When the Health Information Technology for Economic and Clinical Health Act became law last year as part of the American Recovery and Reinvestment Act, it extended the HIPAA privacy and security requirements to the business associates of health care companies, set aside money to encourage health care providers to use electronic records systems, and enhanced Health Insurance Portability and Accountability Act enforcement mechanisms.
At the same time, the HITECH Act also includes the first federal data breach notification requirement. Advocates were pleased that Congress saw fit to include the measure, but when the U.S. Department of Health and Human Services published its interim final rule for reporting health data breaches, they immediately saw a problem.
The final version of the HITECH Act includes a provision that allows a health care organization to determine, after its own internal review, whether any breach actually harmed anyone. If it determines that there is no potential for harm, there is no need to disclose anything to anybody.
Consumer and patient privacy groups set to work convincing HHS that the "harm standard" did not adequately protect patient rights, and this week, the agency took action. According to the HHS website, the final rule has been withdrawn for "further consideration." The statement reads, in part:
This is a complex issue and the [a]dministration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur.
Patient Privacy Rights hails the change as "a huge step in the right direction."