When you’re sick and at the doctor’s office, you have to reveal a lot of personal information for the physician to properly treat you. Within your file contains your demographic information, your personal medical history, mental health, tests and lab results, insurance information, and more. All of this falls under a specific category called protected health information (PHI).
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in order to protect patients’ PHI. Privacy and security weren’t the only topics covered in HIPAA. It also addressed health insurance prices and changes, encouraged the use of electronic health records (EHRs), and developed the groundwork for a national healthcare standard.
HIPAA was amended — rather, bolstered — in 2009, when Congress passed the HITECH Act. It addressed many of the problems arising from HIPAA and helped bring the framework into the 21st century. It also brought with it harsher penalties for HIPAA noncompliance. To avoid these fees, healthcare providers and their business associates must understand the HITECH Act penalties and enforcement.
What is the HITECH Act
Before jumping straight into the HITECH Act penalties and enforcement, it might be helpful to explain what the HITECH Act is. The abbreviation stands for the Health Information Technology for Economic and Clinical Health Act, and as mentioned above, it was created to further the initial goals of HIPAA and cover some of the holes.
The points addressed in the initial proposal included:
- Promoting the adoption of EHRs – In 2009, more than half of all hospitals and physicians were still solely using paper records to document and record medical information. As the digital age progressed, the healthcare industry needed to adapt and adopt EHRs.
- Removing loopholes in the original text – In the 13 years between HIPAA and HITECH, the technological and medical advancements were incredible. Just think, in 1996, the idea of having access to a global information network in our pockets was a sci-fi dream. These advancements left wiggle room (read, loopholes) in the original text.
- Including business associates of HIPAA-covered entities – One major loophole of HIPAA was how business associates could escape regulations and penalties by claiming ignorance.
- Enforcing stricter penalties of HIPAA noncompliance – The penalties of HIPAA were too lenient to cause change, and there was less power within the HHS to enforce these regulations.
Who Enforces the HITECH Act
Within the Department of Health and Human Services (HHS), there is the Office for Civil Rights (OCR). They hold the primary authority for overseeing that healthcare providers and subsidiary companies work within the boundaries and regulations of this Act.
Some of their primary duties involve:
- Implementing and enforcing the HIPAA Privacy Rule and imposing civil money penalties
- Updating the HHS Security Risk Assessment Tool and providing it to HIPAA-compliant entities—this is particularly helpful for small and medium-sized healthcare practices
- Developing regulations for the Breach Notification Rule
What are the Penalties for Noncompliance
The penalties and fines for the HITECH Act are fairly straightforward. Of the possible infractions that can occur (outlined below), there are two different factors that influence what penalty you receive. Those factors are whether or not there was “willful neglect” and whether or not the infractions were resolved.
- Willful neglect – When a healthcare provider should have known about a HIPAA regulation and failed to make an effort to work within it, this is considered willful neglect. It is decided on a case-by-case basis and tries to nail down the intent behind the noncompliance.
- Resolving timeline – Healthcare providers and business associates have 30 days within which to correct any noncompliance errors. If they do so, they are dropped down a tier of penalties and receive significantly less monetary fees and jail time.
The Four Tiers of Penalties
To bring the abstract into concrete examples, it’s best to dive into the original text. The HHS outlined the general penalties in section 13410(d) of the HITECH Act. It goes as follows:
- Tier A – If a violation occurs in which the person or entity did not know they violated a provision, and they would not have known even if they exercised a reasonable effort [reasonable, defined case-by-case], then the penalty will be:
- Tier A penalty – For each instance or violation, the person or entity will pay $100. This can sum to a maximum of $25,000 annually for identical violations.
- Tier B – If it is the case that the violation established was because of reasonable cause but not of willful neglect, then the penalty will be:
- Tier B penalty – For each instance or violation, the person or entity will pay $1,000. This total will not exceed $100,000 in the calendar year for identical violations.
- Tier C – If the violation occurs and the cause is due to willful neglect, the person or entity is given a chance to amend their policy within 30 days. If the correction is satisfactory, the penalty will be:
- Tier C penalty – For each instance or violation, the person or entity will pay $10,000. This sum is not to exceed $250,000 per calendar year for identical violations.
- Tier D – Similar to Tier C, if the violation occurs due to willful neglect, and the person or entity does not amend their policy within 30 days, the penalty will be:
- Tier D penalty – For each instance or violation, the person or entity will pay $50,000. This sum cannot exceed $1,500,000 per calendar year for identical violations.
Limitations of Violations Due to Reasonable Cause
You probably noticed the term “reasonable cause” in the above. It is a term that is best described as the opposite of willful neglect, although its definition can be determined at the auditor’s discretion. If reasonable cause is suspected, there are limitations placed on the penalties.
- Grace period – If the violation is not due to willful neglect (Tier A and B), then the OCR must provide a 30-day period to correct the violation. The time begins when the person or entity first became aware of the penalty. If the violation is corrected within this grace period, the penalties will be omitted.
- Extension period – The grace period is able to be extended as deemed appropriate by the Office of the Secretary in order to comply with the corrections needed.
- Assistance – It may be the case that the Office of the Secretary determines the reason for the violation is due to the inability to comply. In which case, the Secretary will provide technical assistance during the grace period (or extension period) to the person or entity.
- Reduction – If the penalty fee is not waived entirely, the person or entity may request a reduction of the penalty to be relative to the violation involved.
