Strengthened HIPAA to address privacy impacts of the expanded use of electronic health records
Breach: Must notify individuals within 60 days of discovery
· If more than 500 people, must notify HHS immediately
· If 500 or more in the same jurisdiction, must notify media
· All breaches requiring notice must be reported to HHS at least annually
· A breach applies only to “unsecured” information, and a covered entity can avoid liability if it utilizes encryption software to secure information
Penalties: Up to $1.5 million for most willful violations
Disclosure: Must be the minimum amount necessary
Covered entities may not sell Electronic Health Records (EHR) without the consent of the patient
Covered entities and business associates have the burden of proof that an impermissible use or disclosure did not constitute a breach
HITECH applies to “personal health record” providers – cloud services for storing an individual’s health records. Breach notice requirements are similar to those for a covered entity.
These requirements apply even if the provider does not seek electronic reimbursement from the U.S. government. They are enforced by the Federal Trade Commission (FTC).
Limited data set: protected health information that includes direct identifiers of the individual
Patients who directly pay their provider for medical care may restrict their PHI from being disclosed to a health plan unless the disclosure is otherwise required by law