Professional News
Published Online: 1 January 2010

FAQs About HIPAA and HITECH: What Physicians Need to Know

Abstract

This is the first of a two-part article on the new HITECH law. Interpretation of this law is still evolving, and there are many unanswered questions.
The HITECH (Health Information Technology for Economic and Clinical Health) Act is Title 13 of the American Recovery and Reinvestment Act of 2009 (ARRA). While the various subtitles of HITECH cover many topics relevant to physicians (for example, financial incentives for health information technology), this article will address only Subtitle D of HITECH amending the privacy and security rules under HIPAA (Health Insurance Portability and Accountability Act of 1996).
HIPAA's privacy and security rules established floors of confidentiality and security protections for patients' demographic and health information in all forms—paper, oral, and electronic. The development of health information technology (for example, electronic health records, personal health records, health information exchanges) has resulted in additional risks; HITECH builds on the privacy and security rules to address these new risks.
• Who must comply with the HITECH amendments to HIPAA?
Covered entities and business associates under HIPAA must comply with HIPAA, as amended by HITECH.
• Isn't every physician a covered entity under HIPAA?
No. Only providers who electronically submit specific transactions are covered by (required to comply with) HIPAA. The most common transaction that makes a provider a covered entity is the electronic submission of claims to health plans. The Department of Health and Human Services (HHS) has posted useful resources for determining the applicability of the federal HIPAA regulations at <www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html>.
• What is a business associate?
Under the privacy rule, a business associate is a person who provides a function on behalf of a covered entity (other than as part of the covered entity's workforce) that involves the use of protected health information (PHI). Examples of this type of business associate include billing services, transcription services, and answering services. A business associate is also a person who provides specified services involving the use of PHI to a covered entity. The specified services are legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services. The HHS Web site at <www.hhs.gov/ocr/privacy> has much more information on entities that are, and are not, business associates.
Business associates may use and disclose PHI, but only in compliance with the business associate agreement, which evidences the business associate's promise to maintain the confidentiality and security of PHI. Under existing law, business associates have only contractual liability, to the covered entity, through the business associate agreement. As of February 2010, business associates must comply with the security rule directly and will be subject to government enforcement.
• What does HITECH say about HIPAA?
There are many changes to HIPAA under HITECH, but not all of the provisions have the same effective date. The Summary Timeline for HITECH Requirements for Providers Covered Under HIPAA shows the major HITECH provisions, their effective dates, and their implications for HIPAA-covered entities.
The most significant provisions of HITECH include the following:
• Increasing enforcement of existing HIPAA regulations (privacy and security rules).
• Increasing penalties for violations of existing HIPAA regulations.
• Adding a new federal breach notification law.
• Subjecting business associates to government enforcement.
Part 2 of this article will include FAQs on enforcement and compliance with HIPAA, as well as breach notification. Please note that nothing in this article should be construed as legal advice.

Information & Authors

Published in print: January 1, 2010

Donna Vanderpool, M.B.A., J.D., is assistant vice president, risk management, at Professional Risk Management Services Inc. (PRMS Inc.).
