HIPAA and HITECH
The relationship between HIPAA and HITECH began in 2009 with the American Recovery and Reinvestment Act. Title XIII of the American Recovery and Reinvestment Act – the Health Information Technology for Economic and Clinical Health Act (HITECH) – set aside funds for the creation of a nationwide network of electronic health records and signaled the start of the Meaningful Use program.
As the Meaningful Use program incentivized healthcare providers to adopt technology in the provision of healthcare, HITECH had to take into account the HIPAA Privacy and Security Rules. Subtitle D of HITECH consequently addresses concerns about the electronic storage and transmission of medical records and introduces measures for the effective enforcement of HIPAA.
Subsequent updates to both HIPAA and HITECH frequently take each other’s regulations into account. For example, the HITECH Act 2009 strengthened the civil and criminal enforcement of HIPAA and established breach notification rules for Business Associates. The HIPAA Final Omnibus Rule 2013 expanded the Business Associate Breach Notification Rules by extending their criteria.
HIPAA and HITECH Act 2009: Enforcement
The most significant changes to HIPAA in the HITECH Act 2009 related to the Enforcement and Breach Notification Rules. Prior to HITECH, financial penalties for non-compliance with HIPAA were minor ($100 per violation up to a maximum of $25,000). Few fines were issued by the Office for Civil Rights (OCR) due to a lack of resources to investigate unauthorized disclosures of Protected Health Information (PHI).
The introduction of “violation tiers” plus increased financial penalties meant it was no longer cheaper for Covered Entities to pay the fines rather than go through the process of becoming HIPAA compliant. The increased value of the fines (from $100 to $50,000 per violation up to a maximum of $1.5 million) gave the OCR more resources to pursue non-compliant Covered Entities and enforce HIPAA.
HIPAA and HITECH Act 2009: Breach Notification
Since the passage of HIPAA in 1996, Business Associates had a contractual obligation to maintain the integrity of PHI, but no legal requirement. With the passage of the HITECH Act 2009, Business Associates have the same legal requirement to comply with HIPAA and HITECH as Covered Entities, and must inform the Covered Entity of any unauthorized disclosure of PHI.
The HIPAA Breach Notification Rule requires Covered Entities to notify individuals, OCR, and – in some cases – the media of an unauthorized disclosure of PHI. Notifications must be provided within sixty days of the discovery of a breach or when it is reported to the Covered Entity by the Business Associate. The exception to the sixty-day rule is when a breach affects fewer than 500 individuals.
The Difference between HIPAA and HITECH
The difference between HIPAA and HITECH is subtle. Both Acts address the security of electronic Protected Health Information (ePHI), and measures within HITECH support the effective enforcement of HIPAA – most notably the Breach Notification Rule and the HIPAA Enforcement Rule. However, there is a difference between HIPAA and HITECH with regard to patients’ rights.
Prior to HITECH, patients were unable to find out to whom their ePHI had been disclosed (covering both authorized disclosures and, where known, unauthorized ones). In 2011, the Department of Health & Human Services published a HITECH-required Rule that allows patients to request access reports. These reports explain to patients who accessed and viewed their ePHI and under what authority.
HIPAA vs HITECH: Which is Most Important?
When it comes to “HIPAA vs HITECH”, neither Act is more important than the other. Covered Entities and Business Associates (since the HITECH Act 2009) have to comply with both Acts if they create, use, transmit or store Protected Health Information. What the HITECH Act 2009 effectively did was give OCR the powers to enforce the Breach Notification Rule and extend it to Business Associates.
Therefore, if your business is a Covered Entity or Business Associate and it is not up to speed with the requirements of both Acts, it is recommended that the business undergo HIPAA HITECH training. OCR can issue fines for non-compliance with either Act even if there is no breach of PHI or unauthorized disclosure. A lack of knowledge about HIPAA vs HITECH is not an acceptable excuse.
What Does HIPAA HITECH Training Consist Of?
There is no set HIPAA HITECH training prescribed by OCR. In order to be compliant with HIPAA and HITECH, each individual Covered Entity and Business Associate will have to conduct risk assessments to determine where gaps in their compliance efforts exist. HIPAA Security Rule risk assessments are now also a condition of acceptance in the Meaningful Use program.
Employees of Covered Entities and Business Associates are required by law to have annual HIPAA HITECH training. Most authorities believe HIPAA HITECH training should be more tailored to individual employees’ roles and their access to PHI. It is also recommended that training is conducted more frequently than once a year due to the complexities of HIPAA and HITECH Act regulations.
Find Out More about HIPAA and HITECH
If you are unsure about whether your business is subject to HIPAA and HITECH Act regulations, or what rules from each apply to your business operations, you are invited to download and read our free “HIPAA Compliance Guide” – a helpful booklet that outlines the key points of HIPAA and HITECH Act regulations in order to help Covered Entities and Business Associates achieve compliance with both.
Our guide explains more about the HIPAA Enforcement Rule and the HIPAA Breach Notification Rule and to whom they apply. Ideally, this information will help you determine if your business requires HIPAA HITECH training. One section that should not be overlooked is the structure of financial penalties for HIPAA breaches and the ten HIPAA breach costs businesses need to be aware of.