HITECH Act Increases HIPAA Compliance Requirements for Group Health Plans

February 11, 2009


The February 2009 stimulus included the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act imposed significant new compliance obligations on employers by expanding the HIPAA privacy and security requirements which apply to group health plans and other “covered entities”. Some of these new requirements are already in effect. Many others will become effective on February 17, 2010. A “hit list” of these new requirements follows.

  • Increased Civil Penalties

Effective February 17, 2010, but applicable to violations after February 17, 2009, the HITECH Act significantly increases the civil penalties for violation of the HIPAA privacy or security regulations, increasing the maximum civil penalty for multiple violations to $1,500,000. The Act also establishes a series of tiered penalties based upon whether the violation was not known to the group health plan or other covered entity, was due to reasonable cause or was due to willful neglect.

  • New Notice Obligations In Event of Prohibited Protected Health Information Disclosure

Although the HIPAA privacy regulations require that a covered entity, such as a group health plan, take reasonable steps to mitigate any known harmful effect of a disclosure of protected health information (PHI) in violation of the regulations, the privacy regulations do not contain a specific requirement that a group health plan notify affected individuals of a privacy or security breach involving their PHI. The HITECH Act requires that a group health plan take specific steps to notify affected individuals of a privacy or security breach if the breach involves “unsecured” PHI. These provisions become effective September 23, 2009.

In the event of a privacy or security breach involving “unsecured” PHI, a group health plan must, within 60 calendar days after discovery of the breach, provide written notice which satisfies the HITECH Act to the affected individuals. If the group health plan sponsor has insufficient or out-of-date contact information for 10 or more individuals to whom notice must be provided, it is required to post a conspicuous notice on its website home page regarding the breach or publish a notice in major print or broadcast media, including major media in the geographic areas where the affected individuals are likely to reside. The notice must include a toll-free number where an individual can learn whether his/her PHI may be included in the breach. If the breach involves the PHI of more than 500 residents of a particular state or jurisdiction, the group health plan sponsor must also provide notice to “prominent media outlets” serving that state or jurisdiction. Notice must also be provided to the Secretary of Health and Human Services of the breach.

  • Individual’s Right to Restrict Disclosures of PHI

Although the HIPAA privacy regulations permit an individual to request that his/her PHI not be disclosed for purposes of treatment, payment or health care operations, a group health plan may decline this request. Effective February 17, 2010, the HITECH Act will require that a group health plan comply with an individual’s request that his/her PHI not be disclosed if the disclosure is for payment or health care operations and the PHI pertains solely to an item for which the individual has paid the health care provider out of pocket and in full.

  • Access to Electronic PHI

Effective February 17, 2010, if a group health plan uses or maintains an electronic health record containing an individual’s PHI, the HITECH Act expressly grants an individual access to his/her electronic PHI as well as the ability to request that the electronic PHI be transferred to a third party designated by the individual. The group health plan from which the electronic health record (or a summary or explanation of that record) is requested is only permitted to charge for the labor costs associated with producing that information.

  • Right to Receive Accounting of PHI Disclosures

Presently, an individual has the right to obtain an accounting of disclosures by a group health plan of his/her PHI for the previous six years, except for disclosures made to carry out payment, treatment or health care operations. The HITECH Act greatly broadens this right to an accounting by extending it to disclosures for payment, treatment or health care operations during the previous three years, provided that the disclosures were made via an electronic health record. This change has different effective dates depending upon whether the covered entity presently uses electronic health records.

  • Tightening of “Minimum Necessary” Requirement

The privacy regulations generally require that group health plans make reasonable efforts to limit the disclosure of PHI to the “minimum necessary” to accomplish the intended purpose of the disclosure. The “minimum necessary” standard is generally applicable when disclosing PHI or requesting it from another covered entity. This standard is not applicable to (1) disclosures to or requests by a health care provider for treatment; (2) uses or disclosures made to the individual who is the subject of the PHI; (3) uses or disclosures made pursuant to an authorization by the individual; and (4) uses or disclosures that are required by law.

Effective February 17, 2009, the definition of what is considered the “minimum necessary” has been limited by the HITECH Act. The Act provides that, by August 17, 2010, the Secretary of Health and Human Services will issue regulations defining what constitutes the “minimum necessary”. Pending issuance of these regulations, the Act directs group health plans to define the “minimum necessary” as either (a) a “limited data set” or (b) if needed by the group health plan, the “minimum necessary” to accomplish the intended purpose of the use, disclosure or request. A limited data set excludes most identifiers, such as name, address, social security number, telephone number, fax number, medical record number, health plan beneficiary number, or account number.

  • New Business Associate Agreement Requirements

Prior to the changes made by the HITECH Act, business associates were bound to comply with the privacy and security regulations only through their contracts with group health plans or other covered entities. Also, the HIPAA privacy regulations were more liberal as to the methods used by business associates to satisfy those requirements. Effective February 17, 2010, the HITECH Act applies many of the requirements of the HIPAA privacy and security regulations, including the penalty provisions, directly to business associates. Business associate agreements must also be revised to reflect these new requirements. Also, effective February 17, 2010, the HITECH Act requires organizations that provide data transmission of PHI to a group health plan or other covered entity (or its business associate) and that require access on a routine basis to such PHI, as well as certain other vendors, to enter into business associate agreements with the covered entity.


Article Originally Published: November 2009

The information contained in this article is not intended to be legal advice. Readers should not act or rely on this information without consulting an attorney.