Foster Swift Employment, Labor & Benefits E-News
Employment, Labor & Benefits Practice Group

HITECH: February 17, 2010 Deadline Approaching

On February 17, 2010, most of the Health Information Technology for Economic and Clinical Health Act ("HITECH") becomes binding on the health care industry.  The HITECH Act was passed as part of the American Recovery and Reinvestment Act to promote utilization of electronic health records ("EHR").  Along with providing monetary incentives for the utilization of EHR, the HITECH Act imposes an extensive regulatory scheme to protect EHR.

Security and Privacy Requirements for Business Associates

Specifically, HITECH applies portions of the Health Insurance Portability and Accountability Act ("HIPAA") to entities ("Business Associates") that receive protected health information ("PHI") when providing services to Covered Entities.  Previously, only health care providers, health care clearinghouses, and health plans ("Covered Entities") were subject to HIPAA's regulations and civil and criminal penalties.  But as of February 17, 2010, Business Associates will be required to comply with the HIPAA security regulations as well as additional HITECH Act privacy and security requirements.  The security requirements fall into three specific categories: administrative, physical, and technical safeguards.

Administrative safeguards include:

  • implementing security management processes (including risk analysis and management, applying sanctions for violations, and information system activity reviews)
  • assigning security responsibility
  • implementing workforce security (including authorization processes, workforce clearance procedure, and terminating access procedures)
  • establishing information access management
  • implementing security awareness training programs for the entire workforce
  • implementing security procedures, monitoring, and updates
  • establishing a contingency plan
  • doing periodic evaluations of the policies and procedures
  • establishing business associate contracts with covered entities

Physical safeguards include establishing:

  • policies and procedures to limit physical access to information systems (including contingency and facility security plans, access control and validation of access to the facility and equipment, and maintenance records)
  • workstation use and security
  • device and media controls

Technical safeguards include implementing:

  • access controls (such as unique user identification and emergency access procedures)
  • audit controls
  • integrity controls
  • person/entity authentication
  • transmission security

Additionally, the HITECH Act requires a Business Associate to notify the Covered Entity following the discovery of an unauthorized acquisition, access, use or disclosure of PHI.  The HITECH Act also requires a Business Associate to take action if a Covered Entity consistently fails to comply with the Business Associate Agreement.  Specifically, the Business Associate must take reasonable steps to end the violation.  Otherwise, the Business Associate must terminate the contract or report the problem.

Impact on Covered Entities

Covered Entities as well as Business Associates should amend (or, if applicable, adopt) their Business Associate Agreements to ensure compliance with the HITECH Act.  Covered Entities should also ensure that all of their Business Associate relationships are indeed covered by Business Associate Agreements, as the civil penalties for "reasonable cause" and "willful neglect" have increased to potential fines of $100,000 and $1.5 million respectively.
