The HITECH Act: Putting the “Force” Into HIPAA Enforcement

Whether you call it "HIPAA on steroids" or just another expansion, the HITECH Act gave organizations tougher security requirements and backed them up with increased penalties for HIPAA noncompliance.

What is the HITECH Act?

In the first decade following the release of HIPAA, complying with the act was easy. The threat of an audit was low, penalties for PHI breaches were relatively mild, and enforcement by the Office for Civil Rights was practically nonexistent. However, all of that changed with the passage of the HITECH Act in 2009.

HITECH stands for the "Health Information Technology for Economic and Clinical Health" Act. It was signed into law in February 2009 as part of the American Recovery and Reinvestment Act by President Obama, with the primary purpose of encouraging healthcare providers to adopt Electronic Health Records (EHR) and supporting technology. It foresaw the potential impact, both good and bad, of the growth of the exchange of electronic protected health information (ePHI) between doctors, hospitals, and vendors that store ePHI. The act also removed some ambiguity in the HIPAA law by clearing up some of its language, working to ensure that business associates were complying with HIPAA standards and were notifying affected parties when their PHI was compromised.

To help encourage healthcare providers to adopt EHR technologies, the act included financial incentives for early adoption of those technologies until 2015. After 2015, it began to levy financial penalties in the form of reductions of Medicare and Medicaid reimbursement for physicians who had not adopted EHR technologies.

Incentives for Electronic Medical Record Access

Prior to the HIPAA HITECH Act, only a small percentage of hospitals had adopted EHR systems; most were reluctant because of the massive upfront cost of switching from paper records, and the continued reliance on paper created inefficiencies in healthcare. In order to improve patient outcomes and increase administrative efficiency, the HITECH Act provided financial incentives (and penalties) to encourage hospitals and other healthcare providers to adopt these systems. Due to these incentives and penalties, by 2017 nearly 90% of healthcare providers had adopted EHRs.

The HIPAA Privacy Rule gave patients the right of access to their medical records. The HITECH Act took that a step further and gives patients the right to obtain their PHI in an electronic format if they want it in that format. This makes it easier for individuals to share their health records with other organizations and brought official HIPAA guidelines into alignment with the state laws that mandate patient access to their own medical records. Additionally, the act specifies that practices may only charge for the labor costs of fulfilling the request.

The HIPAA HITECH Act & Business Associates

Prior to the HITECH Act, business associates who did work that necessitated access to PHI on behalf of covered entities were not directly regulated but were still required to comply with HIPAA. All of that changed with the release of the HITECH Act, which provided for direct regulation of business associates by stating that they must abide by the standards the Security and Privacy Rules set for them, though they were not held accountable for breaches until the passage of the Omnibus Rule in 2013.

Now business associates must report security breaches to covered entities as per the Breach Notification Rule, and they are subject to civil and criminal penalties for noncompliance with the HIPAA rules and regulations. The end result of HITECH is that business associates and providers now share joint responsibility for compliance.

Expanding HIPAA Enforcement

In the past, HIPAA was not rigorously enforced, but the passage of the HITECH Act clarified and strengthened the enforcement of the law by increasing penalties for noncompliance and, as mentioned above, by mandating that the same rules apply to business associates as to covered entities.

Armed with these stronger enforcement measures, HHS now more frequently audits covered entities or business associates that have breached ePHI or have been reported to be in willful neglect of HIPAA.

One of the challenges of compliance is that "willful neglect" is often at the discretion of the auditor, but as a general rule, if your organization does not have the required privacy and security documentation, you'll be found in willful neglect.

Additionally, organizations can now be audited by the state attorney general as well as the Department of Health and Human Services, which raises fears of politically motivated investigations of PHI handling by an attorney general driven by ambition.

The HITECH Act expanded enforcement for HIPAA Violations

HITECH Act Compliance

The overarching goal of HITECH was to encourage and promote the use of secure and portable EHR throughout the United States. In order to achieve this goal, it specified three stages of meaningful use requiring the increasing deployment of EHR along with safeguards to maintain the quality and security of the data.

HITECH required covered entities to undergo HIPAA compliance training under the standards set by the Security Rule. Additionally, the act strengthened the Breach Notification Rule by requiring notification of a PHI breach to all affected parties, regardless of whether the breach could result in harm.

As noted above, HITECH expanded HIPAA Compliance requirements.

Best Practices for HITECH Compliance

1: Stay informed. Make sure that employees of your organization are actually knowledgeable about HIPAA, HITECH, and data breach notification laws. How can you ensure they are knowledgeable? Ongoing education and training.

2: Create a security plan. HIPAA requires workplaces to implement various safeguards in order to ensure the security and privacy of PHI. A formal security policy should put in place physical, administrative, and technical safeguards to ensure the privacy, safety, and integrity of PHI, such as data protection solutions that proactively classify records and protect them from unauthorized access or use.

3: Educate your employees, and enforce compliance. Research has demonstrated that employee negligence is the leading risk factor for a data breach. Security training should be frequent and constantly updated.

4: Limit access to sensitive data. Ensure that PHI can only be accessed by employees who need it for their delegated job responsibilities, on an as-needed basis. Furthermore, it is a best practice to be able to log who accesses PHI, when, and what each employee did with the protected data.

5: Perform frequent reviews of your security protocols. Not only is this a requirement of HITECH, but it can also help you identify and eliminate risk before a breach actually occurs by correcting vulnerabilities and implementing policies and procedures that lower your organization's risk of a breach.

HITECH is Complex. Accountable Makes HITECH Compliance Simple

As you can see, the HITECH Act has a lot of moving parts, and compliance can feel like a moving target.

It's important to remember that as easy as it is to violate the HITECH Act, implementing training and policies to safeguard PHI and your organization from a breach is easier. That is why we created Accountable: a complete solution designed to help you achieve and maintain your organization's compliance with HITECH. We built it to give you the tools you need to train your employees, manage your vendors, and root out security risks within your organization.

Oh, and it’s free to get started.
