HIPAA Regulations Update – HITECH FAQs
October 2009
The Health Information and Technology for Economic and Clinical Health Act (HITECH), which is Title XIII of the American Recovery and Reinvestment Act, was enacted by Congress on February 17, 2009.
HITECH increases your responsibilities regarding the requirements of existing HIPAA privacy and security provisions. The following questions and answers are provided to assist you in navigating HITECH and the HIPAA-related amendments.
Q. Does the HITECH Act apply to me?
A. If you are a Business Associate under HIPAA, you are required to implement certain privacy as well as physical, technical and administrative safeguards, as required by HIPAA privacy and security regulations. The effective date for compliance is February 17, 2010.
Q. How do I know if I am a Business Associate?
A. If you receive, transmit, create or maintain protected health information (PHI), or if you signed a Business Associate Agreement (BAA) with us, you are likely considered a Business Associate for purposes of HIPAA. Examples of Business Associates include, but are not limited to, third-party administrators, sales agents/brokers and vendors who have access to PHI.
Q. Are there other provisions of HITECH that a Business Associate must follow?
A. For the most part, a Business Associate must comply with all provisions of HITECH. Therefore, we suggest you read it carefully. For example, a Business Associate must comply with the security breach notification provisions. If you experience a security breach as defined in HITECH, you must notify us in a timely manner and work with us to give notice to the affected individuals.
Q. HITECH mandates that Business Associates comply with a broad range of requirements found in the HIPAA privacy and security rules. What types of measures should I have in place?
A. A Business Associate should have privacy and security policies that address:
- administrative, physical and technical safeguards;
- privacy and security training programs;
- confidentiality and/or nondisclosure agreements;
- reporting of privacy and/or security breaches;
- return/destruction of information upon termination of the BAA;
- a process for providing an accounting of disclosures when requested or required;
- limiting the use, disclosure and request of PHI to the minimum necessary;
- prohibiting the sale of PHI in exchange for remuneration without an individual’s authorization.
Q. What happens if I do not comply with the new legal requirements?
A. Under HITECH, the fines have increased and are based on a new, tiered approach. As a Business Associate, you may be held accountable and fined in the event of a violation. The fine can range from $100 per violation to $50,000 per violation, with a maximum fine amount of $1.5 million for willful misconduct. Additionally, HITECH gives the State Attorneys General the ability to enforce HIPAA violations with injunctions and civil damages.
Q. What do I need to do if I am aware of an incident or breach?
A. When a Business Associate discovers a security breach of unsecured PHI, he or she must notify Assurant Health Privacy Officer Judy Titera at 414-299-1140 or at judy.titera@assurant.com immediately upon discovery of the breach. This new breach notification requirement does not replace existing state breach notification laws. Business Associates must comply with both the new federal requirements and the applicable state law requirements.
Q. What types of incidents would be considered a HIPAA security incident or breach?
A. Any unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of the PHI would be considered a HIPAA security incident or breach. Examples include: a lost laptop that is not encrypted, lost or stolen paper applications, and misdirected mail.
Q. What happens if I do not comply with these security breach requirements?
A. If you experience a security breach and you have not implemented the HIPAA privacy and security rules, you may be fined by the Department of Health and Human Services.
Q. What if I have more questions about HITECH — where else can I look?
A. We recommend that you contact an attorney or seek legal advice about your legal responsibility under HITECH, because every situation is different. You can also reference many resources on the internet, including www.cms.hhs.gov and www.hhs.gov/ocr/privacy/.
Key Terms:
Business Associate: A business associate is a person or entity that performs a function, activity or service on behalf of a covered entity.
Covered Entity: A covered entity includes certain health care providers, health plans and health care clearinghouses.
HITECH: The Health Information and Technology for Economic and Clinical Health Act (HITECH), which is Title XIII of the American Recovery and Reinvestment Act, was enacted by Congress on February 17, 2009. HITECH amends the HIPAA privacy and security rules.