What Constitutes Noncompliance
So far, this article has covered both the costs of violating the HITECH Act and who enforces the regulations and penalties. However, it’s important to outline what constitutes noncompliance because the objective is to avoid all of the HITECH Act penalties and enforcement.
Because the HITECH Act covers many different areas of healthcare, it’s easier to break it down by major sections.
- HIPAA Compliance
- Business Associates under HITECH
- HIPAA Privacy Rule
- HIPAA Security Rule
- Breach Notification Rule
- Meaningful Use Program
First off, remember that the HITECH Act is considered an extension of HIPAA. Which means to be HITECH compliant, you have to be HIPAA compliant. Any HIPAA-covered entity that has access to personal health information must adhere to the administrative, physical, and technical safeguards. In addition, they must comply with HIPAA Privacy and Security and follow all Breach Notification Rule guidelines.
Business Associates under HITECH
As an update to HIPAA compliance, all business associates of HIPAA-covered entities are now regulated under the same rules and regulations. Before the HITECH Act, business associates were able to skirt around these penalties by claiming ignorance. If they were unaware of the healthcare provider they were working with did not adhere to HIPAA guidelines, then they were not at fault.
The HITECH Act fixed this loophole and made all entities that have access to ePHI regulated by the HHS and OCR.
HIPAA Privacy Rule
One of the defining principles of HIPAA, when it was created, was the importance placed on the patient’s privacy. It established what standards should exist to protect an individual’s medical background and personal health information. This idea was again reinforced with the institution of the HITECH Act.
The HIPAA Privacy Rule sets the following in place:
- Patients should have control over their PHI
- Boundaries are set to regulate the release and use of PHI
- Institutes safeguards for healthcare providers and business associates when dealing with patient information
- Imposes strict penalties on violations, including monetary fees and jail time
- Limits shared information to the “minimum necessary” when disclosing PHI
The HIPAA rule also states that patients have the right to access their medical history and health information electronically or obtain a hard copy.
HIPAA Security Rule
The HIPAA Security Rule deals specifically with the ePHI (or electronic Protected Health Information). It’s a subset within the HIPAA Privacy Rule, and it’s an incredibly jargon-heavy document that combines both IT and legal jargon.
The original text can be found here.
For a simple understanding, the Security Rule is subject to three types of safeguards: administrative, physical, and technical. These are then further broken down into standards and specifications of implementation. The most important of these safeguards are:
- Risk assessment – HIPAA-covered entities must employ risk assessment techniques in order to determine what their infrastructure’s risk is currently. Ignoring this safeguard constitutes willful neglect and is categorized under either Tier C or Tier D of the penalties listed above.
- Risk mitigation – Once you’ve assessed these risks, the specifications of implementation break down how entities have to mitigate these risks. The amount of risk reduction is relative to the size and complexity of the healthcare provider or business associate.
Breach Notification Rule
If a data breach occurs within a HIPAA-covered entity, the Breach Notification Rule defines how said entity must report it. The size of the breach constitutes what is necessary:
If the breach affects less than 500 patient records:
- The healthcare provider or business associate must send a letter via first-class mail notifying the affected individuals. They must provide them with what protected health information was compromised, what steps within the company are being taken to prevent further breaches from happening, and what actions the patient can do to minimize the potential harm of the breach.
If the breach affects more than 500 patient records:
- On top of everything above, the healthcare provider or business associate must report the breach to the HHS within the first two months (or 60 days) of discovering the data breach. They must also report the breach to an established media outlet which serves the affected jurisdiction.
Meaningful Use Program
Another crucial factor of the HITECH Act was its push for electronic health records to be implemented. In just seven years (from 2008 to 2015), the percentage of non-Federal acute care hospitals using EHRs raised from 9.4% to 83.8%. The number of certified EHRs was even higher, at 96%.
What constitutes a “certified” EHR is whether or not it meets the Meaningful Use program standards.
Meaningful Use could mean that a patient is able to order prescription medication online. Or that patients have access to their medical records electronically and can easily transfer this information between insurers, hospitals, and other healthcare providers. The idea is to make it useful for the patient. That could be defined as any of the following:
- The improvement of patient healthcare quality, safety, and efficiency
- Better engagement with patients and their health
- Improvements in coordinating care
- Adequate privacy protections of ePHI
- Improvements to public health
Preparing for HITECH Act Penalties and Enforcement
With the HITECH Act came stringent enforcement and the power to audit healthcare providers and subsidiary companies. And the penalties associated—upwards of $1,500,000 in fees and ten years in jail time—can be a significant detriment to the entity.
An even more damaging consequence would be experiencing a data breach. Privacy failures negatively affect your patients’ trust and taint your brand’s image. To avoid these adverse outcomes, you have to make data privacy and security your primary focus.
RSI Security specializes in HIPAA and HITECH compliance and can assess data security risks. Once the risk is determined, RSI Security can advise and manage privacy and security measures to prevent penalties from the OCR. Contact us today!
Health IT Dashboard. Office-based Physician Electronic Health Record Adoption. https://dashboard.healthit.gov/quickstats/pages/physician-ehr-adoption-trends.php
HHS. Section 13410(d) of the HITECH Act. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf
HIPAA Journal. HIPAA Compliance Checklist. https://www.hipaajournal.com/hipaa-compliance-checklist/
HHS. 5 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf?language=es
Health IT Dashboard. Adoption of Electronic Health Record Systems among U.S. Non-Federal Acute Care Hospitals: 2008-2015. https://dashboard.healthit.gov/evaluations/data-briefs/non-federal-acute-care-hospital-ehr-adoption-2008-2015.php