Understanding HIPAA and the HITECH Act

There is some confusion about HIPAA and the HITECH Act. HIPAA predates the HITECH Act by 13 years and is concerned with the portability of health insurance (ensuring employees do not lose coverage while between jobs), and the privacy and security of health data.

The HITECH Act, part of the American Recovery and Reinvestment Act of 2009, updated HIPAA and is concerned with promoting the adoption of electronic health records and the meaningful use of health information technology.

Title XIII of the American Recovery and Reinvestment Act prompted the creation of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which set aside money for creating a nationwide network of electronic health records and prompted the beginning of the Meaningful Use program. With the Meaningful Use program, healthcare providers were given incentives to use technology to improve healthcare.

The HITECH Act took the HIPAA Privacy and Security Rules into consideration. Subtitle D of HITECH addressed certain issues relating to the digital storage and transmission of medical records and made changes that allowed the enforcement of compliance with HIPAA Rules.

Revisions to HIPAA and the HITECH Act take the rules of both into consideration. For instance, the HITECH Act of 2009 increased penalties for HIPAA violations and strengthened criminal and civil enforcement of HIPAA.

The HITECH Act also introduced changes that required Business Associates of HIPAA-covered entities to comply with the HIPAA Breach Notification Rule.

Enforcement of HIPAA and the HITECH Act of 2009

Arguably the most important changes to HIPAA made by the HITECH Act of 2009 are concerned with enforcement of compliance and breach notification.

Before the HITECH Act was enacted, non-compliance with HIPAA could potentially attract a financial penalty of $100 up to a maximum fine of $25,000 for each violation. The Office for Civil Rights (OCR) was not issuing many fines for HIPAA violations due to a lack of resources for investigating HIPAA violations, which could be very labor intensive.

Also, the low fines meant that it was much cheaper for HIPAA-covered entities to simply pay fines rather than go through the expensive compliance process. The HITECH Act changed that with the introduction of penalty tiers for HIPAA violations, based on the seriousness of the violation and whether the covered entity had willfully violated HIPAA Rules.

Fines were increased to a maximum of $50,000 per violation, up to a maximum of $1.5 million per violation category, per year. Those fines provided an incentive to comply with HIPAA Rules.

The Breach Notification Rule

Since HIPAA was enacted in 1996, there has been a contractual obligation for Business Associates to preserve the integrity of ePHI, although legally, it was not possible to enforce compliance until the passing of the HITECH Act in 2009. HITECH introduced a legal requirement for Business Associates to comply with HIPAA, as was already the case with HIPAA-covered entities. That included the requirement to notify covered entities of a breach of PHI such as unauthorized access or impermissible disclosure.

According to the HIPAA Breach Notification Rule, covered entities must notify victims of a breach and the HHS’ Office for Civil Rights and, in certain cases, a media notification is required. Notices should be issued within 60 days of the discovery of a breach or the date when a business associate reports a breach to the covered entity. The exception to this rule is a breach that impacts fewer than 500 people: notifications still need to be issued to breach victims within 60 days, but OCR only needs to be notified within 60 days of the end of the year in which the breach occurred.

HIPAA Versus HITECH

There is a subtle distinction between HIPAA and the HITECH Act. Both deal with the protection of electronic protected health information (ePHI) and both are concerned with enforcement of HIPAA compliance; however, the two Acts differ in terms of patients’ rights.

Before the HITECH Act, patients were unable to discover to whom their ePHI had been disclosed. In 2011, the Department of Health & Human Services released a HITECH Rule which gave patients the right to obtain access reports that show who accessed or viewed their ePHI, both authorized and unauthorized access, if the latter is known.

Which is More Important – HIPAA or HITECH?

Neither Act is deemed more important than the other. All covered entities and business associates are required to comply with both Acts when they create, use, transmit or retain ePHI. All organizations, regardless of whether they are a covered entity or business associate, must be knowledgeable of the requirements of both Acts and ensure policies and procedures are introduced to comply with the Acts.

Due to the complexity of both Acts, all covered entities and business associates should undergo HIPAA and HITECH Act training. OCR could penalize entities for violating either Act, even when no PHI breach or unauthorized PHI disclosure has occurred. The penalty tiers show that ignorance of HIPAA and the HITECH Act Rules is not a valid excuse for noncompliance.

What Should be Included in HIPAA and HITECH Act Training?

OCR has not defined any specific training requirements for compliance with HIPAA and the HITECH Act. Every covered entity and business associate must conduct internal audits and risk analyses to determine gaps in their compliance programs. HIPAA Security Rule risk analyses are currently a requirement for acceptance in the Meaningful Use program.

Employees of covered entities and business associates need to undergo training on HIPAA and the HITECH Act annually, with HIPAA and HITECH Act training tailored to an individual’s role and level of access to PHI. However, due to the complexity of compliance with HIPAA and the HITECH Act, more frequent training sessions and refresher training are strongly recommended.