HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA and HITECH

The relationship between HIPAA and HITECH began in 2009 with the American Recovery and Reinvestment Act. Division A Title XIII and Division B Title IV of the American Recovery and Reinvestment Act – together known to as the Health Information Technology for Economic and Clinical Health Act (HITECH) – set aside funds for the creation of a nationwide network of Health Information Exchanges and signaled the start of the Meaningful Use program.

As the Meaningful Use program incentivized healthcare providers to adopt technology in the provision of healthcare, HITECH had to take into account the HIPAA Privacy and Security Rules. Subtitle D of HITECH consequently addresses concerns about the electronic transmission and storage of medical records, strengthens existing Privacy and Security Rule provisions and introduces measures for the effective enforcement of HIPAA.

Subsequent updates to both HIPAA and HITECH frequently take each other’s regulations into account. For example, the HITECH Act 2009 strengthened the civil and criminal enforcement of HIPAA by enabling State Attorney Generals to pursue cases for HIPAA violations on behalf of citizens and established the HIPAA Breach Notification Rule. The HIPAA Final Omnibus Rule 2013 expanded the Business Associate Breach Notification Rules by extending their criteria.

HIPAA and HITECH Act 2009: Enforcement

The most significant changes to HIPAA in the HITECH Act 2009 related to the Enforcement and Breach Notification Rules. Prior to HITECH, financial penalties for non-compliance with HIPAA were minor ($100 per violation up to a maximum of $25,000). Few fines were issued by the Office for Civil Rights (OCR) due to a lack of resources to investigate unauthorized uses and disclosures of Protected Health Information (PHI) and the failure to respond to patient access requests.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The introduction of “violation tiers” plus increased financial penalties meant it was no longer cheaper for Covered Entities to pay the fines rather than go through the process of becoming HIPAA compliant. The increased value of the fines (from $100 to $50,000 per violation up to a maximum of $1.5 million – subsequently adjusted for inflation) gave the OCR more resources to pursue non-compliant Covered Entities and enforce HIPAA.

What is the HITECH Act - Financial penalties for Violations of HIPAA 2022

However, as a further incentive for Covered Entities and Business Associates to take their compliance obligations seriously, an amendment to the HITECH Act in 2021 gave the Department of Health and Human Services´ Office for Civil Rights (OCR) the discretion to waive or reduce the financial penalties for HIPAA violations if it could be demonstrated that the offending party had implemented a recognized security framework prior to a data breach or other security-related violation.

HIPAA and HITECH Act 2009: Breach Notification

Since the passage of HIPAA in 1996, Business Associates had a contractual obligation to maintain the integrity of PHI, but no legal requirement. With the passage of the HITECH Act 2009, Business Associates now had the same legal requirement to comply with HIPAA and HITECH as Covered Entities, and are now required to inform the Covered Entity who has shared PHI with them of any unauthorized disclosures.

The HIPAA Breach Notification Rule requires Covered Entities to notify individuals, OCR, and – in some cases – the media of an unauthorized disclosure of PHI. Notifications must be provided within sixty days of the discovery of a breach or when it is reported to the Covered Entity by the Business Associate. The exception to the sixty-day rule is when a breach affects fewer than 500 individuals.

What is the Difference between HIPAA and HITECH?

The difference between HIPAA and HITECH is subtle. Both Acts address the security of electronic Protected Health Information (ePHI) and measures within HITECH support the effective enforcement of HIPAA – most notably the Breach Notification Rule and the HIPAA Enforcement Rule. However, there is a difference between HIPAA and HITECH with regards to patients´ rights.

Prior to HITECH, patients were unable to find out who their ePHI had been disclosed to (both authorized and unauthorized where known). In 2011, the Department of Health & Human Services published a HITECH-required Rule that allows patients to request access reports. These reports explain to patients who accessed and viewed their ePHI and under what authority.

HIPAA vs HITECH: Which is Most Important?

When it comes to “HIPAA vs HITECH”, neither Act is more important than the other. Covered Entities and Business Associates (since the HITECH Act 2009) have to comply with both Acts if they create, use, transmit or store Protected Health Information. What the HITECH Act 2009 effectively did for HIPAA was give OCR the powers to enforce the Breach Notification Rule and extend it to Business Associates.

