Data breaches are a real problem in the healthcare industry. The HITECH Act was introduced in 2009 in the United States to strengthen HIPAA’s privacy and access goals even as it encouraged the adoption of electronic health records (EHRs).
HIPAA, introduced more than a decade ago in 1996, wasn’t written with the explosion of Internet and web applications in mind. So, the HITECH Act plugs the technology gap and puts the onus of securing PHI on healthcare organizations and related entities (with access to PHI).
The two are closely related and dovetail with each other even as they share a host of dissimilarities. In this article, we outline the essential aspects of the HITECH Act, its goals and applicability, and highlight the differences between HITECH and HIPAA.
Bonus: We also answer some of the commonly-asked questions on HITECH.
What is the HITECH Act in healthcare?
The HITECH Act is built on HIPAA and tightens its language to make sure third-party associates of HIPPA-certified organizations couldn’t flee the legal formalities and were, therefore, compliant too. HITECH also mandates that organizations notify health plan members or patients if their files get breached.
The Health Information Technology for Economic and Clinical Health Act, or the HITECH Act, is a US legislation enacted in 2009 to incentivize the adoption of electronic health records (EHR) and the supporting technology by the country’s healthcare industry.
It also bettered the efficacy of the existing HIPAA law by expanding the scope of HIPAA rules and enforcing stringent penalties for non-compliance, among other things.
What’s the importance of the HITECH Act?
The importance of the HITECH Act lies in how it incentivized the healthcare industry to transition from paper to digital medical records. And while doing so, it also strengthened the HIPAA Privacy and Security Rules concerning EHRs by mandating security audits of healthcare providers.
To best appreciate the importance of the HITECH Act, let’s quickly look at the limitations of HIPAA then.
Not aligned with technological development
As we mentioned earlier, HIPAA was created in 1996, before digitization disrupted businesses and our ways of life. So, when technology took over, eventually, HIPAA wasn’t enough to regulate the security and privacy of PHI.
HIPAA, when introduced, couldn’t hold business associates of HIPAA-covered entities fully responsible for data security and privacy. As a result of the loopholes, third-party vendors with access to PHI often had lower security standards and couldn’t always be held liable for it.
Leniency of penalties
HIPAA non-compliance fees needed to be more prohibitive to make healthcare organizations change their security standards. The 1996 HIPAA Act had a maximum fine of $25000, with most of the penalties hovering around $100 for each violation. HITECH changed that. More on that later.
The HITECH Act built off HIPAA and tightened its language to ensure third-party associates of HIPPA-certified organizations couldn’t escape the legal noose and were, therefore, compliant too. HITECH also mandates that organizations notify patients or health plan members if their files get breached.
Here are the three most notable ways in which the HITECH Act affects HIPAA
- Introduction of the Breach Notification Rule
- Inclusion of Business Associates among those who can be held accountable for data breaches
- Facilitation of enforcement action by vesting more power to the Department of Health and Human Services (HHS)
Broadly, the HITECH Act, split into four categories, helped fix these issues.
Subtitle A – Promotion of Health Information Technology
It deals with the creation of the new electronic healthcare infrastructure, including the adoption of EHRs and the application of these adopted standards.
Subtitle B – Testing of Health Information Technology
It defines eligibility for those who can apply for grants and funding to participate in this testing. Institutions of higher education, nonprofit entities, and federal laboratories may receive grant funds to research healthcare delivery and health information technologies.
Subtitle C – Grants and Loans Funding
It outlines how the grant and loan funds must be used, who ensures that the funds are appropriately used, and what standards must be met for health information technologies.
Subtitle D – Privacy
It deals with improved security and privacy provisions, the relationship of these to other laws, and the effective dates. This section also deals with non-HIPAA-covered entities, ensuring that they are held to the same regulations and standards.
What are the goals of the HITECH Act?
The 5 HITECH Act goals as described by the US healthcare system – improve safety, quality, and efficiency; increase coordination of care; engage patients in their care; improve the health status of the population; and ensure security and privacy.
The HITECH Act’s goals include the following:
- Incentivizing more healthcare providers to adopt EHR systems
- Plugging HIPAA loopholes
- Ensuring Business Associates of covered entities comply with HIPAA rules and regulations
- Notifying patients when their PHI gets compromised
- Enforcing prohibitive penalties for HIPAA non-compliance
- Improving the quality, safety, and efficiency of healthcare provided in a HIPAA-compliant manner
When the HITECH Act was introduced in 2009, 9 out of 10 healthcare professionals used paper documents for healthcare records (according to a report in the journal Health Affairs).
But now, more than 95% of hospitals and 90% of office-based physicians use EHR systems, patients get intimated about data breaches, and organizations, including third-party vendors with access to PHI, get levied heavy penalties for noncompliance (tiered penalties).
Who does the HITECH Act apply to?
