The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, enacted as part of the American Recovery and Reinvestment Act (ARRA), promotes the electronic exchange of large volumes of health information and extends the HIPAA privacy and security requirements to protect electronic protected health information (ePHI). The HIPAA Security Rule covers health plans, healthcare clearinghouses and healthcare providers. As of February 17, 2010, under the HITECH Act, business associates of those covered entities are also required to comply with the Security Rule. HITECH also establishes mandatory federal breach notification requirements and expands the criminal and civil penalties for non-compliance.
HITECH Breach Notification Requirements
The HITECH Act requires covered entities and business associates to disclose breaches of "unsecured PHI," which is defined as "protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance."
The U.S. Department of Health and Human Services guidance states that "encryption and destruction [are] the two technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals." It adds that "we do not believe that access controls meet the statutory standard of rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals." The practical consequence is that PHI protected only by access controls (for example, an operating-system login on a lost laptop) is still "unsecured" for breach-notification purposes, because the data remains readable once the control is bypassed or the storage is removed, whereas properly encrypted PHI is out of scope only as long as the decryption key itself has not been compromised.
While 98 percent of survey respondents have a policy in place to limit the disclosure of Protected Health Information (PHI), only 52 percent employ encryption technologies to render data unreadable or unusable in the case of unauthorized access.[1]
[1] Computer Sciences Corporation (CSC) Healthcare Group, 2010