HIPAA and HITECH
The relationship between HIPAA and HITECH began in 2009 with the American Recovery and Reinvestment Act. Title XIII of the American Recovery and Reinvestment Act – the Health Information Technology for Economic and Clinical Health Act (HITECH) – set aside funds for the creation of a nationwide network of electronic health records and signaled the start of the Meaningful Use program.
As the Meaningful Use program incentivized healthcare providers to adopt technology in the provision of healthcare, HITECH had to take into account the HIPAA Privacy and Security Rules. Subtitle D of HITECH consequently addresses concerns about the electronic storage and transmission of medical records and introduces measures for the effective enforcement of HIPAA.
Subsequent updates to both HIPAA and HITECH frequently take each other’s regulations into account. For example, the HITECH Act 2009 strengthened the civil and criminal enforcement of HIPAA and established breach notification rules for Business Associates. The HIPAA Final Omnibus Rule 2013 expanded the Business Associate Breach Notification Rules by extending their criteria.
HIPAA and HITECH Act 2009: Enforcement
The most significant changes to HIPAA in the HITECH Act 2009 related to the Enforcement and Breach Notification Rules. Prior to HITECH, financial penalties for non-compliance with HIPAA were minor ($100 per violation up to a maximum of $25,000). Few fines were issued by the Office for Civil Rights (OCR) due to a lack of resources to investigate unauthorized disclosures of Protected Health Information (PHI).
The introduction of “violation tiers” plus increased financial penalties meant it was no longer cheaper for Covered Entities to pay the fines rather than go through the process of becoming HIPAA compliant. The increased value of the fines (from $100 to $50,000 per violation up to a maximum of $1.5 million) gave the OCR more resources to pursue non-compliant Covered Entities and enforce HIPAA.
HIPAA and HITECH Act 2009: Breach Notification
Since the passage of HIPAA in 1996, Business Associates had a contractual obligation to maintain the integrity of PHI, but no legal requirement. With the passage of the HITECH Act 2009, Business Associates became subject to the same legal requirement to comply with HIPAA and HITECH as Covered Entities, and are now required to inform the Covered Entity of any unauthorized disclosure of PHI.
The HIPAA Breach Notification Rule requires Covered Entities to notify individuals, OCR, and – in some cases – the media of an unauthorized disclosure of PHI. Notifications must be provided within sixty days of the discovery of a breach or when it is reported to the Covered Entity by the Business Associate. The exception to the sixty-day rule is when a breach affects fewer than 500 individuals.
The Difference between HIPAA and HITECH
The difference between HIPAA and HITECH is subtle. Both Acts address the security of electronic Protected Health Information (ePHI), and measures within HITECH support the effective enforcement of HIPAA – most notably the Breach Notification Rule and the HIPAA Enforcement Rule. However, there is a difference between HIPAA and HITECH with regard to patients' rights.
Prior to HITECH, patients were unable to find out to whom their ePHI had been disclosed (covering both authorized disclosures and, where known, unauthorized ones). In 2011, the Department of Health & Human Services published a HITECH-required Rule that allows patients to request access reports. These reports explain to patients who accessed and viewed their ePHI and under what authority.
HIPAA vs HITECH: Which Is More Important?
When it comes to “HIPAA vs HITECH”, neither Act is more important than the other. Covered Entities and Business Associates (since the HITECH Act 2009) have to comply with both Acts if they create, use, transmit or store Protected Health Information. What the HITECH Act 2009 effectively did was give OCR the powers to enforce the Breach Notification Rule and extend it to Business Associates.
Therefore, if your business is a Covered Entity or Business Associate and it is not up to speed with the requirements of both Acts, it is recommended that the business undergo HIPAA HITECH training. OCR can issue fines for non-compliance with either Act even if there has been no breach of PHI or unauthorized disclosure. A lack of knowledge about HIPAA vs HITECH is not an acceptable excuse.
What Does HIPAA HITECH Training Consist Of?
There is no set HIPAA HITECH training prescribed by OCR. In order to be compliant with HIPAA and HITECH, each individual Covered Entity and Business Associate has to conduct risk assessments to determine where gaps in its compliance efforts exist. HIPAA Security Rule risk assessments are now also a condition of acceptance into the Meaningful Use program.
Employees of Covered Entities and Business Associates are required by law to have HIPAA HITECH training. Most authorities believe HIPAA HITECH training should be tailored to individual employees' roles and their level of access to PHI. It is also recommended that training be conducted more frequently than once a year because of the complexity of the HIPAA and HITECH Act regulations.
Find Out More about HIPAA and HITECH
If you are unsure about whether your business is subject to HIPAA and HITECH Act regulations, or what rules from each apply to your business operations, you are invited to download and read our free “HIPAA Compliance Guide” – a helpful booklet that outlines the key points of HIPAA and HITECH Act regulations in order to help Covered Entities and Business Associates achieve compliance with both.
Our guide explains more about the HIPAA Enforcement Rule and the HIPAA Breach Notification Rule and to whom they apply. Ideally, this information will help you determine whether your business requires HIPAA HITECH training. One section that should not be overlooked is the structure of financial penalties for breaching HIPAA and the ten HIPAA breach costs businesses need to be aware of.
HIPAA and HITECH FAQS
What are the four violation tiers for non-compliance with HIPAA?
The four violation tiers relate to the level of culpability following a HIPAA violation. They range from violations that realistically could not have been avoided with a reasonable amount of care to willful neglect where no attempt has been made to correct the violation. Each tier has its own minimum and maximum penalty range, which is adjusted each year to account for inflation. You can find out more information about the violation tiers and their respective penalties in this article.
Can Covered Entities be fined even when no data breach has occurred?
Although the Office for Civil Rights prefers to resolve HIPAA violations with corrective action when no data breach has occurred, the agency has recently cracked down on Covered Entities that fail to provide patients with access to their PHI within the 60 days allowed. In November 2020, the University of Cincinnati was fined $65,000 for failing to provide timely access to patient records. This was the twelfth financial penalty in 2020 for right of access failures.
Which report allows patients to know who accessed and viewed their ePHI?
Under HIPAA, patients can request an "Accounting of Disclosures" report, which lists any disclosures made to third parties over the previous six years for purposes other than treatment, payment, or operations. This list can include (but is not limited to) disclosures made to public health agencies, law enforcement officers, workers' compensation programs, and coroners. Many states have additional requirements for what must be included in an accounting of disclosures document.
What HIPAA HITECH training are employees required to have by law?
Employee training is covered by 45 CFR § 164.530 and 45 CFR § 164.308. Respectively, these standards stipulate that staff must be trained on HIPAA policies and procedures, and that all members of the workforce must undergo security awareness training. Compliance professionals recommend that refresher training on HIPAA policies and procedures be provided at least annually, while security awareness training should be an ongoing program.
How is it possible to tailor HIPAA HITECH training to individual employees' roles?
Although it may be impractical to tailor training to each individual's role in a large organization, groups of employees with similar roles can be trained on common policies and procedures. For example, employees in public-facing roles should be trained on policies relating to the minimum necessary standard and patients' rights, while office-based employees should receive training that reduces their susceptibility to phishing and other online threats.