Many were excited by the passing of Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act). It was billed as providing up to $22 billion dollars for taxpayer money to, “advance the use of health information technology.” What was not so well trumpeted during all of the excitement, were the massive increases in enforcement, penalties, the changing of the HIPAA enforcement responsibility from CMS to the Office of Civil Right and the extension of the HIPAA Rules to business associates of covered entities. This law was said to be so the U.S. will be able to be on a platform of electronic or eHealth records by 2014 as announced by President Obama.
Since 2003, the HIPAA Privacy and Security Rules, 45 CFR Part 160 and Subparts A and E of Part 164, have applied to healthcare providers or “covered entities”. Well, to the surprise of many, as of the passing of the Health Information Technology & Economic Clinical Health Act or (HITECH), much has changed. With the making of new rules by HHS, HIPAA now applies to all covered entities (regardless of size), their business associates, and now potentially, those business associates’ sub-contractors.
Individuals, organizations, and agencies that are covered entities under HIPAA must comply with the Rules’ requirements to protect the privacy, security and integrity of protected health information. It provides for individuals rights with respect to their health information. If an individual does not meet the definition of a covered entity, then the entity does not have to comply with the Privacy Rule or the Security Rule. However, be VERY CAREFUL, in your assessment of whether you are a covered entity. Keep in mind that there are many state and federal laws that have strict privacy and security requirements for ANY personally identifiable information, including, but not limited to, personal health information. Above all, when in doubt. Call Alvaka and we can help.