include the following information:

  • A brief description of what happened, including the date of the breach and the date it was discovered, if known;
  • A description of the types of information involved, such as name, date of birth, Social Security number, and what types of medical information, if any;
  • The steps you should take to protect yourself from potential harm, such as placing a fraud alert with a credit agency, reviewing your credit card statements more carefully, and deleting any suspicious e-mails rather than responding to them;
  • A brief description of what your doctor's office, hospital, or health plan is doing to investigate the breach, reduce the harm to you, and prevent further breaches; and
  • Contact procedures for asking questions, which should include a name and/or a phone number (typically toll-free), e-mail address, web site, or postal address for your questions and concerns.

Notification in the event of a PHI breach is only the first of the new individual rights you have under the HITECH Act's HIPAA privacy and security modifications. Look for the remaining individual rights in future HIPAA Blues articles as HHS releases the related guidance documents and regulations.

Written by Susan A. Miller, JD, consultant to the BCBSA for BCBSA HIPAA related publications and materials.