The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.
This article is important for MFTs who are covered providers under HIPAA. All MFTs, including trainees and interns, should have a working knowledge of it so that they will have a context for understanding changes likely to occur in the health care milieu in the coming years.
by David G. Jensen, JD
former Staff Attorney
On February 17, 2009, President Obama signed The American Recovery and Reinvestment Act, and this federal legislation contains The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). Although the HITECH Act is part of legislation designed to revive the American economy, there are provisions in it affecting the security and privacy components of HIPAA, specifically, and the health care milieu, generally. It is important to note at the outset that the underlying goals of the HITECH Act are to improve health care quality, safety, and efficiency. The president promised change, and we are starting to get it.
Although the information summarized in this article is most important for MFTs who are covered providers under HIPAA, all MFTs, including trainees and interns, should have a working knowledge of it so that they will have a context for understanding changes likely to occur in the health care milieu in the coming years. None of these changes require MFTs who are covered providers to do anything right now. Rather, the information summarized here is probably best thought of as a soft spring rain seeping into the aquifer of your mind for later use. So, sit back, relax, and just think about getting acquainted with some of the key provisions of the HITECH Act.
In terms of HIPAA, the HITECH Act changes the privacy and security regulations in the following ways:
1. Breaches in Security
There is a new requirement for reporting breaches in security affecting a patient’s protected health information (“PHI”).1 This change is one that could directly affect MFTs who are covered providers, especially if they are not careful about addressing privacy and security issues within their practices. Under this law, a covered provider must notify a patient of any unauthorized acquisition, access, use, or disclosure of the patient’s “unsecured” PHI that compromises the security or privacy of that information.2
At this time, within the HITECH Act, the concept of “unsecured” PHI is somewhat nebulous, but the essence of it is patient information that is not secured by a technology or methodology that makes such information unusable, unreadable, or indecipherable to unauthorized individuals.3 Such technology does exist; properly implemented encryption is the obvious example. The harder, ongoing problem is using it consistently: keys must be managed and kept separate from the data they protect, laptops, phones, and backups must be encrypted too, and the practice must be able to show, after a loss or theft, that the data really was encrypted at the time. In this age of “computer hackers,” “spyware,” and “malware,” the challenge of securing PHI is going to be ongoing and difficult, and it is likely to be an issue hotly debated by experts in these fields as new regulations are thought through and enacted.
The HITECH Act mandates the Secretary of Health and Human Services (“HHS”) to issue guidance “specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals.”4 HHS has made available on its website (www.hhs.gov/ocr) the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. The guidance describes the technologies and methodologies a covered entity can use to make PHI indecipherable to unauthorized individuals; encryption of electronic PHI is one method specified in the guidance, and destruction of the paper or media holding the PHI is the other. While covered entities are not required to follow the guidance, those that have secured PHI through the described methods are relieved of their notification obligations under the HITECH Act. For instance, if you are a covered entity and you inadvertently send an encrypted e-mail containing a client’s PHI to a family member, you would not have to comply with the breach notification requirements set forth in the HITECH Act, provided the e-mail was not decrypted or otherwise compromised. The caveat is that the guidance conditions this relief on the decryption key not having been compromised along with the data: an encrypted file sent together with its password, or a lost laptop with the key stored on it, is still a breach of unsecured PHI. In terms of the larger picture, the lesson should be clear: covered providers must give careful attention to their security and privacy obligations! This vigilance must be ongoing to meet the standard of care. The failure to be vigilant in these matters could result in much trouble under HIPAA.
The HITECH Act also prescribes the methods, timeframes, and content of the notice that must be sent to a patient upon a breach.6 Individual patients must be notified of breaches by first-class mail sent to the patient’s last known address, or by electronic mail if the patient has specified e-mail as his or her preferred way of receiving communications from the provider.7 Covered providers certainly want to review their records to determine how each patient has asked to be contacted and then act accordingly.8
The notification required by this law must be made to the patient “without unreasonable delay,” and in no case later than sixty calendar days after the covered provider discovers the breach.9 Note that the clock starts at discovery, and a breach is treated as discovered on the first day it is known to the provider or, with reasonable diligence, would have been known (HITECH Act § 13402(c)); a lost laptop that sits unreported on a staff member’s desk for three weeks does not push the deadline back. The notification must include a description of what happened; a description of the types of unsecured PHI involved in the breach; steps the patient can take to protect himself or herself from potential harm resulting from the breach; a description of what you, as the covered provider, are doing to investigate the breach, mitigate losses, and protect against further breaches; and contact information so that the patient can reach you with any questions about the breach.10
2. Patient’s Right to Restrict Disclosures
There is a new requirement concerning a patient’s right to restrict disclosure of his or her PHI. Under HIPAA, patients can request restrictions, but providers do not have to agree to be bound by them. Under the new law, a covered provider must agree to the restriction if the disclosure would be to a health plan for purposes of carrying out payment or health care operations (not treatment), and the PHI pertains solely to a health care item or service for which the provider has been paid out of pocket in full.11 This new rule essentially allows a patient to pare down, but not eliminate, the information that gets reported to health plans. Covered providers under HIPAA will have to account for this on their applicable forms.
