HIPAA or the Health Insurance Portability and Accountability Act is a set of practices that govern the privacy of individual health records. You may have heard of data sets that would be covered under HIPAA such as Personally Identifiable Information, Electronic Protected Health Information, or Protected Health Information (PII, ePHI, and PHI). While HIPAA applies from 1996, the HITECH act or the Health Information Technology for Economic and Clinical Health Act only came into effect in 2009. The HITECH act is part of an economic stimulus package created to promote and expand the adoption of health information technology, specifically the use of Electronic Health Records (EHRs) by healthcare providers.
Bottomline: HIPAA protects patient privacy. HITECH promotes health technology through funding.
Why is the HITECH Act Important to HIPAA Compliance?
Prior to HITECH Act, only 9% of hospitals and healthcare facilities had adopted EHRs. To boost efficiency and patient care coordination between different entities, electronic health records were adopted. The initial cost of implementing the new technology proved to be too much for many healthcare providers wanting to make the transition from paper records to electronic health records and the HITECH Act introduced incentives to encourage healthcare providers to make the change. The ACT increased the rate of adoption to EHRs from 3.2% to 86% in nine years.
HITECH did not make HIPAA compliance mandatory as that was already a requirement once established in 1996 but it did make sure that entities found not to be in compliance could be issued with a substantial fine. The Act also helped to ensure organizations were complying with HIPAA privacy and security rules by implementing safeguards to keep health information such as Protected Health Information (PHI) private and confidential, restricting uses and disclosures of health information.
The main differences between HITECH and HIPAA are the penalty structures and the responsibility of breach notifications.
Breach Notifications Prior to The Act, organizations covered by healthcare insurance were only obligated contractually to comply with the breach notification rule. The Breach Notification Rule was issued by Health and Human Services (HHS) were regulations requiring health care providers, health plans, and other entities covered by HIPAA to notify individuals when their health information is breached. If a breach affected less than five-hundred individuals, there is no time limit for reporting it. For any breach in excess of that number, there is a sixty-day time limit from discovering the unauthorized access. Essentially, HITECH extends legal liability to any entity that handles PHI or ePHI.
The HITECH Compliance Act and its relationship to HIPAA and EMRs requires that patients be notified of any unsecured breach. If a breach impacts 500 patients or more then HHS must also be notified. In this instance, local media will need to be notified as well. Lastly, the State Privacy Officer will need to be notified. All breached patients will need to receive a first class mailing that addresses personally what happened and what steps are being taken to resolve the breach, with the entity sometimes paying for the breached patients to have free access to their credit reports.
Penalty Structures The HITECH Act works with HIPAA Compliance in dealing with noncompliant Covered Entities. Previously, the fine structures that were in place allowed companies who were noncompliant to pay the fines and continue. HITECH increased much harsher fines that ensured companies could no longer simply opt for just paying the fines by introducing violation tiers. These tiers increased fines from $100 to $50,000 per violation while setting the maximum fine at $1.5 million. At this point, healthcare organizations and Covered Entities could no longer afford to be non-compliant with HIPAA and HITECH requirements.
What Fines Come with Ignoring the Rules?
The following are primary tiers as provided by the HIPAA Journal concerning HIPAA violations:
Unaware of the HIPAA violation and by exercising reasonable due diligence would not have known HIPAA Rules had been violated
- Penalty: $100 – $50,000 per violation with a maximum of $1.5 million per year
Reasonable cause that the covered entity knew about or should have known about the violation by exercising reasonable due diligence
- Penalty: $1,000 – $50,000 per violation with a maximum of $1.5 million per year
Willful neglect of HIPAA Rules with the violation corrected within 30 days of discovery
- Penalty: $10,000 – $50,000 per violation with a maximum of $1.5 million per year
Willful neglect of HIPAA Rules and no effort made to correct the volition within 30 days of discovery
- Penalty: $50,000 per violation with a maximum of $1.5 million per year
Note that there is an emphasis on exercising reasonable due diligence in Tier 1 and 2. If the entity decides not to exercise due diligence and are aware of the violations, then it could place them in Tier 3 or 4 category because of willful neglect. Knowing where the gaps are is half the battle, and ensuring you have a healthy plan of action can help you save a lot of money in the event there is an issue.
For healthcare organizations, developing technologies that cater to HIPAA & HITECH compliance requirements isn’t new. Securing patient data remains critically important to healthcare professionals as a data breach can cause unrepairable damages to both patients and facilities. HITECH addressed the shortcomings of HIPAA and forced entities to acknowledge the importance of securing patient data and proactively establishing control systems.
Partnering with a healthcare IT provider like Corsica Technologies helps you focus on that goal by guiding you to the best path forward. Our number one priority is ensuring that your systems are protected and reducing the risk of your organization becoming a news headline for a data breach. If you are interested in learning more about services and how we can help your workforce meeting HITECH compliance, you can read more here or schedule a call with one of our security professionals.