
What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The relationship between HITECH, HIPAA, and electronic health and medical records is primarily that certain provisions of the HITECH Act amended HIPAA to support the Meaningful Use of electronic health and medical record adoption. A second relationship between HITECH, HIPAA, and electronic health and medical records is that HITECH was responsible for introducing the Breach Notification Rule into HIPAA, which shifted the burden of proof following a breach of unsecured PHI: rather than the regulator having to demonstrate that harm had occurred, the organization must now demonstrate that it had not.

What is the Relationship Between HITECH and HIPAA and Medical Records?

There is a strong relationship between HITECH and HIPAA as Title II of HIPAA includes the administrative simplification provisions that led to the development of the Privacy and Security Rules, while one of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives for making the transition from paper to digital records.

In order to enable the increased adoption of electronic health and medical records and keep the data maintained in these systems secure, the HITECH Act strengthened the HIPAA Privacy and Security Rules, required Business Associates to comply with the HIPAA Security Rule, and introduced the Breach Notification Rule – with increased financial penalties for those who failed to comply.

How did the HITECH Act Change HIPAA?

The HITECH Act made several changes to HIPAA and introduced new requirements for HIPAA-covered entities with notable changes for business associates. Some of the key updates to HIPAA by HITECH are detailed below:


Business Associates Directly Accountable for HIPAA Violations

The HITECH Act required business associates of HIPAA covered entities to enter into a business associate agreement (BAA) with HIPAA-covered entities and agree not to disclose PHI other than for reasons permitted by the HIPAA Privacy Rule. They were also required to adhere to provisions of the HIPAA Security Rule, including the implementation of administrative, physical, and technical controls to safeguard the confidentiality, integrity, and availability of ePHI.

The definition of business associate was also expanded to include all organizations that perform a service for or on behalf of a Covered Entity that involves a disclosure of PHI. The HITECH Act required business associates to enter into a BAA with their subcontractors and made business associates directly accountable for HIPAA violations – potentially resulting in financial penalties for violating HIPAA Rules.

Increased Penalties for HIPAA Violations

In addition to fines for business associates, HIPAA-covered entities could also be fined for business associate violations if it transpired that a breach of unsecured PHI could have been avoided had the covered entity conducted reasonable and appropriate due diligence and ensured adequate protections were in place before disclosing PHI to the business associate. This includes ensuring the business associate provides appropriate HIPAA training to all members of the workforce.

The penalty structure for HIPAA violations was also amended by HITECH. Prior to HITECH, the only time a financial penalty could be issued by HHS' Office for Civil Rights was if the agency could prove a breach of unsecured PHI was attributable to willful neglect. Subsequent to HITECH, a four-tier penalty structure is used to determine the minimum and maximum penalties for violations of HIPAA. Once adjusted for inflation, these penalties are now:

Level of Culpability                          Minimum Penalty     Maximum Penalty     Annual Penalty
                                              per Violation Type  per Violation Type  Limit
------------------------------------------------------------------------------------------------
Lack of Knowledge                             $141                $35,581             $35,581
Lack of Oversight                             $1,424              $71,162             $142,355
Willful Neglect                               $14,232             $71,162             $355,808
Willful Neglect not Corrected within 30 days  $71,162             $2,134,831          $2,134,831

Workforce Penalties for the Misuse of PHI

The HITECH Act did not only increase the fines that could be imposed on covered entities and business associates for HIPAA violations. It also clarified that workforce members could face civil and criminal consequences for the wrongful disclosure of individually identifiable health information under §1177 of the Social Security Act.

This clause of the Social Security Act not only applies to workforce members who deliberately and knowingly misuse PHI for their own personal benefit, it also applies to workforce members who disclose individually identifiable health information to another person without authorization. Depending on the motive and whether or not the violation is committed under false pretenses, the penalties for violating §1177 of the Social Security Act can be a fine of up to $250,000 and imprisonment for up to ten years.

Patients Given Option of Obtaining Health and Medical Records in Electronic Form

While the HIPAA Privacy Rule gave patients and health plan members the right to obtain copies of their PHI, the HITECH Act extended those rights to include the option of being provided with copies of health and medical records in electronic form, if the Covered Entity maintains health and medical records in electronic form and the information is readily producible in that format.

Covered Entities are also required to maintain an "accounting of disclosures" so patients can see who their PHI has been disclosed to, what it has been used for, and why. This was in addition to changes to other patients' rights which allowed them to access and correct PHI held by a Business Associate as well as a Covered Entity.

