What is the HITECH Act?
The HITECH Act – or Health Information Technology for Economic and Clinical Health Act – was part of an economic stimulus package introduced during the Obama administration. The HITECH Act was primarily created to promote and expand the adoption of health information technology, and the Department of Health & Human Services (HHS) was given a budget in excess of $25 billion to achieve its goals.
HHS used some of the budget to fund the Meaningful Use program – a program that incentivized care providers to adopt Electronic Health Records (EHRs). In order to qualify for federal funds, care providers not only had to adopt EHRs but also demonstrate compliance with the HIPAA Security and Privacy Rules by conducting risk assessments. The subsequent failure rate of those assessments indicated that tougher enforcement of HIPAA was required.
The Legal Requirement for BAs to be HIPAA Compliant
When HIPAA was originally passed in 1996, Business Associates (BAs) had a “contractual obligation” to comply with HIPAA. As there was no enforcement of the obligation, and Covered Entities could avoid sanctions (in the event of a breach of PHI by the BA) by saying they did not know the BA was not HIPAA-compliant, many BAs failed to meet the regulatory guidelines – placing millions of health records at risk.
The HITECH Act applied the HIPAA Security and Privacy Rules to BAs and gave them the same legal requirements to protect PHI, detect breaches and report violations of HIPAA as Covered Entities. BAs were also subject to the same mandatory HIPAA audits as Covered Entities, and the same civil and criminal penalties for failing to comply with HIPAA.
How the Act Led to the Effective Enforcement of HIPAA
Prior to the HITECH Act, as well as Covered Entities avoiding sanctions by claiming they or their BAs were unaware they were violating HIPAA, the sanctions HHS could impose were little more than a slap on the wrist ($100 for each violation up to a maximum fine of $25,000). The Act strengthened the HHS’ powers by introducing “violation tiers” and raising the maximum fine to $1.5 million per violation.
The consequence of the new $1.5 million ceiling was that Covered Entities and Business Associates began to take more notice of the HIPAA regulations. With a much-enhanced income source, HHS was able to dedicate more resources to investigating the causes of PHI breaches and, in 2011, launched the first phase of its audit program. The second phase was concluded in 2016 and Phase 3 is expected soon.
Other HIPAA-Relevant Provisions in the HITECH Act
A new Breach Notification Rule and revised requirements for the authorized disclosure of PHI were also included in the HITECH Act. Under the new Breach Notification Rule, Covered Entities have to report breaches of more than five hundred records to affected patients and the HHS within sixty days. The Rule also requires BAs to notify Covered Entities of a breach so that the Covered Entity can report it to the HHS.
The revised requirements for the authorized disclosure of PHI tightened up the language of the HIPAA Privacy Rule, prevented BAs from using PHI for marketing purposes without authorization and gave patients the right to revoke authorizations. These changes effectively allowed the HHS to bring criminal charges for violations of HIPAA if PHI was stolen or disclosed without authorization for personal gain.
Further Information about the HITECH Act
For further information about the HITECH Act, the national minimum standards enforced by HITECH, and the changes to relationships between Covered Entities and BAs that were a consequence of HITECH, you are invited to download our “HIPAA Compliance Guide”. Our guide also contains a link to the full 2013 Omnibus Final Rule that expands on the definitions within the HITECH Act.