Over the past three decades, America has been transformed by revolutionary technologies such as the internet, PC, laptop, and mobile phone. New tech ushered the world into the Information Age, creating a paradigm shift in how data and information could be logged, stored, and shared. This change completely altered the face of the American economy; and in the space of a few years, digital electronics became an essential facet of business life.
Few industries were as fundamentally impacted by this shift as the healthcare industry. Seeing this, the U.S. government created security measures to protect private electronic patient info. They started with HIPAA in 1996, which then received a much-needed update more than a decade later with the HITECH Act. Naturally, you might wonder, how does HITECH affect HIPAA? Below, we’ll answer that question and others related to both information security regulations.
What Is HIPAA?
In 1996, Congress introduced the Health Insurance Portability and Accountability Act (HIPAA), This sweeping piece of legislation was created to address two factors:
- Provide health insurance coverage for workers who were between jobs.
- Implement controls to safeguard private health information and prevent fraud.
On August 21st, 1996, President Bill Clinton signed the initial version of HIPAA into law. Crowing it as a partial vindication over his failure to transform the American health insurance system, President Clinton said it was, “a long step toward the kind of health care reform our nation needs.” According to a New York Times article written at the time,
Besides assuring expanded access to insurance, the new law makes it easier for self-employed workers to afford their own insurance, by increasing the share of its cost they can deduct from their income taxes to 80 percent, from 30. It toughens penalties for Medicare and Medicaid fraud, reduces paperwork and offers tax breaks for long-term care.
The Five HIPAA Titles
HIPAA consists of five key sections, which are referred to as titles:
- Title I – Sought to safeguard health insurance coverage for workers who changed or lost their job. In addition, it prohibited group health plans from denying coverage for individuals with preexisting conditions and prevented them from creating lifetime coverage limits.
- Title II – Directed the Department of Health and Human Services to create a standardized methodology for processing electronic health care transactions. Title II compelled healthcare providers and organizations to give patients electronic access to their private electronic health records (EHR). It also required that patient data and privacy be safeguarded according to HHS regulations.
- Title III – Set out tax-related provisions regarding deductions and outlined general medical care standards.
- Title IV – Created health insurance provisions for individuals with preexisting conditions and for those looking for continued coverage.
- Title V – Adds provisions related to company-owned insurance and treatment of individuals who lost their citizenship as a result of income tax failures.
Privacy Updates to HIPAA
Although one of HIPAA’s stated objectives was to protect patient EHR, there was little to nothing in the bill that actually ensured those ends. As it was in its original state, HIPAA lacked the security mechanisms necessary to even begin to protect a patient’s data and privacy. Despite that, it took four years for initial mandates to be put that would better protect patient privacy and ensure that their data was secure.
- HIPAA Privacy Rule – In 2000, HHS added the Privacy Rule regulation, which would then go into effect on April 14th, 2001. It set universal standards for the safeguarding of EHR for the three primary covered entities:
- Health plans
- Healthcare providers
- Healthcare clearinghouses
- These entities were required to be in compliance with the standards data protection standards outlined in the addendum by April 14th, 2003. Failure to do so could result in civil or criminal penalties.
- HIPAA Security Rule – In 2003, HHS also added the Security Rule in order to create a national set of security regulations for protecting private health information that was saved or shared electronically. According to HHS: “The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:
- “Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.”
The Failures of HIPAA
The introduction of HIPAA was met with skepticism, criticism, and even animosity from both patients and health care providers. Healthcare providers thought it would add unnecessary expenses, paperwork, and hurdles, making it more costly and less efficient to treat patients. Patients lamented that it wouldn’t provide significant protections to their data or private information. Both concerns wound up being largely true. A 20-year retrospective on HIPAA found:
In the early years of HIPAA privacy protections, HHS and OCR, which was responsible for enforcing the Privacy Rule, seemed content to let noncompliant healthcare providers slide with a warning. From April 2003 to 2008, around 35,000 HIPAA privacy violations were reported, but not a single civil fine was levied against a healthcare provider.
At the time, covered entities could circumvent sanctions by simply stating that their business associates didn’t know that they were violating HIPAA regulations. Even then, the sanctions HHS could levy were considered to be far too gentle with a $100 fine for each violation with a cap of $25,000. Many operators saw it as cost-effective to simply violate the rules and pay the small penalties rather than pay more to follow the regulations.
Over the next decade, HHS worked with thousands of providers that had been flagged for violations. Their goal was to help them reach voluntary compliance, but the current laws did little to push them towards voluntary compliance. In the end, the 2009 passage of the HITECH act was required to fix the glaring compliance and enforcement issues with HIPAA.
How Does HITECH Affect HIPAA?
In 2009, President Obama signed the American Recovery and Reinvestment Act. Although it was primarily a stimulus bill meant to jumpstart the post-recession American economy, a portion of the bill was meant to address the failures of HIPAA. This subsection was known as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The goals of HITECH were simple:
- Remove HIPAA loopholes by tightening up and clarifying the previous language.
- Ensure compliance and accountability for healthcare providers.
- Increase the enforcement mechanism for violations.
- Promote and expand the adoption of EHRs by healthcare providers.
