Health Information Technology for Economic and Clinical Health Act (HITECH)

The Health Insurance Portability and Accountability Act (HIPAA) requires encryption of health information communicated over any network on which the transmitter cannot control access. If an unencrypted e-mail containing protected health information (PHI) is sent across the internet, a violation of HIPAA may have occurred even if the e-mail was not intercepted. The mere fact that this content is available for review by an internet service provider or other third party can expose an organization to penalties.

A provision of the American Recovery and Reinvestment Act of 2009 (ARRA), the Health Information Technology for Economic and Clinical Health Act (HITECH), significantly expands HIPAA coverage to encompass business partners of covered entities, including attorneys, accounting firms, and external billing services. These associates are liable for government penalties under this new law, and proceeds from any civil penalties are deposited with the Office of Civil Rights Enforcement within the Department of Health and Human Services. Additionally, individuals and lawyers can now collect fines for violations of the HIPAA Security Rule, dramatically increasing the incentive to sue privately when data is breached.

Penalties for HIPAA violations have been expanded dramatically: if a covered entity or one of its business associates experiences a data breach involving 500 or more patient records that have not been encrypted, it must immediately notify the affected individuals, HHS, and a prominent media outlet. Fines for violations can now reach as high as $1.5M per calendar year.

Law firms that have access to or transfer HIPAA information over public networks will need to appoint individuals to manage security policies, will need to deploy appropriate technologies to protect data at rest and during transmission, and will need to dramatically beef up their security posture for messaging, managed file transfer, real-time communications, data preservation, and other parts of their infrastructure.