

HITECH Act Privacy and Security

Changes to Current HIPAA Laws and Regulations

My colleague Jonathan Krasner at Business Engineering, Inc. in Reston, Virginia sent me the following information about HIPAA changes that take effect this week. His information pertains to physician offices, medical billing companies, hospitals and a host of other healthcare facilities and vendors.

Congress passed and President Barack Obama signed the American Recovery & Reinvestment Act (ARRA) in February, 2009.  The healthcare IT component of the ARRA is commonly referred to as the HITECH (Health Information Technology for Economic and Clinical Health) Act.  The HITECH Act covers a broad range of healthcare IT initiatives including providing over $20 billion in funding towards implementation of healthcare IT.

The HITECH Act also includes “Subtitle D” which focuses on privacy and modifies and broadens portions of the HIPAA Privacy and Security laws and regulations.  The following is a high level overview of how the HITECH Act impacts current HIPAA laws and regulations.  This first section is an overview of the changes that will go into effect on February 17, 2010; changes that were or will be effective on other dates are summarized on the second page of this document.

Application of Security/Privacy Rules to Business Associates

Business Associates (BAs, generally defined as those who do not work for a covered entity (CE) but handle protected health information (PHI)) will now be required to comply directly with the Administrative Safeguards, Physical Safeguards, Technical Safeguards, and Policies and Procedures provisions of the existing HIPAA Security Rule.  Similarly, BAs are now directly bound by the privacy rules in the existing HIPAA regulations.  They are also now directly subject to civil and criminal penalties for violations.  Previously, BAs were only indirectly regulated through BA agreements with CEs.

Restrictions on Certain Disclosures

CEs are required to grant a request from an individual to restrict disclosure of their PHI if the disclosure is to a health plan for purposes of either payment or health care operations and the PHI pertains to a service for which the individual paid in full, out of pocket.  CEs were not previously required to grant requests to restrict any disclosure for payment or health care operations.

Disclosures Limited to the “Minimum Necessary”

CEs are currently required to limit requests for, and use or disclosure of, PHI to the “minimum necessary”.  The HITECH Act clarifies that the “minimum necessary” standard will only be satisfied if a CE or BA uses a “limited data set”, which is defined in HIPAA as PHI that excludes a specific set of direct identifiers of the individual.  However, if using a “limited data set” is not practical, then the “minimum necessary” guidance still applies.  The HITECH Act also clarifies that it is the CE or BA disclosing the PHI that determines the “minimum necessary”.

Access to PHI in Electronic Format

CEs that use an EHR must provide individuals the option to receive an electronic copy of their PHI.  Any associated fee charged by the CE can only cover its labor costs for providing the electronic copy.  Previously there was no requirement that an electronic copy had to be made available to individuals.

Marketing Communications

Under HIPAA a CE generally must obtain authorization for any use or disclosure of PHI for marketing purposes, except if the communication is for “health care operations”.  This has been revised under HITECH.  If a CE has received payment for making a communication, the communication for “health care operations” is allowed if (1) it relates to a drug or biologic that is currently being prescribed, (2) individual authorization has been obtained, and/or (3) a BA makes the communication on behalf of a CE within the framework of the BA agreement.

Fundraising Communications

The requirement that a CE must, in any fundraising materials it sends to an individual, allow that individual to opt out of receiving any future fundraising communications is unchanged, except that it is now a statutory requirement of the HITECH Act and not just a regulatory requirement.

Other HIPAA Changes in the HITECH Act

Clarification of Criminal Penalties (effective 2/17/2009)

The Department of Justice declared in a June 1, 2005 position paper that only CEs could be directly liable for HIPAA criminal violations.  The HITECH Act clarifies this so that individuals, whether or not they are employees of a CE, can now be criminally liable for violations of HIPAA.  BAs are also now directly liable for violations of HIPAA or the HITECH Act.  A new set of tiered, significant civil monetary penalties has also been established.  Fines start at $100 per violation (max. $25K per year) and go up to $50K per violation ($1.5M per year), depending upon the violation type.

Improved Enforcement (effective 2/17/2009)

The HITECH Act now requires that HHS must investigate any complaint that may have resulted from “willful neglect” by a CE or BA.  Also, a methodology must be developed by which victims of privacy violations may receive a share of the collected penalties.  Finally, states’ attorneys general are also now permitted to bring a federal civil action on behalf of the residents of their states whom they believe have been adversely affected by a HIPAA violation.

Notification in Case of Breach of Confidentiality (effective 9/24/2009)

CEs must now notify individuals whose unsecured protected health information (PHI) has been accessed or disclosed as a result of a breach.  BAs must similarly notify CEs, who must then notify affected individuals.  Notification must be in writing within 60 days of discovery of the breach.  If more than 500 individuals are affected, Health and Human Services (HHS) and prominent media outlets must also be notified.

Prohibition on Sale of PHI (regulations due by 8/16/2010, effective 6 months later)

CEs and BAs may only receive payment in exchange for PHI if the individual has signed an authorization that discloses that payment will be made to the CE or BA.  There are some exceptions, including disclosures for public health, research, treatment, sales or mergers, payments to a BA for services performed for the CE, or payments by an individual to obtain a copy of that individual’s record.  Previously, only sales of PHI for marketing purposes required an authorization that disclosed payment was involved.

Accounting of Disclosures (effective date varies by date CE implements EHR)

The HITECH Act will require that CEs follow a detailed accounting practice not previously in place under HIPAA.  If an individual requests an accounting of disclosures from electronic health records (EHRs), CEs must be able to provide the individual with disclosure information for the prior three years, even if the disclosures were made for “treatment, payment or health care operations.”  This will be phased in between 2011 and 2014.

We have seen some of these changes already being enforced.  For instance, in January 2010, Connecticut Attorney General Richard Blumenthal sued Health Net for multiple HIPAA violations.  Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months before Health Net notified appropriate authorities and consumers.

Note:  The foregoing is intended solely for informational purposes and should not be construed as legal advice.  Providers should consult with independent legal and accounting counsel before making any decisions.

is a 20 year veteran of healthcare having managed medical practices. He advises medical practices, physicians and practice administrators on how to run their practice and manage their medical billing and revenue cycle management. Manny speaks, blogs and makes videos at www.CaptureBilling.com, a blog that is tops in the medical billing and coding field.
