HITECH Act Enforcements and Modifications

The page below is a sample from the LabCE course HIPAA Privacy and Security Rules. Access the complete course and earn ASCLS P.A.C.E.-approved continuing education credits by subscribing online.


The Omnibus Rule (the HHS final rule issued in 2013) implemented and strengthened the changes introduced by the HITECH Act.
Business Associate Liability
The HITECH Act made business associates directly liable for compliance with applicable HIPAA requirements. The Omnibus Rule went a step further: business associates can now be audited and fined directly for non-compliance, rather than liability resting solely with the covered entity they serve.
Breach Notification Rule
The HITECH Act established breach notification requirements that differ depending on whether a breach affects fewer than 500 or 500 or more individuals. The Omnibus Rule changed the standard for deciding whether notification is required: instead of the covered entity having to find a significant risk of harm before a notification was owed, any impermissible use or disclosure of PHI is now presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. That risk assessment requires covered entities and business associates to weigh the following four factors together:
1. Evaluate the nature and extent of PHI involved in a breach.
Sensitive PHI includes financial identifiers such as credit card and Social Security numbers, and clinical information such as diagnoses and medical history. The more sensitive the data involved, and the more easily an individual could be re-identified from it, the more likely notification is required. If the information was not sensitive in nature, the remaining factors must still be considered before concluding that no notification is needed.
2. Consider the unauthorized person who used or received PHI.
If the unauthorized recipient works for a covered entity or business associate and is itself bound by HIPAA, there is a lower probability that the PHI has been compromised, which weighs against notification. This is one factor among four, not a determination on its own.
3. Investigate if the PHI was actually received, viewed, or further disclosed.
If a laptop containing PHI was stolen, it is necessary to determine whether the PHI was actually accessed or viewed. The opportunity was there, but if it can be shown (for example, through forensic examination of the recovered device) that the PHI was never accessed, a breach notification may not be necessary. Note that PHI encrypted in line with HHS guidance is not considered "unsecured" PHI, so loss of a properly encrypted device does not trigger the notification requirement at all; this is the strongest practical reason to encrypt portable devices.
4. Mitigate the PHI risk and resolve any security infraction.
Covered entities and business associates should document how they follow up on potential PHI breaches. This includes formal documentation of the risk assessment, stating to what extent the PHI was compromised (if at all), and the steps taken to ensure the PHI will not be further used or disclosed, such as obtaining written assurance from an unauthorized recipient that the information has been returned or destroyed.