The Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA, has had immense impacts on the domestic and global healthcare industry. Over a decade later, the US Department of Health and Human Services (HHS) expanded HIPAA’s protections with the publication of the Health Information Technology for Economic and Clinical Health Act (HITECH). But what are the HITECH safety measures? In other words, what do you need to do to fully secure your company and its stakeholders? Keep reading to find out.
What are the HITECH Safety Measures?
HITECH adds several safety and security measures to those already existing in the HIPAA framework. Many see HITECH as a second HIPAA, but in reality, it’s more of an extension of the previous measures. Understanding and implementing HITECH’s safety measures requires knowing how and why it was added to HIPAA.
This guide breaks down everything there is to know about HITECH safety measures, including:
- Some background on HITECH’s publication and the cybersecurity context
- The full breakdown of HIPAA and HITECH rules and requirements
- A closer look at HIPAA / HITECH auditing and compliance
By the end of this article, your company will be ready to begin (or continue) your journey toward compliance. But first, let’s take a look at whether these safety measures apply to your company.
Who Exactly Needs to Be HITECH Compliant?
Companies that need to follow HIPAA and HITECH rules are those in or adjacent to the healthcare industry. Before HITECH, the list of covered entities had three main categories:
- Healthcare providers – Clinics, hospitals, pharmacies, nursing homes, and private practices of doctors, dentists, chiropractors, psychologists, etc.
- Healthcare plan providers – Health insurance companies, health maintenance organizations (HMOs), governmental plans, and company-supplied plans
- Healthcare clearinghouses – Companies that process nonstandard health information
With the HITECH Act’s implementation, these companies’ business associates are also required to comply with HIPAA guidelines. Business associates include but are not limited to:
- Third-party administrators who assist with the processing of health plan claims
- Pharmacy staff, like benefits managers, who manage a health plan network
- Accountants, attorneys, and advisors who come into contact with sensitive medical data
- Consultants who have access to a healthcare provider’s medical data
- Healthcare clearinghouses that translate and forward transactions
This expansion of coverage is a primary safety measure of HITECH. In most cases, responsibility for a third party’s compliance is shared between the business associate and the covered entity. HHS provides guidance on business associate contracts to keep all parties compliant.
History and Context Surrounding HITECH
On the heels of the “Great Recession” of 2007 to 2009, the 111th Congress passed H.R.1, the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA, which became Public Law 111-5, was designed to help rebuild the damage done by the housing market’s collapse. It also had far-reaching implications for nearly every industry — like HITECH’s impact on healthcare.
Like the other key portions of ARRA indexed by HealthIT.gov, HITECH was aimed at greater transparency and consumer protections. Namely, it pushed healthcare providers and other adjacent companies to adopt electronic methods of processing patients’ health information.
The HITECH portion of ARRA hedges against inherent security risks related to virtual records by expanding existing HIPAA protections into the virtual space. Thus, to fully understand the safety measures HITECH entails, it’s also essential to understand the backdrop of HIPAA itself.
Protecting Patients’ Sensitive Information
Before the advent of HITECH, HIPAA safety measures for professionals designated patients’ medical and financial records as protected health information (PHI). HIPAA’s protections for PHI would gradually evolve to focus on electronic PHI (ePHI) with the adoption of the HITECH Act.
The original HIPAA safety measures include privacy, security, and their enforcement:
- The HIPAA Privacy Rule – Governing baseline standards for authorization of use and disclosure of PHI and ePHI; its first final version was published in December of 2000
- The HIPAA Security Rule – Governing specific administrative, physical, and technical safeguards required to protect PHI and ePHI; first finalized in February of 2003
- The HIPAA Enforcement Rule – Providing standard protocols for investigating and punishing noncompliance issues, such as unauthorized access or data breaches
HITECH eventually adds an entirely new rule, along with additional safety measures, as well as updates to the scope and severity of enforcement (which we’ll detail below). But first, let’s take a look at why ePHI — and the technology that houses it — is so important to safeguard.
Importance of Health Information Technology
While the adoption of health information technology (health IT) facilitates access to ePHI for patients, it also opens up innumerable weaknesses for hackers to exploit. The HITECH Act was published at least in part to address and preempt vulnerabilities inherent to servers, networks, and other health IT taking over the healthcare industry. These vulnerabilities include the now-widespread use of cloud computing and health apps to generate, transmit, and store ePHI.
The Final Omnibus Rule marked the first integration of HITECH and HIPAA. In addition, HHS has developed numerous resources explicitly targeted at health information technology providers and related stakeholders. For example, the Privacy and Security Framework Introduction offers an overview of which HIPAA principles to understand and apply.
Over time, the focus of HIPAA and HITECH safety measures has shifted toward ePHI and health IT. As companies transition from paper to digital, health IT only grows more critical.
HIPAA and HITECH Cybersecurity Rules
To understand HIPAA and HITECH safety measures’ full extent, you need to grasp the relationship between HITECH and HIPAA. According to HIPAA Journal, the main elements of this relationship have to do with expansions of HIPAA across three main categories:
- New responsibilities for business associates of covered entities
- Increased civil money penalties for HIPAA noncompliance violations
- A whole new rule (on breach notifications), added to Privacy and Security
The first of these new HITECH security measures, detailed above, relates to business associates. In the sections immediately below, we’ll take a look at the new Breach Notification Rule and the enhanced Enforcement Rule (in the context of all HIPAA and HITECH requirements).
