Patients’ medical records are some of the most attractive targets for theft. The US Department of Health and Human Services (HHS) designated them as protected health information (PHI) in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and laid out measures to ensure their safety. Later, the HITECH Act of 2009 updated these safeguards for the modern era. But what are the major components of the HITECH Act? Keep reading to learn more.
What Are the Major Components of the HITECH Act?
What exactly is HITECH? It is an upgrade to HIPAA. It comprises various new protections and sensibilities for PHI, specifically shifting focus away from paper forms and onto electronic PHI (ePHI).
Understanding HIPAA requires understanding HITECH.
So, this guide will focus on the three most significant impacts of HITECH on HIPAA:
- Building on existing HIPAA protections by adding an entirely new rule
- Increasing the stakes of compliance with more significant penalties for noncompliance
- Widening the spread of protections across a greater number and variety of companies
Before we detail the key components of HITECH, let’s take a closer look at the history and context leading up to its adoption.
Why did HITECH come about in the first place?
Historical Context: Why HITECH Was Needed
Back when HIPAA was first introduced, health information technology (health IT) was far less prevalent than it is today. Practices relied more heavily upon traditional, analog forms for record-keeping. Nowadays, the widespread use of digital or wireless networks and servers, especially cloud computing, has necessitated a focus on ePHI more than traditional PHI.
Just as technological advances have facilitated patients’ access to PHI, they have also opened up several vulnerabilities that give cyber-criminals the same (if not greater) access.
In 2009, the HITECH Act was drafted as one part of the 111th Congress’s H.R.1, the American Recovery and Reinvestment Act (ARRA). Aimed at repairing damage from the Great Recession, ARRA would eventually become Public Law 111-5. HealthIT.gov has compiled an index of key ARRA excerpts, including the HITECH Act in its entirety (on pages 112-164).
Component 1: Expanded HIPAA Rules
The first principal component of HITECH is its impact on the requirements of HIPAA compliance for professionals. Initially, these comprised two rules protecting PHI against compromise: the Privacy Rule and the Security Rule.
Their respective principles and protections break down as follows:
- Privacy Rule summary – Defining the scope of what PHI includes, as well as who should be authorized to access it, why, and how, along with two main principles:
  - Restricting all access to PHI, except by request of its subject (or a representative), or in the event of permitted use and disclosure conditions (public benefit, etc.)
  - Restricting all (even authorized) access to PHI by the principle of minimum access required, including limiting and anonymizing data to the extent possible
- Security Rule summary – Implementing risk analysis and management to uphold the confidentiality, integrity, and availability of PHI, with three categories of safeguards:
  - Administrative safeguards to control management of processes and personnel, as well as information access, workforce awareness training, and evaluation
  - Physical safeguards to monitor, restrict, and generally control individuals’ access to facilities, workstations, and physical devices that allow access to ePHI
  - Technical safeguards to control access and auditing, as well as the integrity of individual hardware, software, and network traffic as it relates to ePHI
Before HITECH, these controls were the only real determinants of a company’s compliance.
HIPAA’s New Breach Notification Rule
Building upon these essential Privacy and Security protections, HITECH added the Breach Notification Rule. This Rule focuses less on the prevention of data breaches than on recovery in their aftermath. It requires companies to notify all individuals impacted by a data breach in a timely manner: immediately, if possible, but no more than 60 days later.
Companies must also report the breach to the HHS Secretary. Organizations must file this report within the same timeframe if the breach affects under 500 people, or annually if it affects more than 500 people. In the latter case, companies must also notify a local media outlet for transparency.
Component 2: Stricter Enforcement
The second major component of HITECH is its impact on the Enforcement Rule, which specifies penalties for noncompliance and the process by which HHS investigates and enforces them. At first, noncompliance penalties were relatively low. Companies would pay up to $100 per violation, totaling no more than $25,000 per calendar year for all accumulated violations. HITECH replaced this with four tiers of penalties, scaled to the offender’s level of culpability:
- Violations of which the offender did not know incur fines of $100 to $50,000 each, totaling up to $1,500,000 per calendar year for all accumulated violations.
- Violations qualifying for “reasonable cause” incur fines of $1,000 to $50,000 each, totaling up to $1,500,000 per calendar year for all accumulated violations.
- Violations due to willful neglect with correction incur fines of $10,000 to $50,000 each, totaling up to $1,500,000 per calendar year for all accumulated violations.
- Violations due to willful neglect without correction incur fines of $50,000 each, totaling up to $1,500,000 per calendar year for all accumulated violations.
Primarily because of these higher stakes, HITECH also implemented new auditing protocols, empowering the HHS to gain accurate insights into the extent of noncompliance industry-wide.
HIPAA / HITECH Compliance Auditing
Even before HITECH, the process of HIPAA enforcement involved protocols for the assessment and facilitation of compliance. The HHS’s Office for Civil Rights (OCR) works in conjunction with the US Department of Justice (DOJ) to investigate claims of non-compliance. If evidence of non-compliance is found, corrective actions or fines are assessed.
Now, these protocols have broadened in scope. HITECH has necessitated a comprehensive HIPAA auditing program to assess the adoption of the Privacy, Security, and Breach Notification rules across the healthcare industry. An investigation is no longer limited to claims; it applies to everyday cybersecurity operations. HIPAA auditing protocols delineate the HHS’s ability to monitor all relevant documents within the minimum necessary principle boundaries.
Component 3: Broader Application
HITECH’s final component is its impact on the covered entities that need to maintain compliance with HIPAA requirements. Before HITECH, the list comprised only the following:
- Healthcare providers – Private practices (doctors, psychologists, dentists, etc.) and group facilities (hospitals, clinics, nursing homes, etc.) that generate or process ePHI
- Health clearinghouses – All entities that generate, process, transmit, store, or otherwise come into contact with ePHI, translating it to or from standard formats
- Healthcare plans – Providers and other entities involved in the administration of health plans, such as health maintenance organizations (HMOs) and insurance companies
Compliance is also required for most business associates of these entities. Namely, any business associate that will come into contact with ePHI is directly responsible for compliance. Traditionally covered entities are also accountable for their partners’ compliance; business associate contracts, drafted to HHS specifications, can keep all parties safe.
How to Maintain HIPAA / HITECH Compliance
RSI Security offers robust, scalable HIPAA / HITECH compliance services to help all covered entities and their business associates achieve and maintain compliance. Our HIPAA Data Sheet breaks down the highlights of these offerings, like penetration testing and threat management.
Whatever your needs, RSI Security is your ideal partner for HIPAA compliance and cybersecurity across all mediums.
To circle back to the original question — what are the major components of the HITECH Act — the major components involve expanding HIPAA’s rules, the penalties for non-compliance, and the entities to whom these rules apply. To avoid non-compliance and cyberattacks’ costly repercussions, contact RSI Security today!