The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has shaped how cybersecurity works in the healthcare industry for a quarter-century. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) substantially amended how HIPAA's privacy and security requirements are applied and enforced.
Read on to learn about the advantages and disadvantages of the HITECH Act.
Pros and Cons of the HITECH Act
The HITECH Act modernized cybersecurity standards in healthcare, paying particular attention to the electronic storage and transmission of sensitive health information. While HITECH brings substantial benefits for patients, it also imposes several challenges on healthcare organizations. This blog will walk you through several of the pros and cons, including:
- Deeper, more comprehensive cybersecurity protections (pro)
- Compounding challenges of HIPAA and HITECH compliance (con)
- Broader protections across healthcare industry stakeholders (pro)
- Harsher penalties for noncompliance, impacting more parties (con)
We’ll also break down how to achieve and maintain HIPAA compliance. First, let’s take a quick look at the history of HIPAA and HITECH.
The History of HIPAA and HITECH
The US Department of Health and Human Services (HHS) writes and, through its Office for Civil Rights (OCR), enforces the regulations that implement HIPAA. HIPAA exists to protect patients’ medical and payment data, known as protected health information (PHI). Although the statute was signed in 1996, its first implementing regulation, the Privacy Rule, was not published until December 2000. There have been many updates since, including HITECH.
Less than a decade later, the Great Recession ushered in the 111th Congress’s recovery effort, H.R.1, the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA introduced the HITECH Act; see the HealthIT.gov index of key ARRA excerpts, pages 112-164.
HITECH, enacted as part of Public Law 111-5 (Title XIII of ARRA), was designed to promote the adoption of electronic health records and to extend HIPAA’s safeguards to the health information technology (health IT) that the original rules had not anticipated.
Advantages and Disadvantages of HITECH Act
Understanding the potential advantages and disadvantages of HITECH for your company involves grasping its impact on HIPAA and the relationship between the two. According to the experts at HIPAA Journal, the impact of HITECH on HIPAA is threefold:
- The addition of a new rule required for HIPAA compliance
- A broadening of stakeholders who need to maintain compliance
- Higher penalties for noncompliance for all parties involved
In other words, HITECH increases protections; it also holds more parties accountable and raises the stakes of accountability. Most HITECH provisions were written into the HIPAA regulations through the 2009 interim Breach Notification Rule and the 2013 Omnibus Final Rule, so complying with HIPAA today means complying with HITECH as well. Now, let’s take a closer look at what that means at a practical level.
Pro: Deeper, More Robust Cyberdefenses
Maybe the most significant impact of HITECH on HIPAA, and the biggest pro for all stakeholders, was the Breach Notification Rule (45 CFR 164.400-414). It requires covered entities to notify each individual whose unsecured PHI was compromised without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered (the first day on which it was known, or by exercising reasonable diligence would have been known, to the entity). A business associate that discovers a breach must notify the affected covered entity within the same 60-day limit.
The reporting requirements are more stringent for breaches affecting 500 or more people. Those breaches must be reported to the Secretary of HHS within the same 60-day window, whereas smaller breaches are logged and submitted to HHS within 60 days after the end of the calendar year in which they were discovered. If more than 500 residents of a single state or jurisdiction are affected, the entity must also notify prominent media outlets serving that area, an additional burden (and con).
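To make the tiers concrete, here is a small Python helper, added as an example and not code from the original post or from RSI Security, that turns a discovery date and a per-state headcount into the three notification deadlines the rule sets. The state counts and dates are constructed inputs; an incident-response runbook would feed it the real figures from the breach assessment.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds from 45 CFR 164.406 and 164.408.
HHS_IMMEDIATE_THRESHOLD = 500   # 500 or more individuals in total
MEDIA_THRESHOLD = 500           # more than 500 residents of one state/jurisdiction
OUTER_LIMIT_DAYS = 60           # "in no case later than 60 calendar days"


@dataclass
class NotificationPlan:
    """Deadlines (ISO dates) derived from the HIPAA Breach Notification Rule."""
    individuals_by: str                 # 164.404: each affected individual
    hhs_by: str                         # 164.408: Secretary of HHS
    hhs_route: str                      # immediate report vs. annual log
    media_jurisdictions: list[str] = field(default_factory=list)  # 164.406


def notification_plan(discovery_iso: str, affected_by_state: dict[str, int]) -> NotificationPlan:
    """
    discovery_iso: the day the breach was known, or by reasonable diligence
        would have been known, to the entity (164.404(a)(2)); this, not the
        day the intrusion happened, starts the clock.
    affected_by_state: affected individuals per state/jurisdiction (constructed
        mapping; the keys are whatever labels the breach assessment uses).
    """
    discovery = date.fromisoformat(discovery_iso)
    total = sum(affected_by_state.values())

    # Individual notice: without unreasonable delay; 60 days is the outer limit,
    # not a target, so this is the latest defensible date.
    individuals_by = discovery + timedelta(days=OUTER_LIMIT_DAYS)

    # HHS notice: the total headcount decides the route.
    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs_by = individuals_by
        hhs_route = "report to HHS contemporaneously with individual notice (164.408(b))"
    else:
        year_end = date(discovery.year, 12, 31)
        hhs_by = year_end + timedelta(days=OUTER_LIMIT_DAYS)
        hhs_route = "log and submit to HHS within 60 days after the end of the calendar year (164.408(c))"

    # Media notice is judged per jurisdiction, not on the total.
    media = sorted(s for s, n in affected_by_state.items() if n > MEDIA_THRESHOLD)

    return NotificationPlan(individuals_by.isoformat(), hhs_by.isoformat(), hhs_route, media)


if __name__ == "__main__":
    # Constructed scenario: a large breach concentrated in one state.
    print(notification_plan("2024-03-10", {"CA": 600, "NV": 20}))
```

Note the asymmetry the helper makes visible: a breach of 300 Californians and 300 New Yorkers crosses the HHS threshold on the total but triggers no media notice, because no single jurisdiction exceeds 500 residents.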
Con: Challenges for Healthcare Professionals
The Breach Notification Rule is relatively straightforward; it is not the most burdensome challenge for your IT team. However, it adds to and compounds the demands of the other HIPAA Rules. For example, the core protections of the Privacy Rule break down as follows:
- Permit only select uses and disclosures – PHI may be used or disclosed without the individual’s written authorization only in defined situations: to the individual, for treatment, payment, and health care operations, where the individual has the opportunity to agree or object, incidentally to a permitted use, for specified public-interest purposes (such as public health and law enforcement), and as a limited data set for research, public health, or operations. Anything else requires authorization.
- Limit disclosure to the minimum necessary – For permitted uses, disclosures, and requests (treatment disclosures and a few other cases are exempt), the amount of PHI involved must be limited to the minimum necessary to accomplish the purpose.
The other main rule is the Security Rule, which applies to electronic PHI (ePHI) and requires three categories of safeguards:
- Administrative Safeguards – A security management process (risk analysis and risk management), an assigned security official, workforce security and information access management, security awareness training, incident response procedures, a contingency plan, periodic evaluation, and business associate contracts.
- Physical Safeguards – Facility access controls, workstation use and security policies, and device and media controls covering disposal, reuse, and movement of hardware that holds ePHI.
- Technical Safeguards – Access control (unique user identification, emergency access, automatic logoff, and encryption), audit controls that record activity in systems holding ePHI, integrity controls against improper alteration or destruction, person or entity authentication, and transmission security for ePHI in transit.
All these controls, plus those required for the Breach Notification Rule, can make compliance challenging for every organization that must comply. This leads us to the next pro.
Pro: Protections for More Stakeholders
Another significant impact of HITECH on HIPAA is that compliance obligations now extend directly to business associates. Before HITECH, only covered entities (health care providers that transmit standard transactions electronically, health plans, and health care clearinghouses) were directly bound by the Privacy and Security Rules; their vendors were bound only by contract. Now business associates, and under the 2013 Omnibus Rule their subcontractors, are directly liable for the Security Rule and for the Privacy Rule provisions that apply to them.
Healthcare organizations now need to be extremely diligent with their business associate agreements (BAAs). A misstep by an external service provider can hurt both parties. On the bright side, this means greater protection for all stakeholders involved.
Con: Greater Compliance Consequences
The other side of more parties being compliant is that more parties may now potentially face non-compliance penalties. Compounding this factor, HITECH also drastically increased the existing penalties under HIPAA’s Enforcement Rule. Consider this before and after:
- Original HIPAA penalties – Up to $100 per violation, with a maximum of $25,000 for all violations of an identical provision in a calendar year
- HITECH adjusted penalties – Four tiers from $100 to $50,000 per violation, based on the violator’s level of culpability (from unknowing to willful neglect left uncorrected), with an annual maximum of $1,500,000 per identical provision; these figures are adjusted for inflation each year
Despite these changes, the process of HIPAA enforcement has remained the same. HHS, through OCR, investigates complaints and breach reports and refers cases involving criminal conduct to the US Department of Justice (DOJ); criminal penalties can include fines and up to ten years of imprisonment, depending on intent. HITECH also authorized state attorneys general to bring civil actions on behalf of their residents.
Understanding HIPAA / HITECH Compliance
To take advantage of the pros of HITECH while avoiding the cons, you need a plan for achieving and maintaining compliance over the long term. To that end, RSI Security offers a suite of HIPAA / HITECH services, including but not limited to:
- Risk analysis and vulnerability scanning for threats to your company’s PHI
- Assessment, patch reporting, and corrective assistance for HIPAA compliance
- Managed firewall services and proactive web filtering to blunt phishing and other social engineering attacks
- Penetration testing to find exploitable weaknesses before attackers do
- Training and awareness programs to educate all staff and stakeholders on HIPAA
We’ll work with your internal IT team to tailor a plan and architecture to your unique needs and means. For a fuller picture of what our HIPAA services comprise, see our HIPAA Data Sheet.
Professional Healthcare Cyberdefenses
Here at RSI Security, we know how vital compliance is for all companies, especially those within or adjacent to the healthcare industry. We also understand that compliance is not the end of cybersecurity; it’s just the start. Our talented team of experts is happy to work with you through all of the HITECH Act’s advantages and disadvantages.
No matter where you are on the journey toward compliance and cyberdefense, contact RSI Security today to move forward!