HIPAA / HITECH Privacy Rule
The HIPAA Privacy Rule, including HITECH safety measures, exists to restrict unauthorized access to ePHI. To that effect, the two main principles of the Privacy Rule are:
- Permit only select uses and disclosures – Covered entities may not use or disclose ePHI unless its subject requests as much or one of the following criteria is met:
  - Use or disclosure is granted to the subject of the ePHI (or a representative)
  - Use or disclosure relates to treatment, payment, or healthcare operations
  - The subject has a reasonable opportunity to agree or object to use or disclosure
  - Use or disclosure is incidental to otherwise authorized uses or disclosures
  - Use or disclosure relates to the public interest or a public benefit project
  - Use or disclosure is related to research and contained to a limited data set
- Limit disclosure to minimum necessary – When use or disclosure is authorized, it should be limited to the minimum amount or extent required, except in these cases:
  - Use or disclosure to the subject of the ePHI (or a representative)
  - Use or disclosure requested by a healthcare provider for care purposes
  - Use or disclosure required by governmental agencies for legal reasons
  - Use or disclosure required by HHS for compliance enforcement
The Privacy Rule doesn’t just restrict access. It also requires disclosure of ePHI to its subject at their request, and to HHS or government agencies in the cases detailed above.
HIPAA / HITECH Security Rule
The Security Rule exists to ensure the confidentiality, integrity, and availability of ePHI, including monitoring and mitigating threats. To that end, the requirements of the Security Rule are:
- Administrative Safeguards – Governing security protocols from the highest level, including staffing and allocation of resources, specifically in five key areas:
  - Security management process, including threat detection and response
  - Security personnel, including one or more dedicated security officers
  - Information access management, consistent with the Privacy Rule
  - Workforce training, for all personnel, on essential HIPAA requirements
  - Evaluation, or periodic assessment and verification of safeguards
- Physical Safeguards – Governing controls related to physical, proximal access to hardware and servers containing ePHI, particularly in two areas:
  - Facility access control, restricting access to protected premises
  - Device and workstation security, managing sensitive endpoints
- Technical Safeguards – Governing the technological and virtual controls needed to protect user accounts and communications, especially in four main areas:
  - Access control, accounting for ID and credential management
  - Audit controls, including monitoring of software and hardware
  - Integrity controls, ensuring ePHI is not improperly altered
  - Transmission security, for communication over networks
Covered entities are required to integrate all of these safeguards and applicable Privacy and Breach Notification safety measures (see below) into Risk Analysis and Management.
HIPAA / HITECH Breach Notification Rule
The HITECH Act’s adoption resulted in an entirely new rule to account for data breaches or unauthorized uses or disclosures of information (as defined by the Privacy Rule). To contain the attack and recover resources is not enough; covered entities must also notify stakeholders who may have been impacted by the attack, including the secretary of HHS and the media.
Some Breach Notification Rule specifications differ depending on the size of the breach:
- Personal notice – In any breach, regardless of size, personal notice must be sent to all affected parties without unreasonable delay (and always within 60 days of breach discovery)
- HHS secretary notice – For breaches impacting 500 or more people, HHS must be notified immediately (within 60 days); breaches impacting fewer than 500 people may be reported in an annual notice
- Media notice – If a breach impacts more than 500 people in a given state or region, the covered entity must notify a major media outlet in that region (within 60 days)
While all unauthorized uses and disclosures constitute a breach by default, there are certain exceptions in which they don’t. For example, if the covered entity can prove that exposure of one limited portion of ePHI does not jeopardize any other data, it may not be a data breach.
HIPAA / HITECH Enforcement Rule
Less a branch of HITECH safety measures than a set of consequences, the HIPAA Enforcement Rule has undergone significant changes since HITECH’s adoption. Before HITECH, noncompliance could result in civil money penalties up to the following limits:
- Individual fines of up to $100 per violation
- A yearly cap of $25,000 for all violations
However, HITECH Act enforcement has increased these penalties along a tiered system:
- Individual fines of $100 to $50,000 per violation, depending on the tier:
  - $100 to $50,000 for “did not know” violations
  - $1,000 to $50,000 for “reasonable cause” violations
  - $10,000 to $50,000 for willful neglect with correction
  - A flat $50,000 for willful neglect without correction
- A yearly cap of $1.5 million for all violations
The process of HIPAA enforcement has remained relatively unchanged since the integration of HITECH. HHS’s Office for Civil Rights (OCR) works in conjunction with the US Department of Justice (DOJ) to determine whether civil or criminal penalties are appropriate.
Auditing, Compliance, and Safety
Another safety measure adopted as a part of HITECH is regular monitoring of covered entities. HHS has conducted HIPAA / HITECH auditing over multiple phases, starting with the audit pilot program, completed in 2012. Its processes comprised the following:
- A notification letter (Day 1), then response and planning of audit process (~Day 10)
- On-site fieldwork (Days ~30-90) and audit reporting (~20-30 days, after fieldwork)
- Review of the report and corrective action (~10 days) and final report (within ~30 days)
Moving forward, the updated audit protocols, current as of 2018, expand the scope of monitored practices and controls. Companies must implement all HIPAA safety measures, including those related to the HITECH Act’s full extent. However, audits are now more streamlined, requiring only the minimum possible documentation to verify compliance.
HIPAA / HITECH Advisory Services
To streamline compliance even further, many covered entities and business associates turn to IT service providers for robust HIPAA / HITECH compliance advisory services. For example, RSI Security has been helping businesses across the healthcare industry for over a decade.
Our HIPAA services suite comprises everything from basic risk monitoring of your ePHI environment to powerful analytical tools, like vulnerability scanning and penetration testing.
To return to the question from above: what are the HITECH safety measures?
Given HITECH’s impact on broader HIPAA enforcement, they comprise all the HIPAA Rules — Privacy, Security, Breach Notification, and Enforcement. Contact RSI Security today to see how simple HIPAA compliance can be. We’re happy to optimize your cyberdefenses and protect your clients’ ePHI.