What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996 and led to the development of the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records?

What is the Relationship Between HITECH and HIPAA and Medical Records?

There is a strong relationship between HITECH and HIPAA as Title II of HIPAA includes the administrative simplification provisions that led to the development of the Privacy and Security Rules, while one of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives for making the transition from paper to digital records.

In order to enable the increased adoption of electronic health and medical records and keep the data maintained in those records secure, the HITECH Act strengthened the HIPAA Privacy and Security Rules, required Business Associates to comply with the HIPAA Security Rule, and introduced the Breach Notification Rule – with increased financial penalties for those who failed to comply.

How did the HITECH Act Change HIPAA?

The HITECH Act made several changes to HIPAA and introduced new requirements for HIPAA-covered entities with notable changes for business associates. Some of the key updates to HIPAA by HITECH are detailed below:

Business Associates Directly Accountable for HIPAA Violations

The HITECH Act required business associates of HIPAA-covered entities to enter into a business associate agreement (BAA) with those covered entities and agree not to disclose PHI other than for reasons permitted by the HIPAA Privacy Rule. They were also required to agree to adhere to certain provisions of the HIPAA Security Rule, including the implementation of administrative, physical, and technical controls to safeguard the confidentiality, integrity, and availability of PHI.

The definition of business associate was also expanded to include all persons who receive PHI and subcontractors of business associates. The HITECH Act required business associates to enter into a BAA with their subcontractors. Business associates were made directly accountable for HIPAA violations and could be penalized financially for violating HIPAA Rules.

Increased Penalties for HIPAA Violations

In addition to fines for business associates, HIPAA-covered entities could also be fined for violations of HIPAA Rules by their business associates. The HITECH Act also required HHS to investigate breaches and complaints to determine if there had been willful violations of HIPAA Rules.

The penalty structure for HIPAA violations was also amended by HITECH. HITECH allowed penalties to be issued for HIPAA violations that occurred without the knowledge of the covered entity or business associate if the covered entity/business associate should have been aware that HIPAA was violated by exercising reasonable due diligence. However, the HITECH Act prohibited the issuing of financial penalties if a violation was corrected within 30 days, provided the violation was not due to willful neglect.

Patients Given Option of Obtaining Health and Medical Records in Electronic Form

While the HIPAA Privacy Rule gave patients and health plan members the right to obtain copies of their PHI, the HITECH Act extended those rights to include the option of being provided with copies of health and medical records in electronic form, if the Covered Entity maintains health and medical records in electronic form and the information is readily producible in that format.

Additionally, Covered Entities were required to maintain an “accounting of disclosures” so patients could see who their PHI had been disclosed to, what it had been used for, and why. This was in addition to changes to other patients’ rights which allowed them to access and correct PHI held by a Business Associate as well as a Covered Entity.

HITECH, HIPAA, and Breach Notifications

The HITECH Act introduced a new requirement for issuing notifications to individuals whose electronic protected health information was exposed in a security breach if the information was not secured (i.e., by encryption). The definition of a breach was also broadened to include any unauthorized acquisition, access, use or disclosure of unsecured PHI which compromised the security or privacy of that information.

These updates formed the basis for the HIPAA Breach Notification Rule, which requires HIPAA-covered entities to send notifications to affected individuals if there is a significant risk of financial, reputational, or other harm as a result of a breach. Those notifications need to be issued without unreasonable delay and no later than 60 days following the discovery of a breach.

The Department of Health and Human Services’ Office for Civil Rights must also be notified of data breaches within the same time frame if the breach impacts 500 or more individuals. Smaller data breaches must also be reported to OCR, but within 60 days of the end of the calendar year in which the breach was discovered.

HITECH Act Frequently Asked Questions (FAQs)

Why is the HITECH Act important?

In terms of HIPAA compliance, the HITECH Act is important because it addresses gaps in the original legislation and gives the Department of Health & Human Services (HHS) more powers to enforce HIPAA. It also introduces accountability for Business Associates and vendors of personal health devices, who – in addition to HHS sanctions – can now be subject to civil and criminal penalties for data breaches.

What is the purpose of the HITECH Act?

The primary purpose of the HITECH Act is to improve the quality, safety, and efficiency of healthcare by expanding the adoption of health information technology to facilitate (among other things) Health Information Exchanges. The measures included in the Act to make the enforcement of HIPAA more effective are there to ensure the adoption of health information technology is compliant with the HIPAA Privacy and Security Rules.

What are the goals of the HITECH Act?

The HITECH Act has several goals. By improving the quality, safety, and efficiency of healthcare in a HIPAA-compliant manner, the Act aims to improve care coordination, reduce disparities in the ways healthcare is administered, engage patients and their families in the decision-making process, and improve the public health by laying the foundations for a Nationwide Health Information Network.

How does the HITECH Act affect HIPAA?

The three most significant ways in which the HITECH Act affects HIPAA are the introduction of the Breach Notification Rule, the inclusion of Business Associates among those who can be held accountable for data breaches, and the powers given to HHS to facilitate enforcement action. It is important to note that, although HITECH mostly focuses on information technology, HHS can still take enforcement action against a Covered Entity or Business Associate when a breach unrelated to technology occurs.

Who does the HITECH Act apply to?

In respect of expanding the adoption of health information technology, the HITECH Act applies to healthcare organizations and medical practices that benefit from the Medicare and Medicaid programs. In respect of the enhanced security and privacy provisions of HIPAA, the HITECH Act applies to Covered Entities and Business Associates. However, software developers and vendors of personal health devices are also required to comply with HITECH – their compliance is monitored by the Federal Trade Commission (FTC).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.