At the time, the vast majority of healthcare providers stuck to their old physical copy system. They preferred paper records to digital ones and only 10% of hospitals had made the switch to electronic health records. According to the HIPAA Journal, “the Act increased the rate of adoption of EHRs from 3.2% in 2008 to 14.2% in 2015. By 2017, 86% of office-based physicians had adopted an EHR and 96% of non-federal acute care hospitals has implemented certified health IT.”
Violations and the OCR
One of the most significant ways that HITECH affected HIPAA had to do with the way that violations could be enforced. The original penalties for HIPAA violations were widely considered to be nothing more than a slap on the wrist; they did little to dissuade healthcare providers from breaching the rules. So, HHS empowered it’s Office for Civil Rights (OCR) by granting it better enforcement mechanisms and setting stricter penalties.
Through HITECH OCR could implement Privacy and Security rules in one of a few ways:
- Perform investigations based on violation complaints filed with HHS.
- Conduct compliance reviews and audits to see if specific healthcare entities were acquiescent.
- Supervise outreach and educational programs mean to encourage compliance.
During an OCR review, the lead investigator would gather all the pertinent information and then make a ruling as to whether or not there was a violation of the rules. In order to resolve cases of noncompliance, the OCR would seek resolution via:
- Voluntary compliance
- Corrective action
- Resolution agreement
HITECH Noncompliance Penalties
After the investigation was completed, the lead would decide whether or not the violations would be classified as civil or criminal penalties. In order to ensure that companies sought compliance, HHS set out a much more stringent penalty system, which was divided into four tiers:
- Tier 1 – The covered entity is unaware of its HIPAA violations. Had they done their due diligence HIPAA rules would likely not be violated. This sets a range of $100 to $50,000 in fines per violation with a maximum of $1,500,000 annually.
- Tier 2 – Investigator finds that there is “reasonable cause” that the covered entity was aware or should’ve been aware of the violation by exercising reasonable due diligence. This sets a range of $1,000 to $50,000 in fines per violation with a maximum of $1,500,000 annually.
- Tier 3 – Covered entity willfully neglects the rules of HIPAA but corrects the violation within 30 days of its discovery. This sets a range of $10,000 to $50,000 in fines per violation with a maximum of $1,500,000 annually.
- Tier 4 – Covered entity willfully neglects the rules of HIPAA and makes no effort to correct them within 30 days of their discovery. This sets a fine of $50,000 per violation with a maximum of $1,500,000 annually.
In addition to fines, individuals found guilty of criminal penalties for HIPAA violations could face serious prison time. According to the American Medical Association:
Covered entities and specified individuals, as explained below, who “knowingly” obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations, face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison. Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to 10 years.
Originally under HIPAA, covered entities who experienced a data breach were not legally obligated to notify those whose data or personal information had been stolen. HITECH changed this by requiring covered entities to alert either the individuals or even the public at large of the security issue. This looked as follows:
- Breach of fewer than 500 individuals – The individuals must be notified of the data intrusion. The specificities must be divulged in the company’s annual report to the HHS Secretary.
- Breach of more than 500 individuals – The individuals must be notified of the data intrusion. The entity must alert both the HHS Secretary as well as the media.
Under HIPAA patients had the right to access and receive copies of their private HER. HITECH expanded the access rights to covered entities that are responsible for managing protected health information stored electronically. As a result, establishments were required to provide the electronic copies to:
- The patient
- The patient’s doctor (with their permission)
- The patient’s personal health record services (with their permission)
- The patient’s family or associates (with their permission).
HIPAA originally placed limitations on how organizations were able to use personal health information. HITECH regulations enacted further measures on the use of information. In particular, it expanded the minimum necessary information standard so that healthcare providers had increased limitations on using, sharing, or requesting personal data.
Protecting Your Private Patient Information
HIPAA was an important response to changes in technology and the world at large. Even though it was largely unsuccessful, it sought to protect private patient information and encourage covered entities to switch to digital record-keeping systems. HITECH impacted HIPAA for the better, fixing glaring security weaknesses, closing loopholes, and providing HHS with better enforcement mechanisms.
Today, you can make your digitally stored health records even more secure by partnering with RSI Security. We provide unmatched cybersecurity and can provide a thorough analysis of your HIPAA / HITECH compliance. Together, we can safeguard your important information.
Download Our Complete Guide to Navigating Healthcare Compliance Whitepaper
Not sure if your HIPAA or healthcare compliance efforts are up to snuff? Unsure about where to even start? Download RSI Security’s comprehensive guide to navigating the HIPAA and healthcare compliance labyrinth. Upon filling out this brief form you will receive the whitepaper via email.
Purdum, T. The New York Times. Clinton Signs Bill to Give Portability in Insurance. (1996). https://www.nytimes.com/1996/08/22/us/clinton-signs-bill-to-give-portability-in-insurance.html
DHCS. HIPAA Title Information.
HHS. Privacy Rule General Overview. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/general-overview/index.html
HHS. Summary of the HIPAA Security Rule. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Gale, L. Healthcaredive. HIPAA at 20: Looking back at two decades of patient privacy protections. (2016). https://www.healthcaredive.com/news/hipaa-at-20-looking-back-at-two-decades-of-patient-privacy-protections/425378/
HIPAA Journal. What is the HITECH Act? https://www.hipaajournal.com/what-is-the-hitech-act/
American Medical Association. HIPAA Violations and Enforcement. https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement