HIPAA Changes in the HITECH Act of 2009: Studies, Reports, Guidance
House bill Sec. 4424
Senate bill Sec. 13424
Conference agreement Sec. 13424
This text is from the Conference Committee Report
Current Law
Any person who believes a covered entity is not complying
with the privacy rule may file a complaint with HHS. The rule
authorizes the Secretary to conduct investigations to
determine whether covered entities are in compliance. HIPAA
does not require the Secretary to issue a compliance report.
The HIPAA Administrative Simplification standards apply to
individual and group health plans that provide or pay for
medical care; health care clearinghouses (i.e., entities that
facilitate and process the flow of information between health
care providers and payers); and health care providers. In
addition, the privacy and security standards apply to
business associates with whom covered entities share health
information. They do not apply directly to other entities
that collect and maintain health information, including
Health Information Exchanges, RHIOs, and PHR vendors, unless
they are acting as providers or plans.
The HIPAA standards are intended to protect individually
identifiable health information; de-identified information is
not subject to the regulations. Under the privacy rule,
health information is de-identified if 18 specific
identifiers (e.g., name, social security number, address)
have been removed, or if a qualified statistician, using
accepted principles, determines that the risk is very small
that the individual could be identified.
Generally, plans and providers may use and disclose health
information for the purpose of treatment, payment, and other
health care operations without the individual's authorization
and with few restrictions. Covered entities may, but are not
required to, obtain an individual's general consent to use or
disclose PHI for treatment, payment, or health care
operations.
House Bill
The Secretary would be required annually to submit to
specified Congressional Committees and post online a
compliance report containing information on (1) the number
and nature of complaints of alleged violations and how they
were resolved, including the imposition of civil fines, (2)
the number of covered entities receiving technical assistance
in order to achieve compliance, as well as the types of
assistance provided, (3) the number of audits performed and a
summary of their findings, and (4) the Secretary's plan for
the following year for improving compliance with and
enforcement of the HIPAA standards and the provisions of this
subtitle.
The House bill would require the Secretary, within one year
and in consultation
with the Federal Trade Commission (FTC), to study the
application of health information privacy and security
requirements (including breach notification) to non-HIPAA
covered entities and report the findings to specified House
(Ways and Means, Energy and Commerce) and Senate (Finance,
HELP) Committees. The report should include an examination of
PHR vendors and other entities that offer products and
services through the websites of PHR vendors and covered
entities, provide a determination of which federal agency is
best equipped to enforce new requirements for non-HIPAA
covered entities, and include a time frame for implementing
regulations.
The House bill would require the Secretary, within one year
of enactment and in consultation with stakeholders, to issue
guidance on how best to implement the HIPAA privacy rule's
requirements for de-identifying PHI.
The House bill would require GAO, within one year, to
report to the House Ways and Means and Energy and Commerce
Committees and the Senate Finance Committee on best practices
related to the disclosure of PHI among health care providers
for the purpose of treatment. The report must include an
examination of practices implemented by states and other
entities, such as health information exchanges, and how those
practices improve the quality of care, as well as an
examination of the use of electronic informed consent for
disclosing PHI for treatment, payment, and health care
operations.
Senate Bill
The Senate bill includes the same provisions, with the
additional requirement that GAO, within one year, report to
Congress and the Secretary on the impact of the bill's
privacy provisions on health care costs.
Conference Agreement
The conference agreement maintains most of the study language
and adds a study that requires the Secretary to review the
definition of "psychotherapy notes" with regard to
including test data that are part of a mental health
evaluation. The Secretary may revise the definition by
regulation based on the recommendations of the study. In
addition, the conference agreement broadened the study added
by the Senate on the impact of the bill's privacy provisions
on health care costs. It requires GAO to study the impact
of all the provisions of the HITECH Act on health care costs,
adoption of electronic health records by providers, and
reductions in medical errors and other quality improvements.