The Health Insurance Portability and Accountability Act (HIPAA) was enacted in August 1996. It was updated in 2003 with the HIPAA Privacy Rule and it was updated again in 2005 with the HIPAA Security Rule. The introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act also had implications for HIPAA, but how is the HITECT Act related to HIPAA and the management of electronic health and medical records?
Title I of HIPAA covers the portability of health insurance and safeguarding the rights of employees when they are in between jobs. Title I makes sure that health insurance coverage is maintained, something not covered by the HITECH Act. Title II of HIPAA consists of provisions for administrative controls, patient privacy, and the security of medical records.
One of the primary goals of the HITECH Act was to promote the use of electronic health and medical records by giving monetary rewards to healthcare providers who transition from physical to digital records. The HITECH Act additionally improved the HIPAA Privacy and Security Rules in relation to electronic health and medical records.
The HITECH Act required the Secretary of the HHS to issue guidance every year to covered entities and business associates to aid them in implementing proper technical controls to ensure confidentiality, integrity, and availability of PHI. Because of the technological neutrality of HIPAA, some entities were confused about how best to secure PHI so guidance was necessary.
How was HIPAA changed by the HITECH Act?
The HITECH Act was introduced on January 25, 2013 and made a number of changes to HIPAA for healthcare providers, health plans healthcare clearinghouses – HIPAA-covered entities – but especially business associates of HIPAA-covered entities. A few of the key changes to HIPAA that the HITECH Act introduced are specified below:
Business associates directly accountable for HIPAA violations
As per the HITECH Act, business associates of HIPAA covered entities need to sign a business associate agreement (BAA) with HIPAA-covered entities. They must agree not to share PHI except for the permitted uses allowed by the HIPAA Privacy Rule. They must also adhere to selected provisions of the HIPAA Security Rule, such as the setting up of administrative, technical and physical controls to ensure the confidentiality, integrity, and availability of PHI.
Business associates, under the HITECT Act, now refers to all individuals who access PHI, including subcontractors of business associates. The HITECH Act requires business associates to sign a BAA with their subcontractors. Business associates are directly accountable for HIPAA violations and may be fined for breaking HIPAA Rules.
Penalties for HIPAA violations increased
Business associates can be fined directly for HIPAA violations, but so too can HIPAA-covered entities for business associates’ HIPAA violations. The HITECH Act mandated the HHS to look into reported breaches and complaints to figure out if HIPAA Rules had been willfully violated.
The HITECH Act also changed the penalty structure for violations of HIPAA. Penalties can be issued even if the covered entity or business associate did not know about the HIPAA violation, if, with reasonable due diligence, they should have been aware that HIPAA Rules were being violated. Further, if a violation was remedied within 30 days, and did not involve willful neglect of HIPAA Rules, financial penalties will be avoided.
Patients now have the option to get health and medical records in digital format
Under the HIPAA Privacy Rule, patients and health plan members have the right to get copies of their PHI. Under the HITECH Act, the option of getting copies of health and medical records in digital form was made available. That is, if the covered entity keeps such records in electronic form and copies can be readily produced in that format.
HITECH likewise disallowed the selling of PHI except under certain circumstances, and closed the marketing loophole by barring providers from getting paid for treatment recommendations.
HITECH changes on breach notifications
The HITECH Act introduced a new requirement for sending notifications to persons whose electronic protected health information (ePHI) was compromised in a security breach. There’s also a broadened definition of breach, which includes the unauthorized acquisition, viewing, use or sharing of unsecured PHI that jeopardizes the security of PHI.
These updates affected the HIPAA Breach Notification Rule which instructs HIPAA covered entities to send breach notices to affected persons when there is a substantial risk of monetary, reputational or other form of damage. Those notifications must be sent without unnecessary delay and no later than 60 days after the breach is discovered.
The Department of Health and Human Services’ Office for Civil Rights must also be advised about any breaches of more than 500 records within 60 days. Small breaches need to be reported to OCR as well, but they have 60 days from the end of the calendar year when the breach was identified.