President Barack Obama executed The American Recovery and Reinvestment Act of 2009 (the “Stimulus Act”) on Feb. 17, 2009. Title XIII of the Stimulus Act, which is entitled “The Health Information Technology for Economic and Clinical Health Act” (the “HITECH Act”), devotes significant resources to encouraging the use of electronic health records. A goal of the Act is the advancement of health information technology that will improve health care quality by reducing medical errors, health disparities, and health care costs that result from inefficiency. See the HITECH Act, § 3001(b)(1)-(11). The Act's expansion of The Health Insurance Portability and Accountability Act's (HIPAA's) privacy regulations and its imposition of new restrictions and requirements are intended to protect patients against the increased risk of unauthorized disclosure and use of information that accompanies the electronic use of patient records.
The new legislation, while aimed at stimulating the economy and increasing patient safety, has another side that health law attorneys need to be aware of. In certain circumstances, the Act's provisions may apply to health care lawyers, who could find themselves subject to civil and criminal penalties if they fail to comply with its requirements.
The HITECH Act
The HITECH Act establishes an Office of the National Coordinator for Health Information Technology. The National Coordinator is responsible for reviewing and implementing standards that will enable the development of “a nationwide health information technology infrastructure that allows for the electronic use and exchange of information.” See the HITECH Act, § 3001. The Coordinator is tasked with establishing a health information technology policy committee that will assist him or her with utilizing “a certified electronic health record for each person in the United States by 2014” and with the development of technologies that protect the privacy and security of the information. Id.
Safeguarding Patient Information
The HITECH Act's means of safeguarding patient information during the transition to electronic records has caused a bit of a stir among health care attorneys. It adopts HIPAA's protections against unauthorized use or disclosure of protected health information and addresses primarily the storage and transmission of protected health information by covered entities and their business associates. This is the significant part: The HITECH Act expands HIPAA's privacy regulations so that both the care providers and their business associates are tasked with working to prevent the unauthorized disclosure of protected health information, such as a patient's treatment records that are electronically transmitted or stored.
The term “business associate” encompasses any person who: “Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity … where the provision of the services involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.” 45 C.F.R. § 160.103.
Business Associate Agreements
Effective Feb. 17, 2010, those who create or exchange protected health information pursuant to a contract or other written arrangement with covered entities will be required to enter into business associate agreements. Id. at § 13404(a). The agreement must establish the permitted and required uses and disclosures of protected health information by the business associate, and provide that the business associate will not make unauthorized use or disclosure of the information. See 45 C.F.R. § 164.502(e).
Additionally, the agreement must require that the business associate implement safeguards to protect the information, report unauthorized uses or disclosures to the covered entity, and ensure that agents or subcontractors who use the information also agree to the same restrictions and conditions. Id. In accordance with 45 C.F.R. § 164.308, the required administrative safeguards include conducting a risk analysis to assess the risks posed to the confidentiality and security of electronic health information, implementing security measures to reduce those risks, and applying sanctions to employees who fail to comply with the security measures. See 45 C.F.R. § 164.308(a). 45 C.F.R. § 164.310 requires the implementation of physical safeguards to protect electronic health information. The required physical safeguards include the establishment and implementation of procedures that allow access to and restoration of data lost in disasters or emergencies; prevent unauthorized access to the facilities where the health information is maintained; control and validate the persons who access the facilities; and document repairs and modifications to security features at the facilities. See 45 C.F.R. § 164.310.
Technical Safeguards
45 C.F.R. § 164.312 requires the implementation of technical safeguards that limit access to the systems that maintain protected health information to those persons and software programs that have been granted access rights pursuant to 45 C.F.R. § 164.308(a)(4). The safeguards identified in 45 C.F.R. § 164.312 include assigning a unique identifier to each user so that those who access the information can be identified and tracked, establishing procedures for obtaining the information during an emergency, and implementing procedures that terminate a session after a period of inactivity. Id. 45 C.F.R. § 164.316 requires that these safeguards be documented in writing and that the documentation be retained for six years. See 45 C.F.R. § 164.316.
