Healthcare providers and others handling sensitive patient data are now finding the stakes raised if they suffer a data breach because of a new law known as the "Health Information Technology for Economic and Clinical Health Act," or HITECH Act.
Passed by Congress in February, the HITECH Act is now being brought into enforcement by the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC), each of which has a role under the law and can levy penalties and fines on organizations that stumble in protecting personal health information.
Depending on whether a data breach arises from a simple mistake or from willful conduct, fines are tiered from as low as $100 per violation for an unknowing slip-up involving unencrypted data to $1.5 million or more for knowingly and willfully violating the data-breach rules, say those familiar with the HITECH Act.
"Under the HHS rule, you have to figure out if you had a data breach," says Rebecca Fayed, an attorney in the healthcare group of the law firm Sonnenschein, Nath & Rosenthal in Washington, D.C. But the new rules, which cover both electronic and paper records, are far from simple.
The HITECH Act, devised by Congress primarily to address electronic medical records, is being noted for adding a tough data-breach notification requirement to the long-standing Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules.
Like HIPAA, the HITECH Act covers healthcare providers, insurers, clearinghouses and also business associates handling personal information about patient health, as well as other protected information, including name, Social Security number, address and insurance account numbers.
Fayed says there is a common misperception that the HITECH Act requires public disclosure of any breach of unencrypted personal health information (PHI), but the fine print says the breach has to have affected more than 500 people in one state. "Then you have to notify the media," she says. If the data breach "is only five people, HHS doesn't want you calling them," though you will still have to notify the affected individuals.
And it appears there is no need to report an employee who unintentionally accesses a record by mistake in the course of doing his job. Much of the talk about HITECH centers on encryption, because the breach notification requirement applies only to "unsecured PHI," Fayed says. The HHS guidance sets out two basic ways to render that data secured: encryption, for electronic data, and destruction, for either electronic data or paper.
For encryption and stored-data security, the guidance references standards from the National Institute of Standards and Technology (NIST), including FIPS 140-2, the standard under which cryptographic modules are validated. Though encryption isn't mandatory under the HITECH Act, simply by bringing encryption into the discussion of what counts as a breach the federal government is raising the bar on what is implied about best practices, Fayed notes.
Comments (5)
DLP
By tali on October 29, 2009, 11:14 am
This is a real boon for the DLP companies, like Websense, GTB Technologies or Proofpoint
Data Breaches Due Largely to Lagging Business Culture
By johnfranks999 on October 30, 2009, 2:58 pm
These data breaches and thefts are largely due to a lagging business culture. Google "I.T. WARS" and you can read a good bit of it on Google Books; it's also in...
HITECH Act may represent more challenges than benefits
By MrVanHorn on October 30, 2009, 4:05 pm
The HITECH Act may represent more challenges for organizations than benefits, especially if they don't take the right steps to protect the data and comply with HIPAA...
medical data security
By Wright on October 31, 2009, 4:51 pm
HITECH will motivate healthcare entities to maintain robust logs (http://legal-beagle.typepad.com/wrights_legal_beagle/2009/08/secure-computer-medical-files.html)...