The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996 and led to the development of the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records?
What is the Relationship Between HITECH and HIPAA and Medical Records?
Title I of HIPAA is concerned with the portability of health insurance and with protecting the rights of workers between jobs so that health insurance coverage is maintained; it has nothing to do with the HITECH Act. However, there is a strong relationship between HITECH and HIPAA Title II. Title II of HIPAA includes the administrative provisions, patient privacy protections, and security controls for health and medical records and other forms of protected health information (PHI).
One of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives for making the transition from paper to digital records. The HITECH Act also strengthened the HIPAA Privacy and Security Rules with respect to electronic health and medical records.
The HITECH Act required the Secretary of the HHS to ensure guidance was issued annually to covered entities and business associates to help them implement appropriate technical safeguards to ensure the confidentiality, integrity, and availability of PHI. The technologically neutral nature of HIPAA had led to confusion about how best to protect PHI.
How did the HITECH Act Change HIPAA?
The HITECH Act made several changes to HIPAA and introduced new requirements for HIPAA-covered entities with notable changes for business associates. Some of the key updates to HIPAA by HITECH are detailed below:
Business Associates Directly Accountable for HIPAA Violations
The HITECH Act required business associates of HIPAA covered entities to enter into a business associate agreement (BAA) with HIPAA-covered entities and agree not to disclose PHI other than for reasons permitted by the HIPAA Privacy Rule. They were also required to agree to adhere to certain provisions of the HIPAA Security Rule, including the implementation of administrative, physical, and technical controls to safeguard the confidentiality, integrity, and availability of PHI.
The definition of business associate was also expanded to include all persons who receive PHI and subcontractors of business associates. The HITECH Act required business associates to enter into a BAA with their subcontractors. Business associates were made directly accountable for HIPAA violations and could be penalized financially for violating HIPAA Rules.
Increased Penalties for HIPAA Violations
In addition to fines for business associates, HIPAA-covered entities could also be fined for violations of HIPAA Rules by their business associates. The HITECH Act also required the HHS to investigate breaches and complaints to determine if there had been willful violations of HIPAA Rules.
The penalty structure for HIPAA violations was also amended by HITECH. HITECH allowed penalties to be issued for HIPAA violations that occurred without the knowledge of the covered entity or business associate if the covered entity/business associate should have been aware that HIPAA was violated by exercising reasonable due diligence. However, the HITECH Act prohibited the issuing of financial penalties if a violation was corrected within 30 days, provided the violation was not due to willful neglect.
Patients Given Option of Obtaining Health and Medical Records in Electronic Form
While the HIPAA Privacy Rule gave patients and health plan members the right to obtain copies of their PHI, the HITECH Act extended those rights to include the option of being provided with copies of health and medical records in electronic form, provided the covered entity maintains health and medical records electronically and the information is readily producible in that format.
HITECH also prohibited the sale of PHI except in limited circumstances and closed the marketing loophole, prohibiting providers from receiving compensation in return for making treatment recommendations.
HITECH, HIPAA, and Breach Notifications
The HITECH Act introduced a new requirement for issuing notifications to individuals whose electronic protected health information was exposed in a security breach if the information was not encrypted. The definition of a breach was also broadened to include any unauthorized acquisition, access, use or disclosure of unsecured PHI which compromised the security or privacy of that information.
These updates formed the basis for the HIPAA Breach Notification Rule which requires HIPAA covered entities to send notifications to affected individuals if there is a significant risk of financial, reputational or other harm as a result of a breach. Those notifications need to be issued without unnecessary delay and no later than 60 days following the discovery of a breach.
The Department of Health and Human Services’ Office for Civil Rights must also be notified of breaches within the same time frame if the breach impacts 500 or more individuals. Small breaches must also be reported to OCR, but within 60 days of the end of the calendar year in which the breach was discovered.
HITECH Act Frequently Asked Questions (FAQs)
Why is the HITECH Act important?
In terms of HIPAA compliance, the HITECH Act is important because it addresses loopholes in the original legislation and gives the Department of Health & Human Services (HHS) more powers to enforce HIPAA. It also introduces accountability for Business Associates and vendors of personal health devices, who – in addition to HHS sanctions – can now be subject to civil and criminal penalties for data breaches.
What is the purpose of the HITECH Act?
The primary purpose of the HITECH Act is to improve the quality, safety, and efficiency of healthcare by expanding the adoption of health information technology. The measures included in the Act to make the enforcement of HIPAA more effective are there to ensure the adoption of health information technology is compliant with the HIPAA Privacy and Security Rules.
What are the goals of the HITECH Act?
The HITECH Act has several goals. By improving the quality, safety, and efficiency of healthcare in a HIPAA-compliant manner, the Act aims to improve care coordination, reduce disparities in the ways healthcare is administered, engage patients and their families in the decision-making process, and improve the public health by laying the foundations for a Nationwide Health Information Network.
How does the HITECH Act affect HIPAA?
The three most significant ways in which the HITECH Act affects HIPAA are the introduction of the Breach Notification Rule, the inclusion of Business Associates among those who can be held accountable for data breaches, and the powers given to HHS to facilitate enforcement action. It is important to note that, although HITECH mostly focuses on information technology, HHS can still take enforcement action against a Covered Entity or Business Associate when a breach unrelated to technology occurs.
Who does the HITECH Act apply to?
In respect of expanding the adoption of health information technology, the HITECH Act applies to healthcare organizations and medical practices that benefit from the Medicare and Medicaid programs. In respect of the enhanced security and privacy provisions of HIPAA, the HITECH Act applies to Covered Entities, Business Associates, and software developers and/or vendors of personal health devices.