Whether you love it or loathe it, HIPAA's teeth have dulled over the years. President Obama's Health Information Technology for Economic and Clinical Health (HITECH) Act, however, is sharpening its bite.
"I think the whole idea of HITECH literally infuses new life, new vigor into what the original intents of HIPAA were," said John Parmigiani, a healthcare consultant and the former director of enterprise standards at the Centers for Medicare and Medicaid Services.
With new vigor comes greater scrutiny, and stakeholders from all areas of healthcare are poring over provisions and voicing their comments. The general consensus? It's an improvement. But lagging loopholes and ongoing rulemaking leave plenty to contest.
Tighter Enforcement
Before HITECH, business associates (BAs) were bound only by their agreements with covered entities (CEs). Now, they answer to the government.
"That just closed a loop I think a lot of folks had been complaining about for a long time," said Pam Dixon, executive director, World Privacy Forum.
Still, Dixon noted one loophole that troubles the industry: Business outsourced overseas is beyond the law's reach, so a U.S. base can be held accountable for a breach, but employees overseas won't be penalized.
For many BAs, the new rules won't change much operationally; contracts with CEs often include obligations to follow HIPAA, according to Dixie Baker, PhD, chief technology officer of health solutions at Science Applications International Corporation (SAIC), an organization based in San Diego that specializes in providing information technology solutions.
The biggest adjustment, Baker said, is knowing the government's watching.
"To come under direct regulation and be directly subject to penalties, by definition, requires an additional degree of risk," she explained.
In the event of a breach, explicit rules will dictate how the provider or company - including personal health record (PHR) vendors - should respond. Healthcare organizations and PHR vendors directly tied to hospitals must notify affected patients within 60 days. If more than 500 patients are involved, the breach must be reported to the Department of Health and Human Services (HHS) and the media. Stand-alone PHRs, like Google Health, must follow similar rules but report to the Federal Trade Commission (FTC).
According to Parmigiani, it's good to get the FTC involved. As a former HHS employee, Parmigiani believes the agency has been too lenient in its enforcement of HIPAA.
"The FTC, however, comes down pretty hard," he said.
Dixon made similar observations about the rules FTC and HHS handed down for breach notification. While the FTC's rules are "fantastic," regulations from HHS are "weak," Dixon said.
Dixon also flagged another issue with breach notification. A single PHR vendor could fall under both FTC and HHS jurisdiction, she said. For example, Google Health has contracted accounts with hospitals and stand-alone accounts with users, which could make breach notification tricky.
"I think these issues remain to be worked out," she said.
In addition to business leaders, employees will want to take note of HIPAA changes. Individuals, not just the larger organization, will now be penalized for privacy violations.
What's more, HHS can take action against any violators who are not convicted by the Department of Justice (DOJ) for wrongful exposure.
"If there's some terrible, egregious thing the DOJ doesn't prosecute - they can't prosecute everything - now the secretary of HHS can go after it," Dixon said. "And that's such an improvement."
Patient Empowerment
As healthcare organizations face heightened enforcement, they'll also have to accommodate more patient demands. This has generated questions and qualms.
One of HITECH's provisions requires CEs and BAs to provide an accounting of disclosures at a patient's request. In the past, providers were required to track only disclosures unrelated to treatment or billing. Now, any time a patient's information is released - even to a doctor or health plan - that disclosure must be recorded.
"We're really happy about this," Dixon said. For medical identity theft victims, she said, it means they can find out who looked at their hospital records, which can help the investigation.
CEs and BAs are less enthused. For them, it means a lot of hassle for little return.
"I don't think there are a lot of people who ask for [accountings]," Parmigiani said, adding that he's spoken with HIM professionals who said they rarely get asked for a list of disclosures.
The legislation doesn't define what information must be included, either. That means CEs and BAs will have to find a balance to track disclosures without overtaxing systems.
One disclosure patients shouldn't (theoretically) worry about is the sale of private health information (PHI). Under the new provisions, providers cannot accept payment for patient details without the individual's consent.
It seems straightforward on the surface, but privacy advocates are holding their judgment. According to Dixon, some of the definitions are "sloppy" and need more refinement.
"We like the prohibition on sale, but we're also a little concerned about how it could be interpreted," she said.
Baker is glad HITECH closed the loophole on marketing operations, but isn't convinced marketing companies are out of the picture.
"I'm sure they'll create loopholes," she said, noting it's impossible to predict how regulations can be misinterpreted.
Dixon already sees a new area that's vulnerable to marketers.
The HITECH Act gives patients the right to request a copy of their EHRs, and they can send EHR information to a third party, such as a PHR company. While this provision is celebrated for improving patient access, privacy advocates worry EHRs will end up in the wrong hands.
According to Dixon, marketing companies could include patient authorization in fine print, which could be turned over to a provider for a copy of the patient's EHR.
"If the patient has given authorization, that healthcare provider will have no choice but to hand [the EHR] over," Dixon said.
She worries that without further clarification, the provision could become a "Pandora's box" for marketing schemes.
Wait And See
With several provisions in limbo and rulemaking still to come, most stakeholders are hedging their stance on HITECH's changes.
"It's really going to be sensitive to the rulemaking," Dixon said.
Experts will be keeping an eye on clarification of the prohibition on sale, details on accounting for disclosures, and finalization of the breach notification rules. But they're not exactly holding their breath; in fact, they're airing their thoughts through public comments.
According to Baker, if you know a certain rule will hamper your workflow, now's the time to let the government know.
Feedback will be essential to crafting the right rules, Parmigiani said, and the agencies know it.
"There's a real, concerted effort underway to get this right on the part of the regulations writers," he noted. "It really is a foundation piece as we move into a more robust e-health environment. Comments are being solicited not only on currently issued guidance and proposed rules, but also on alternative approaches to accomplish the intent."
Cheryl McEvoy is an editorial assistant with ADVANCE.