Sanctions to Be Aware Of
The civil and criminal penalties that the HITECH Act imposes can be significant. The Act not only extends civil and criminal penalties to business associates, but also expands the grounds for the imposition of the penalties under a tiered system. 42 U.S.C.A. § 1320d-5 formerly authorized the Secretary of Health and Human Services to impose a general penalty of up to $100 for each violation that constituted a failure to comply with the applicable requirements and standards. The amount that could be imposed in a calendar year was capped at $25,000. The Act's tiered system increases the range of the civil penalties authorized under 42 U.S.C.A. § 1320d-5 from a cap of $25,000 per calendar year for violations the person did not know of to a cap of $1,500,000 per calendar year for identical violations that result from willful neglect and are not corrected. See the HITECH Act, § 13410. In determining the amount of the penalty, the Secretary is to consider the “nature and extent of the violation and the nature and extent of the harm resulting from such violation.” Id.
42 U.S.C.A. § 1320d-6 provides criminal penalties for knowing violations that range from a fine of not more than $50,000 and imprisonment for up to a year to a fine of up to $250,000 and imprisonment for up to 10 years. The HITECH Act revises this code section by adding the provision that “a person … shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity … and the individual obtained or disclosed such information without authorization.” Id. at § 13409.
The Department of Health and Human Services is authorized to collect the civil penalties and use them to fund enforcement of the Act. A business associate that discovers a breach of unsecured protected health information is required to notify the covered entity about the breach, and the covered entity must in turn notify each individual whose protected health information is affected by the breach. See the HITECH Act at § 13402(a)-(b). A breach is treated as discovered on the first day that the business associate knows, or reasonably should know, of it, and notice must be given without unreasonable delay and no later than 60 calendar days after discovery. Id. at § 13402(c)-(d).
Health Law Attorney Responsibilities
An attorney who performs legal services on behalf of a covered entity that involve the use of electronic protected health information qualifies as a “business associate” who is subject to the requirements and potential liabilities that the HITECH Act imposes. The term “covered entity” includes all health care providers that electronically transmit patient information to another party for health care-related administrative or financial activities. 45 C.F.R. § 160.103. “Electronic protected health information” includes an individual's treatment records that are either transmitted by electronic media or maintained on a computer's hard drive or any digital storage medium, such as a disc or memory card. Id.
Apparently, pursuant to the HITECH Act, attorneys who provide legal services to health care providers that involve the use of electronic protected health information are now required to implement the same safeguards to protect that information as the care providers themselves. If they fail to do so, they face the same civil and criminal penalties that HIPAA formerly imposed solely on health care providers.
It is possible to interpret these new requirements as saying that medical malpractice attorneys are precluded from obtaining a plaintiff's medical records unless they enter into business associate agreements directly with each care provider and undertake the aforementioned obligations. However, that may be unnecessary in light of HIPAA's provisions regarding medical records acquired during the course of litigation. Those provisions appear to allow attorneys to instead obtain the records by giving the patient the opportunity to object (i.e., requesting the records via a formal request for production of documents served on the patient through his or her attorney), obtaining authorization from the patient to obtain and use the records, or obtaining a court order. See 45 C.F.R. § 164.512(e).
The administrative, physical, and technical safeguards that business associates must implement pursuant to the business associate agreements include training staff about the importance of unauthorized disclosures, limiting physical access to the information, and implementing security measures such as encryption to also limit access to information that is electronically stored. These measures also appear unnecessary in the context of medical malpractice litigation, unless the attorney actually stores medical records electronically and is concerned that the records will either be inadvertently transmitted or taken via a security breach.
The requirement that business associates ensure that their subcontractors safeguard protected health information does, however, appear particularly applicable to attorneys who are defending a provider client in medical malpractice litigation and wish to retain an expert to review a plaintiff's medical records. Such attorneys should be sure to enter into business associate agreements with the experts to whom they provide the information. The agreements should specify the limited use of the records and require that they be returned or destroyed once the need for their use has ended.
Conclusion
Many of the HITECH Act's requirements do not seem to apply to medical malpractice attorneys who do not retain medical records in an electronic format that is accessible to non-privileged persons or is susceptible to unauthorized disclosure through inadvertent transmission or breach by an outside party. Medical malpractice attorneys can continue to obtain medical records through discovery methods, patient authorization, or court order. However, attorneys should enter into business associate agreements with any experts whom they retain to review a plaintiff's medical records. The business associate agreements should obligate the expert to use the information only for the limited purposes of the litigation and to either return or destroy the records once his or her involvement in the litigation has terminated.
Lee S. Atckinson is an attorney in Carlock, Copeland & Stair, LLP's Atlanta office. His practice is focused on General Litigation, including the areas of Medical Malpractice and Insurance Coverage.