CIPP/US Study Guide
Chapter 8: Medical Privacy

HITECH: Penalties, Limited Data, and EHRs

HITECH increased civil penalties (up to $2 million for willful violations, even where the covered entity had no knowledge of the violation) and extended criminal liability to individuals. It encourages limited data sets and minimum-necessary disclosures, funds EHR meaningful use, and bars selling EHRs or receiving marketing payments without patient consent.

HITECH allows penalties up to $2 million for the most willful violations, extends criminal liability to individuals who misuse PHI, and permits penalties even if the covered entity did not know of the violation.

Disclosures should comply with the limited data set definition, defaulting to the minimum necessary standard if a limited data set is infeasible. Patients who pay their provider directly (out of pocket, in full) may restrict disclosure of that PHI to a health plan unless the disclosure is otherwise required by law.

EHR rights and limits

HITECH funded meaningful use of electronic health records (EHRs). Covered entities must give individuals a copy of their EHR on request and must account for nonverbal disclosures within three years. EHRs may not be sold without patient consent, and covered entities (CEs) cannot receive payment for certain marketing plans.

Key terms - quick answers

What is “Limited data set”?
PHI stripped of most direct identifiers, which covered entities should aim to use for disclosures, defaulting to minimum necessary if a limited data set is not feasible.
What is “Electronic health records (EHRs)”?
Digital medical records whose meaningful use HITECH funded with $19 billion in provider incentives.
What is “Meaningful use”?
The standard providers must meet in using EHRs to qualify for HITECH incentive funds.