The US Department of Health and Human Services (HHS) drafted the original Health Insurance Portability and Accountability Act (HIPAA) in 1996. HIPAA designated patients’ medical data as “protected health information” (PHI) and developed security standards to safeguard it. Later, the Health Information Technology for Economic and Clinical Health Act (HITECH) added several security standards of its own to extend these protections to an increasingly digital landscape.
Overview of the HITECH Security Standards Rule
HITECH was drafted and integrated into the HIPAA framework to extend its protections for PHI into the realm of electronic PHI (ePHI). It introduced several new security standards and upgraded existing ones to protect all healthcare stakeholders.
Below, we’ll cover everything you need to know about HITECH’s security standards, including:
- A primer on the impacts of HITECH on broader HIPAA security standards
- An overview of all security standards across both HIPAA and HITECH
- A guide to full HIPAA / HITECH implementation and compliance
By the end of this blog, you’ll be well prepared to safeguard the ePHI in your company’s orbit, protecting you and your clients from cybercrime and from the other consequences of non-compliance.
Primary Impacts of HITECH on HIPAA
- Stricter enforcement, including significantly higher penalties for noncompliance
- Expanded scope of compliance, including the addition of a new HIPAA rule
- Broader sharing of responsibilities, spreading out to business associates
The first of these changes is the most straightforward. Before HITECH, the HIPAA Enforcement Rule specified penalties of up to $100 per violation, totaling no more than $25,000 per year. Adoption of the HITECH Act raised the base amounts and implemented a tiered system:
- $100 to $50,000 per “did not know” violation
- $1,000 to $50,000 per “reasonable cause” violation
- $10,000 to $50,000 per “willful neglect with correction” violation
- $50,000, flat, per “willful neglect without correction” violation
- $1,500,000 yearly maximum across all accumulated fines
Now, let’s take a look at HITECH’s other, more complex impacts on HIPAA security standards.
HIPAA / HITECH Breach Notification Rule
The addition of the HIPAA Breach Notification Rule is the most direct influence of HITECH on the particular security standards companies need to implement for compliance. Companies now need to be diligent about promptly notifying all impacted parties if and when a breach occurs.
For breaches impacting fewer than 500 people, Breach Reporting requirements include notice to all impacted parties within 60 days of breach discovery and an annual notice provided to the HHS Secretary within 60 days of that calendar year’s end. For breaches impacting more than 500 people, both the HHS Secretary and individual notices must be immediate, and the company must also notify a media outlet for greater transparency.
HIPAA Covered Entities After HITECH
Another way in which HITECH impacts security standards for healthcare and health-adjacent companies is by expanding the list of covered entities. Before HITECH, it only included:
- Healthcare providers, such as private doctors, dentists, psychologists, chiropractors, and group facilities like hospitals, nursing homes, clinics, pharmacies, etc.
- Health plan providers, health maintenance organizations (HMOs), governmental plans, company-supplied plans, and the health insurance providers themselves
- Healthcare clearinghouses, including all service providers that handle or process PHI and ePHI in nonstandard forms and translate them into standard forms (and vice versa)
Other Important HIPAA Requirements
Beyond the Breach Notification and Enforcement Rules, there are two other sets of HIPAA requirements (documented in HHS’s HIPAA for Professionals guidance) for covered entities and business associates:
- HIPAA Privacy Rule – First published in 2000, with compliance required as of 2003 for most companies, the Privacy Rule defines PHI and conditions for appropriate access
- HIPAA Security Rule – First published in 2003, with compliance required as of 2005 for most companies, the Security Rule adds standards for risk analysis and management
All relevant rules and regulations have been drawn together in the final Omnibus Rulemaking process, resulting in the HIPAA Administrative Simplification document. Let’s take a closer look at the Privacy and Security Rules based on these simplifications and HHS’s summaries.
HIPAA Privacy Rule Requirements
The Privacy Rule’s critical standards, per the HHS’s Privacy Rule summary, involve restricting unauthorized use and disclosure of PHI. The Rule also codifies which uses are permitted and, in some cases, required. Namely, permitted uses and disclosures include:
- Disclosure to or use by the subject of the (e)PHI or designated representative
- Disclosure or use as a course of treatment, payment, or health care operations
- Disclosure or use after a reasonable opportunity for the subject to agree or object
- Disclosure or use deemed incidental to any other authorized disclosures or uses
- Disclosure or use for the public’s interest, or as part of a public benefit project
- Disclosure or use of a limited data set for approved research
Even when use or disclosure is permitted, it should still be restricted under the “minimum necessary” standard. However, the minimum necessary standard does not apply to some access requests, including those made by the PHI subject or by a governmental agency.
HIPAA Security Rule Requirements
The critical security standards of the Security Rule, per the HHS’s Security Rule summary, involve preserving the confidentiality, integrity, and availability of PHI. To that effect, it requires measures for comprehensive risk monitoring, analysis, and mitigation. These break down as follows:
- Administrative Safeguards – Comprising security management processes and personnel, workforce training, information access management, and evaluation.
- Physical Safeguards – Comprising control over access to facilities, as well as management of devices and other hardware from which ePHI is accessible.
- Technical Safeguards – Comprising controls for audits, access, and integrity, in addition to robust monitoring and restriction of ePHI transmission over networks.
Taking the HITECH Act into consideration, these security standards (especially the technical safeguards) focus primarily on the confidentiality, integrity, and availability of ePHI specifically.
Achieving HIPAA / HITECH Compliance
Given the diversity and complexity of all the security standards, implementation and compliance can be challenging for many healthcare industry companies. For smaller businesses with fewer resources dedicated to IT, professional advisory services can be extremely beneficial. RSI Security offers a suite of HIPAA / HITECH services, including:
- Staff-wide awareness training on HIPAA / HITECH requirements
- Patch monitoring, reporting, and corrective advisement and action
- Comprehensive incident management, including detection and response
- Internal and external network penetration testing, “white hat” and “black hat”
To learn more about our HIPAA / HITECH-related offerings, see our HIPAA Services Data Sheet. RSI Security is happy to help all healthcare and adjacent businesses stay compliant.
Compliance and Cyberdefense Assistance
For over a decade, RSI Security has helped covered entities and their business associates achieve HIPAA and HITECH compliance. As cybersecurity leaders, we also know that compliance is just the beginning of cybersecurity; companies need robust architecture and infrastructure for full protection. We help companies build these too.
For unmatched advisory support with HITECH security standards and more, contact RSI Security today!