The Health Information Technology for Economic and Clinical Health Act or HITECH was passed by the Congress three years ago. Among its provisions, HITECH sought to strengthen privacy and security measures over health information. Specifically, it added new privacy and security requirements for business associates, established new breach notification requirements, and enhanced enforcement efforts.

1. HITECH: Three Years
Later
Linda D. Koontz
Alison R. Brunelle
Tuesday, April 3, 2012 | Track 2 | 3:45 PM to 4:15 PM
For Interconnected Health 2012 © 2012 The MITRE Corporation. All rights reserved.

2. HIPAA Then and Now:
What Has HITECH Changed?
Breach Business
Notification Associate Liability
Enhanced Privacy
Audit Programs
and Security
Enforcement
Actions
Page 2
For Interconnected Health 2012 © 2012 The MITRE Corporation. All rights reserved.

3. HITECH Timeline of Events
Management
Services
Organization
(“MSO”) agrees
to settle for
potential "Meaningful Funding
HIPAA privacy We are
Use" opportunities
Passage of and security requirement in here projected to
ARRA rule violations effect end
2009 2010 2011 2012 2015
Grant awards Cignet Health HHS
to states faces first anticipates
commences HIPAA completing 150
penalties for audits by the
violating end of 2012
Privacy Rule
Source: Adapted from Minnesota e-Health Initiative Public Meeting on the HITECH ACT on March 18, 2009.
Page 3
For Interconnected Health 2012 © 2012 The MITRE Corporation. All rights reserved.

4. Meaningful Use: Privacy Considerations
Capture and
Stage 1
Share Data
• Electronic
Decision
Proposed Stage 2
copies of
protected Support
health Care
information
• Certified EHR
Outcomes
TBD Stage 3
(PHI) to
patients adoption with • Systems
• Secure all clinical interoperability
messaging information • Access to
documented comprehensive
• Health patient data
information from all
exchange available
• Patient sources
engagement • Advanced
patient
engagement
Page 4
For Interconnected Health 2012 © 2012 The MITRE Corporation. All rights reserved.

5. Backup
Page 5
For Interconnected Health 2012 © 2012 The MITRE Corporation. All rights reserved.

6. HIPAA 101: What Information Is Protected?
Rule
Protected Health Information (PHI)
Law
All "individually identifiable health information” (IIHI)
• Held or transmitted by a covered entity or its business associate, in
any form or media, whether electronic, paper, or oral.
• Excludes from PHI employment records that a covered entity
maintains in its capacity as an employer and education and certain
other records subject to, or defined in, the Family Educational
Rights and Privacy Act.
Two
De-Identified Health Information Ways
• There are no restrictions on the use or disclosure of de-identified
health information.
Source: U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) , Website, The HIPAA Privacy Rule.
Page 6
For Interconnected Health 2012 © 2012 The MITRE Corporation. All rights reserved.

7. HIPAA 101: Core Concepts
• Title I of HIPAA protects health
insurance coverage for workers and
their families when they change or
lose their jobs.
• Title II of HIPAA, known as the
Administrative Simplification (AS)
Health Insurance provisions, requires the
establishment of national standards
Portability and for electronic health care transactions
and national identifiers for providers,
Accountability health insurance plans, and
(HIPAA) of 1996 employers.
Source: Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (1996), (codified in scattered sections of title 42 U.S. Code); 45 C.F.R. parts
160 and 164 (HIPAA Privacy and Security Rules).
Page 7
For Interconnected Health 2012 © 2012 The MITRE Corporation. All rights reserved.

8. HIPAA 101: The Privacy Rule
• Establishes national standards to protect individuals’ medical
records and other personal health information and applies to health
Openness and
plans, health care clearinghouses, and those health care providers
Transparency, that conduct certain health care transactions electronically.
Accountability
• Requires appropriate safeguards to protect the privacy of personal
health information, and sets limits and conditions on the uses and
Safeguards,
disclosures that may be made of such information without patient
Collection, Use, and authorization.
Disclosure Limitation
• Gives patients rights over their health information, including rights
to examine and obtain a copy of their health records, and to request
Individual Access and corrections.
Choice, Correction
Source: U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) , Website, The HIPAA Privacy Rule.
Page 8
For Interconnected Health 2012 © 2012 The MITRE Corporation. All rights reserved.

9. HIPAA 101: The Security Rule
• Establishes national standards to
protect individuals’ electronic personal
health information that is created,
received, used, or maintained by a
Accountability
Covered Entity.
• Requires appropriate administrative,
physical and technical safeguards to
ensure the confidentiality, integrity, and
Safeguards, security of electronic protected health
Data Quality
and Integrity information.
Source: U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) , Website, The HIPAA Security Rule.
Page 9
For Interconnected Health 2012 © 2012 The MITRE Corporation. All rights reserved.

10. HIPAA 101: The Enforcement Rule
• Contains provisions
relating to compliance
and investigations, the
imposition of civil money
penalties for violations of
the HIPAA Administrative
Accountability Simplification Rules, and
procedures for hearings.
Source: U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) , Website, The HIPAA Enforcement Rule.
Page 10
For Interconnected Health 2012 © 2012 The MITRE Corporation. All rights reserved.

11. HITECH 101: Core Concepts
• Enacted as part of the American Recovery and
Reinvestment Act (ARRA) of 2009, is designed to
promote the widespread adoption and
standardization of health information technology.
• Requires the Department of Health and Human
Services (HHS) to modify the HIPAA Privacy,
Security, and Enforcement Rules to strengthen
Health Information the privacy and security protections for health
information and to improve the workability and
Technology for effectiveness of the HIPAA Rules.
• Mandated the Office of the National Coordinator
Economic and for Health Information Technology (ONC)
Clinical Health originally created under an Executive Order in
2004.
(HITECH) Act of 2009
Source: U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) , Website, The HIPAA Breach Notification Rule.
Page 11
For Interconnected Health 2012 © 2012 The MITRE Corporation. All rights reserved.

12. HITECH 101: The Breach Notification Rule
• Establishes an expansive protocol requiring
HIPAA Covered Entities and their Business
Associates to provide notice when an
Openness and individual's “unsecured” protected health
Transparency, information has been breached.
Accountability
• Requires appropriate breach notification
must be provided to individuals, HHS, and/or
the media depending on the circumstances.
Accountability
Source: U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) , Website, The HIPAA Breach Notification Rule.
Page 12
For Interconnected Health 2012 © 2012 The MITRE Corporation. All rights reserved.