Therefore, if your business is a Covered Entity or Business Associate, and it is not up to speed with the requirements of both Acts, it is recommended the business undergoes HIPAA HITECH training. OCR can issue fines for non-compliance with either Act even if there is no breach of PHI or unauthorized disclosure. A lack of knowledge about HIPAA vs HITECH is not an acceptable excuse.

What Does HIPAA HITECH Training Consist Of?

There is no set HIPAA HITECH training prescribed by OCR and, in order to be compliant with HIPAA and HITECH, each individual Covered Entity and Business Associate will have to conduct risk assessments in order to determine where gaps in their compliance efforts exist. HIPAA Security Rule risk assessments are now also a condition of acceptance in the Meaningful Use program.

Covered Entities and Business Associates are required by law to provide training to members of their workforces. Covered Entities have to train members of their workforces on policies and procedures developed to comply with the Privacy Rule, while both Covered Entities and Business Associates are required to provide an ongoing security and awareness program to all members of their workforces – even if some members of the workforce have no interaction with PHI.

HIPAA and HITECH Privacy and Security Rules

In conclusion, it is sometimes stated that Business Associates only have to comply with the HIPAA Security Rule. That´s not the case. Since the passage of HITECH and the amendments to HIPAA introduced by the Final Omnibus Rule, Business Associates have to comply with the HIPAA Security Rule, the Breach Notification Rule, and the patients´ rights provisions of the HIPAA Privacy Rule.

It may also be the case that organizations not covered by HIPAA are subject to the Breach Notification Rule. Vendors of Personal Health Records (PHRs), PHR-related entities, and third party service providers are required to report disclosures of unsecured PHI to the Federal Trade Commission, and therefore it is advisable that any organization with access to PHI is aware of the HIPAA and HITECH Privacy and Security Rules.

Find Out More about HIPAA and HITECH

If you are unsure about whether your business is subject to HIPAA and HITECH Act regulations, or what rules from each apply to your business operations, you are invited to download and read our free “HIPAA Compliance Guide” – a helpful booklet that outlines the key points of HIPAA and HITECH Act regulations in order to help Covered Entities and Business Associates achieve compliance with both.

Our guide explains more about the HIPAA Enforcement Rule and HIPAA Breach Notification Rule and who it applies to. Ideally, this information will help you determine if your business requires HIPAA HITECH training. One section that should not be overlooked is the structure of financial penalties for breach HIPAA and the ten HIPAA breach costs businesses need to be aware of.

HIPAA and HITECH FAQS

What are the four violation tiers for non-compliance with HIPAA?

The four violation tiers relate to the level of culpability following a HIPAA violation. They range from violations that realistically could not have been avoided with a reasonable amount of care to willful neglect where no attempt has been made to correct the violation. Each tier has its own minimum and maximum penalty range, which is adjusted each year to account for inflation. You can find out more information about the violation tiers and their respective penalties in this article.

Can Covered Entities be fined even when no data breach has occurred?

Although the Office for Civil Rights prefers to resolve HIPAA violations with corrective action when no data breach has occurred, the agency has recently cracked down on Covered Entities that fail to provide patients with access to their PHI within the 60 days allowed. In November 2020, the University of Cincinnati was fined $65,000 for the failure to provide timely access to patient records. This was the twelfth financial penalty in 2020 for right of access failures.

Which report allows patients to know who accessed and viewed their ePHI?

Under HIPAA, patients can request an “Accounting of Disclosures” report which lists any disclosures made to third parties over the previous six years for purposes other than treatments, payments, or operations. This list can include (but is not limited to) disclosures made to public health agencies, law enforcement officers, workers´ compensation programs, and coroners. Many states have additional requirements for what can be included in an accounting of disclosures document.

What HIPAA HITECH training are employees required to have by law?

Employee training is covered by 45 CFR § 164.530 and 45 CFR § 164.308. Respectively these standards stipulate staff must be trained on HIPAA policies and procedures, and that all members of the workforce must undergo security and awareness training. It is recommended by compliance professionals that refresher training is provided at least annually on HIPAA policies and procedures, while security and awareness training should be an ongoing program.

How is it possible to tailor HIPAA HITECH training to individual employees´ roles?

Although it may be impractical to tailor training to each individual´s role in a large organization, groups of employees with similar roles can be trained on common policies and procedures. For example, employees with public-facing roles should be trained on policies relating to the minimum necessary standard and patients´ rights, while office-based employees should receive training to reduce susceptibility to phishing and other online threats.