The HITECH Act applies to all healthcare organizations that
- Benefit from the Medicare and Medicaid programs.
- HIPAA’s Covered Entities and Business Associates
If you are a Business Associate, here’s how HITECH adds more layers to your HIPAA compliance.
Improved HIPAA Security Rule for ePHI
Here are some aspects of HIPAA’s Security Rule that got included/updated post the introduction of the HITECH Act to protect ePHI.
- Access Control
- Access Log Usage
- Audit Monitoring
- Risk Assessments
Also check out: HIPAA Compliance Audit
Extension of HIPAA Privacy Rule to EHR
The HITECH Act also extended the HIPAA privacy and access rights of individuals to EHRs. As Business Associates, you must have provisions in place to provide individuals with a copy of the EHRs when requested and secure access and privacy of their ePHI at all times.
Payment of HIPAA/ HITECH fines on non-compliance
Since HITECH broadened the scope of HIPAA to include Business Associates too in its ambit, you become liable to any HIPAA/HITECH fines and penalties if you share PHI with unauthorized parties (for instance, in the event of a data breach).
What are the three components of the HITECH Act?
Business Associate HIPAA Compliance: The HITECH Act introduced strict requirements for Business Associates, including enforcing business associate agreements, higher penalties for non-compliance, and responsibilities for intimating breach notification.
Willful Neglect and Auditing: HITECH mandated security audits of healthcare providers and introduced a tiered violation penalty and fine system.
Meaningful Use Program: Created by the HHS, the Meaningful Use Program centered on improving quality, safety, efficiency, and reducing health disparities in the country.
What were the key changes to HIPAA when the Omnibus Rule under HITECH got included?
In January 2013, the HHS issued the Omnibus Rule (aka Final Rule), implementing the HITECH Act modifications to HIPAA’s Privacy Rule and other rules.
The HITECH Act introduced multiple privacy provisions that integrated into HIPAA via the Final Omnibus Rule. These include:
- Expansion of patients’ rights to receive copies of and amend PHI
- Modification of the requirements for Notices of Privacy Practices
- Enablement of access to PHI by families and authorized parties
- Addition of limitations on permitted disclosures of PHI
- Restriction of disclosures for the private payment of treatment
- Extension of the list of disclosures for which consent is required
- Expansion of HIPAA’s Business Associate requirements by expanding the definition of a Business Associate
- Imposition of legal obligation on Business Associates to enter into business associate agreements with Covered Entities
- Extension of HIPAA’s Security Rule to Business Associates with regard to administrative, physical and technical safeguards
- Expansion of the definition of ‘breach’ resulting in more situations in which Covered Entities and Business Associates must provide notice of a breach
HITECH vs HIPAA
The critical difference between HITECH and HIPAA stems from the changes in penalty structure and the vesting of responsibility for breach notification.
While HIPAA laid the foundational guidelines for breach notification, HITECH built on it by extending the legal liability to a broader set of organizations; any entity that handles PHI or ePHI.
HITECH also outlines notification requirements for covered entities to abide by in the event of unsecured breaches. It requires HIPAA-covered entities to alert affected individuals after any level of a data breach.
No time limit is prescribed for reporting a breach that affects less than 500 individuals. For a breach that affects more than 500 individuals, there is a 60-days time limit from discovering the unauthorized access.
The earlier fine structures allowed non-compliant organizations to pay the fines and continue business as usual; the penalties weren’t prohibitive enough. The HITECH Act introduced harsher fines that forced organizations to take notice and mend their ways.
HITECH brought in a tiered penalty system; with fines ranging from $100 to $50,000 per violation while setting the maximum fine at $1.5 million.
As EHR systems get increasingly complex, it also adds to their cybersecurity risk. As Business Associate, you must stave off such threats and secure ePHI by implementing the necessary guardrails.
And it would be best if you did all this without losing focus on growing your business! We understand that securing ePHI and managing the many requirements of the regulation can take away a chunk of your engineering team’s time and productivity. Automating your HIPAA compliance with Sprinto can solve that.
Sprinto allows you to stay on top of your HIPAA game without wasting your top talents’ time and energy. Sprinto’s continuous monitoring feature, in-app employee training and tracking for HIPAA, integrated risk assessments, and reliable and anytime support from compliance experts ensure you are always on the right side of HIPAA.
Talk to us to know how you can implement Sprinto to become HIPAA-compliant in a breeze.
What are the three components of the HITECH Act?
The three main components of the HITECH Act are as follows:
- Business Associate HIPAA Compliance
- Willful Neglect and Auditing
- Meaningful Use Program
Why was HITECH enacted?
The HITECH Act is part of US legislation enacted in 2009 to incentivize the use of electronic health records (EHR) as well as the supporting technology by the country’s healthcare industry. It also helped improve security and privacy protections for healthcare data.