Prior to HITECH, only covered entities such as health care providers and health plans were subject to HIPAA, and business associates were subject only to contractual obligations. However, effective February 17, 2010, the rules changed. Under HITECH, any entity that performs a service or process on behalf of a covered entity that involves the handling or disclosure of PHI is directly subject to HIPAA’s privacy and security rules. This means that HITECH now holds business associates to the same standard as covered entities. In addition, if a business associate incurs a possible “breach”, the covered entity is charged with discovery of that breach at the same time as the business associate. This means that the 60-day clock to notify each affected individual begins ticking at that moment.
The Health Information Technology for Economic and Clinical Health Act (“HITECH”) made momentous changes to HIPAA, including noteworthy administrative requirements pertaining to Protected Health Information (“PHI”). Employers/covered entities must now comply with the onerous “breach notification” rule established by the U.S. Department of Health and Human Services (“HHS”). This notification rule is triggered by the discovery of a “breach” of unsecured PHI, which is PHI that has not been rendered indecipherable to unauthorized individuals through NIST-level encryption or destruction. This protection applies to ALL PHI that is used or disclosed by covered entities, whether it is communicated in oral, written or electronic form.
The interim final regulations published by HHS require all HIPAA covered entities to provide notification to every affected individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed as a result of the breach, within 60 days after the breach was discovered by the covered entity OR business associate. In certain situations, notification must also be given to the Secretary of HHS or even the media!