3. Patient’s Right to an Accounting of Disclosures
There is a new requirement concerning a patient’s right to an accounting of disclosures of his or her PHI. Under HIPAA, a patient has a right to receive an accounting of disclosures made within the six years before the date of the request, except for disclosures made for treatment, payment, and health care operations purposes. Under the new law, if a covered entity keeps an electronic health record, a patient can request an accounting of disclosures made through that record going back three years from the date of the request, and the accounting must include disclosures made for treatment, payment, and health care operations purposes.12
As the law defines it, this requirement need only be met by LMFTs who are covered providers and who maintain “electronic health records,” as opposed to maintaining patient records on paper. So, if you are a covered provider who keeps paper records, you would still comply with the original HIPAA rule. An “electronic health record” means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.13 If you choose to use “electronic health records” in your practice, compliance with this requirement will not be necessary until January 1, 2011 at the earliest (and not until 2014 for electronic health records acquired before January 1, 2009), subject to any later dates HHS sets by regulation.14
4. New Requirements for Business Associates
There is a new requirement that extends HIPAA’s security provisions to business associates; consequently, business associates, for the first time, must implement administrative, physical, and technical safeguards, just as covered providers have to do.15 Covered providers should add this requirement to their business associate agreements, and business associates need to be aware that the civil and criminal penalties for violating HIPAA now apply directly to them.16 For further reading on the new requirements pertaining to business associates, read Neither You Nor Your Business Associates Can Afford to be Lax About Complying with HIPAA Requirements, which can be accessed on the CAMFT website, under Resource Center.
5. Prohibition on Selling a Patient’s PHI
There is a new requirement that, in general, prohibits a covered entity from receiving direct or indirect remuneration in exchange for a patient’s PHI without the patient’s authorization.17 Of course, this requirement essentially prohibits an activity psychotherapists do not usually engage in anyway, but it is nice to see PHI being protected in the larger health care milieu.
Certain exchanges of PHI for remuneration, however, remain permitted under this rule. For instance, it is permissible to receive reasonable remuneration for providing PHI for public health activities; for research purposes; for treatment of the individual; for the sale, transfer, or merger of part or all of a covered entity; for exchanges of PHI between a covered entity and its business associate under a business associate agreement; and for providing a patient with a copy of his or her own records.18
6. HIPAA Violations
There is a new standard for assessing the severity of HIPAA violations. Under the new law, civil monetary penalties are tiered by the violator’s culpability: violations the person did not know of (and, exercising reasonable diligence, would not have known of); violations due to reasonable cause and not willful neglect; violations due to willful neglect that are corrected within thirty days; and violations due to willful neglect that are not corrected.19 The fines for violating HIPAA have been restructured accordingly: they start at $100 per violation for the lowest tier, $1,000 per violation for the second tier, $10,000 per violation for the third tier, and $50,000 per violation for the highest tier, with annual caps for identical violations that range from $25,000 to $1.5 million. Moreover, there is now more of an incentive for an aggrieved patient to file a complaint against a covered provider, because such a patient may eventually be allowed to receive a percentage of any civil monetary penalty assessed by the government.20
7. Enforcement by State Attorneys General
There is a new provision that allows a State attorney general to bring a civil action in federal court on behalf of residents of the State who have been, or are threatened with being, harmed by a HIPAA violation, in order to enjoin further violations by the defendant and to obtain damages on behalf of the aggrieved patient or patients.21 In California, such an action would be brought by the California Attorney General. This is not a private right of action in the usual sense: an individual patient still cannot sue directly under HIPAA, but he or she can file a complaint with HHS or with the Attorney General, who then decides whether to act.
8. Guidance for HIPAA Compliance
There are new provisions calling for the Secretary, after consulting with stakeholders, to offer more guidance for complying with HIPAA. For instance, look for the Secretary to identify the most effective and appropriate technical safeguards to adopt to secure PHI;22 to identify the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals;23 to identify what constitutes the “minimum necessary” PHI for a disclosure;24 and to identify the proper ways to de-identify PHI.25 As discussed above, the guidance on rendering PHI unusable, unreadable, or indecipherable is now available on the HHS website at www.hhs.gov/ocr.