HITECH, HIPAA, and Breach Notifications

The HITECH Act introduced a new requirement for issuing notifications to individuals whose protected health information is exposed in a security breach if the information was not secured (i.e., by encryption). The definition of a breach was also broadened to include any unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromised the security or privacy of that information.

These updates formed the basis for the HIPAA Breach Notification Rule which requires HIPAA covered entities to send notifications to affected individuals if there is a significant risk of financial, reputational, or other harm as a result of a breach. Those notifications need to be issued without unnecessary delay and no later than 60 days following the discovery of a breach.

The Department of Health and Human Services’ Office for Civil Rights must also be notified of data breaches within the same time frame if the breach impacts 500 or more individuals. Smaller data breaches must also be reported to OCR, but within 60 days of the end of the calendar year in which the breach was discovered.

HITECH Act Frequently Asked Questions (FAQs)

Why is the HITECH Act important?

The HITECH Act is important because it addresses gaps identified in the existing HIPAA Rules and gives the Department of Health & Human Services (HHS) more powers to enforce HIPAA. It also introduces accountability for Business Associates and vendors of personal health devices, who – in addition to HHS sanctions – can now be subject to civil and criminal penalties for data breaches.

What is the purpose of the HITECH Act?

The primary purpose of the HITECH Act is to improve the quality, safety, and efficiency of healthcare by expanding the adoption of health information technology to facilitate (among other things) Health Information Exchanges. The measures included in the Act to make the enforcement of HIPAA more effective are there to ensure the adoption of health information technology is compliant with the HIPAA Privacy and Security Rules.

What are the goals of the HITECH Act?

The goals of the HITECH Act are to improve the quality, safety, and efficiency of healthcare in a HIPAA-compliant manner. The Act aims to achieve its goals by improving care coordination, reducing disparities in the ways healthcare is administered, engaging patients and their families in the decision-making process, and improving the public health by laying the foundations for a Nationwide Health Information Network.

How does the HITECH Act affect HIPAA?

The HITECH Act affects HIPAA in a number of ways. Among them are the introduction of the Breach Notification Rule, the inclusion of Business Associates among those who can be held accountable for data breaches, and the powers given to HHS to facilitate enforcement action. It is important to note that, although HITECH mostly focuses on information technology, HHS can still take enforcement action against a covered entity or business associate when a breach unrelated to technology occurs.

Who does the HITECH Act apply to?

The HITECH Act applies to healthcare organizations and medical practices that benefit from the Medicare and Medicaid programs (in respect of expanding the adoption of health information technology). In respect of the enhanced security and privacy provisions of HIPAA, the HITECH Act applies to Covered Entities and Business Associates. However, software developers and vendors of personal health devices are also required to comply with HITECH – their compliance is monitored by the Federal Trade Commission (FTC).

What is the relationship between HITECH and HIPAA with regards to medical records?

The relationship between HITECH and HIPAA with regards to medical records is that HIPAA’s administrative simplification provisions led to the development of the Privacy and Security Rules. The HITECH Act aimed to encourage the adoption of electronic health and medical records, providing financial incentives for the transition from paper to digital. The HITECH Act strengthened the HIPAA Privacy and Security Rules to account for the transition and introduced the Breach Notification Rule.

How did the HITECH Act change HIPAA?

The HITECH Act changed HIPAA by making Business Associates directly accountable for HIPAA violations, increasing penalties for HIPAA violations, and giving patients the option to obtain their health and medical records in electronic form. Additionally, the HITECH Act introduced the Breach Notification Rule – which, among other provisions, reversed the burden of proof from OCR (to prove that a breach had occurred) to organizations (to prove a breach had not occurred).

How did the HITECH Act change the penalty structure for HIPAA violations?

The HITECH Act changed the penalty structure for HIPAA violations by introducing a four-tier penalty structure that determined minimum and maximum penalties based on the level of culpability. Previously, HHS’ Office for Civil Rights could only pursue civil monetary penalties if the agency could demonstrate a willful neglect of HIPAA compliance.

What right did the HITECH Act give patients in relation to their medical records?

The HITECH Act gave patients the right to obtain copies of their health and medical records in electronic form provided the covered entity maintained such records electronically and the information was readily producible in the requested format. This change to patients' rights paved the way for CMS' subsequent Interoperability Rules, which allow patients to access PHI via an application of their choice.

What was the purpose of the HITECH Act with regards to electronic health records?

The purpose of the HITECH Act with regards to electronic health records was to incentivize the adoption of electronic health records via the Meaningful Use program. The changes to Privacy and Security Rules – and the introduction of the Breach Notification Rule – came about because it was felt the incentivization program would lead to more PHI being transmitted electronically and that further controls were necessary to prevent unauthorized disclosures of electronic PHI.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
