|Health Information Technology for Economic and Clinical Health Act|
|CITATION||42 U.S.C. §§ 17931 - 39|
The HITECH Act is part of the American Recovery and Reinvestment Act of 2009. The HITECH Act is intended to promote the use of information technology. The law focuses on the establishment of a national health infrastructure and on providing incentives for the adoption of electronic health records. The Act also provides for enhanced privacy protections. The HITECH Act now applies to both the HIPAA Privacy Rule and Security Rule.
Section D of HITECH addresses the privacy and security concerns associated with the electronic transmission of health information. Section D also implements new rules for the disclosure of patient health information if a breach takes place.
Overall, the HITECH Act significantly modifies the Health Insurance Portability and Accountability Act of 1996. HITECH expands HIPAA’s definition of “business associates” and provides that the HIPAA security standards that apply to health plans and health care providers will also apply directly to business associates. The HITECH Act also makes the HIPAA privacy provisions applicable to business associates.
|DATA COVERED||Healthcare records including those related to clinical conditions, clinical decisions support for disease and medication management, specific clinical and public health data; clinical quality measures and records related to the overall quality of healthcare.|
There are 4 categories of violations that reflect increasing levels of culpability. There are also several levels of penalties. A maximum penalty of $1.5 million for all violations. The penalties are provided for in the HIPAA Administrative Simplification: Enforcement, located at 45 CFR Part 160.
If the violation was due to reasonable cause and not to willful neglect, the penalty is at least one thousand dollars ($1,000) per violation not exceeding one hundred thousand dollars ($100,000) per calendar year, but not more than fifty thousand dollars ($50,000) per violation with the total not exceeding one million five hundred thousand dollars ($1,500,000). Finally, if the violation was due to willful neglect and the violation is corrected, a penalty that is at least ten thousand dollars ($10,000) per violation with the total not exceeding two hundred fifty thousand dollars ($250,000) per calendar year but not more than fifty thousand dollars ($50,000) per violation and the total may not exceed one million five hundred thousand dollars ($1,500,000). On the other hand, if the violation is not corrected, the penalty amount will be at least two hundred fifty thousand dollars ($250,000) per violation with the total not exceeding one million five hundred thousand dollars ($1,500,000).
As for the criminal penalty provisions, a person will be guilty if that person knowingly and in violation of wrongful disclosure of IIHI (1) uses or causes to be used a unique health identifier; (2) obtains IIHI relating to an individual; and (3) discloses IIHI to another person. 42 U.S.C. § 1320d-6. That person can be fined not more than fifty thousand dollars ($50,000), imprisoned not more than 1 year, or both. If the crime was committed under false pretenses, that person can be fined not more than one hundred thousand dollars ($100,000), imprisoned not more than 5 years, or both. The most severe criminal penalty is imposed when an offense is committed with intent to sell, transfer, or use IIHI for commercial advantage where that person can be fined not more than two hundred fifty thousand dollars ($250,000), imprisoned not more than 10 years, or both.