The Health Care Milieu Generally
In terms of the health care milieu generally, the HITECH Act will alter it in the following ways:
1. Office of the National Coordinator for Health Information Technology
Within the Department of Health & Human Services, there is now established an Office of the National Coordinator for Health Information Technology, with this office being headed by a National Coordinator.
The National Coordinator is going to be the individual responsible for developing a nationwide health information infrastructure that will allow for the use and exchange of information, among providers, health plans, and the government, within the health care milieu.26
The goals of this nationwide health information system include: ensuring that each patient’s health information is secure and protected; improving health care quality; reducing health care costs; providing appropriate information to help guide medical decisions; improving the coordination of care; facilitating clinical research; promoting early detection, prevention, and management of chronic diseases; and, improving efforts to reduce health disparities.27
2. Expansion of the Federal Bureaucracy
In addition to creating the new Office of the National Coordinator for Health Information Technology, the HITECH Act also empowers the National Coordinator to establish a “governance mechanism” for the nationwide health information network,28 although the details of such governance mechanism were not stated in the HITECH Act.
The HITECH Act also calls for the following changes to the health care landscape:
a. The appointment of a Chief Privacy Officer of the Office of the National Coordinator,29
b. The creation of two new national committees: the Health Information Technology Policy Committee, to make recommendations to the National Coordinator about the implementation of the nationwide health information technology infrastructure, and the Health Information Technology Standards Committee, to make recommendations to the National Coordinator about standards, implementation specifications, and certification criteria for the electronic exchange and use of health information.30
c. The creation of the Health Information Technology Extension Program to assist providers in adopting, implementing, and using certified EHR technology.
d. The creation of a Health Information Technology Research Center to provide technical assistance and to develop “best practices” to support and accelerate efforts to adopt, implement, and effectively utilize health information technology within the standards and certifications established by the federal government.
e. The creation of Health Information Technology Regional Extension Centers to provide, on a regional basis, technical assistance and to develop “best practices” to support and accelerate efforts to adopt, implement, and effectively utilize health information technology within the standards and certifications established by the federal government.
f. The designation of regional privacy officers in each of the regional offices of the Department of Health and Human Services to offer guidance and education to covered entities.31
3. Funding to Strengthen the Health Information Technology Infrastructure
Under the HITECH Act, the Secretary has the authority to spend billions of dollars to invest in the infrastructure necessary to allow for and promote the electronic exchange and use of health information for each individual in the United States.32 Writ large, the expenditure of this money demonstrates a commitment by the federal government to move the health care milieu towards a completely electronic system.
4. Areas of Future Study
Under the HITECH Act, the federal government has identified some areas of the health care milieu warranting further inquiry. For psychotherapists, the areas of inquiry most germane include: studying the application of privacy and security requirements to non-HIPAA covered entities;33 studying the definition of “psychotherapy notes,” especially with regard to including test data that is related
In closing, this article is meant to acquaint you with the major provisions of the HITECH Act and how they relate to LMFTs and the health care milieu.
David Jensen, JD, is a Staff Attorney for CAMFT. He is available to answer member calls regarding business, legal, and ethical issues.
1 HITECH Act § 13402
2 HITECH Act § 13402
3 HITECH Act § 13402(h)
4 HITECH Act § 13402(h)(2)
5 HITECH Act § 13402(h)(1)(B)
6 HITECH Act § 13402(d), (e), and (f)
7 HITECH Act § 13402(e)(1)
8 See the Request for Restrictions on the Manner or Method of Confidential Communications form in the HIPAA section of CAMFT’s website.
9 HITECH Act § 13402(d)(1)
10 HITECH Act § 13402(f)
11 HITECH Act § 13405(a)
12 HITECH Act § 13405(c)
13 HITECH Act § 13400(5)
14 HITECH Act § 13405(c)(4)
15 HITECH Act § 13401(a)
16 HITECH Act §§ 13401(b) and 13404(c)
17 HITECH Act § 13405(d)
18 HITECH Act § 13405(d)(2)
19 HITECH Act § 13410(d)
20 HITECH Act § 13410(c)(3)
21 HITECH Act § 13410(e)
22 HITECH Act § 13401(c)
23 HITECH Act § 13402(h)(2)
24 HITECH Act § 13405(b)(1)(B)
25 HITECH Act § 13424(c)
26 HITECH Act § 3001(a)
27 HITECH Act § 3001(b)
28 HITECH Act § 3001(c)(8)
29 HITECH Act § 3001(e)
30 HITECH Act § 3003(a)
31 HITECH Act § 13403(a)
32 HITECH Act § 3011(a)
33 HITECH Act § 13424(b)(1)
34 HITECH Act § 13424(f)
35 HITECH Act § 13424(d)