The US Department of Health and Human Services (HHS) presides over all healthcare and patient safety matters to “enhance the health and well-being of all Americans.” Extending this protection to patients’ health information, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) set baseline requirements for how hospitals and doctors process data. In 2009, HITECH compliance requirements expanded these protections to meet the evolving threat of cybercrime.
Now, it’s not just healthcare providers that need to comply.
Your Guide to HITECH Compliance Requirements
Some refer to HITECH as “HIPAA 2.0” or a more advanced HIPAA. There’s some truth in this, as the HITECH Act strengthens HIPAA protections and requirements, making compliance more challenging and more rewarding. HITECH compliance doesn’t exist in isolation; it’s all a part of broader HIPAA compliance.
In the sections that follow, we’ll break down everything you need to know, providing:
- A primer on HIPAA compliance requirements independent of HITECH
- A detailed look at the new compliance requirements HITECH adds
- A comprehensive guide to HIPAA and HITECH audits and compliance
By the end of this blog, you’ll be well prepared for HIPAA and HITECH compliance. But before getting into the individual requirements for each, let’s touch on the relationship between them.
How Does HITECH Relate to HIPAA?
As noted above, HITECH is an extension of HIPAA. According to the HIPAA Journal experts, the HITECH Act’s primary purpose is safeguarding patients’ protected health information (PHI). It does this by creating standards for health information technology.
Thus, the relationship between HITECH and HIPAA comprises a handful of fundamental changes:
- Patients can now receive electronic PHI (ePHI) in addition to traditional paper forms.
- Companies are now encouraged to transition to ePHI through financial incentives.
- Further restrictions apply to ePHI, such as prohibiting its sale without the patient’s consent.
- New HIPAA rules on breach notifications are now required for compliance.
- All existing HIPAA rules now apply to a broader range of business associates.
- Businesses are now held accountable for the compliance of their associates.
The sections below will break down the exact implications these changes have for HITECH compliance. But first, let’s detail the prerequisite HIPAA compliance.
HIPAA Compliance Requirements
Aside from new Breach Notification requirements implemented through HITECH, HIPAA requirements for professionals comprise two rules: Privacy and Security. The Privacy Rule is the basis for all of HIPAA. It was published first in 2000, whereas the Security Rule reached its first form in 2003. Administrative Simplifications for Public Law 104-191 detail the specific requirements that became HIPAA.
The Enforcement Rule is the other main HIPAA requirement that existed independently of HITECH. This rule specifies protocols for compliance auditing and penalties for compliance violations. This rule was impacted significantly by the HITECH Act. The subsection below will function as a bridge into the next main section on HITECH compliance requirements.
HIPAA Privacy Rule Requirements
According to the HHS’s summary of the HIPAA Privacy Rule, its main principle is twofold. It prohibits all disclosure of PHI except under conditions the Rule defines or with written consent provided by the patient. It also requires disclosure of PHI to the patient upon their request, or to HHS in the event of an audit or another condition for government access.
Uses and disclosures permitted by the Privacy Rule include the following:
- Unlimited disclosure to the individual who is themselves the subject of the PHI
- Use or disclosure necessary for treatment, payment, and healthcare operations
- Use the patient has had the opportunity to object to (“informal,” incapacitated, etc.)
- Incidental use or disclosure of related information when other PHI is being shared or used
- Specific uses or disclosures undertaken for public interest or benefit (broadly defined)
- Use or disclosure within a limited data set that anonymizes patients for research
The other main principle of the Privacy Rule is the concept of “minimum necessary.” This requires that for authorized uses, reasonable efforts are made to restrict the amount of PHI requested and shared to the minimum information necessary for the task at hand.
HIPAA Security Rule Requirements
The HHS’s summary of the HIPAA Security Rule requirements stipulates four “General Rules” that govern its “reasonable and appropriate” administrative, technical, and physical PHI safeguards. The four General Rules break down as follows:
- Ensuring confidentiality, integrity, and availability of PHI to support the Privacy Rule
- Identifying and mitigating reasonably anticipated risks to security or integrity of PHI
- Safeguarding against reasonably anticipated risks of unauthorized use or disclosure
- Monitoring for and enforcing HIPAA Security compliance across the entire workforce
Implementing a robust risk analysis and management program is essential to satisfying these requirements. Companies must also install the following three classes of safeguards:
- Administrative Safeguards – Including security management process, dedicated security personnel, information access management, workforce training, and evaluation
- Physical Safeguards – Including control and authorization of access to facilities, as well as strict monitoring and access control related to individual workstations and devices
- Technical Safeguards – Including more comprehensive access control, audit controls, integrity controls, and transmission monitoring and security across networks and servers
Some controls and practices are “required,” while others are considered “addressable.” It’s not strictly required to implement “addressable” controls and practices, although it is recommended. Companies that implement all safeguards increase their security and decrease their risk profile.
HIPAA Enforcement Rule Specifications
As noted above, the Enforcement Rule was more significantly influenced by the HITECH Act than the Privacy and Security Rules. However, one element that has remained relatively stable is the process of HIPAA enforcement, detailed by HHS. This includes the following flow:
- The HHS’s Office for Civil Rights (OCR) receives a HIPAA-related complaint.
- Intake and review may lead to an immediate resolution if one of the following is true: the offender is not a covered entity (see below); a would-be violation occurred before April 14, 2003; the complaint was not filed on time (within 180 days); the incident(s) in the complaint do not constitute a violation.
- Intake may determine a violation is possible, leading to an investigation.
- If the violation is criminal, the US Department of Justice (DOJ) may be involved. The DOJ’s investigation supersedes the OCR’s investigation and resolution.
- The OCR’s investigation can lead to a resolution in one of three ways: the OCR formally finds a violation and begins enforcement; the OCR reaches an agreement with the offending party; the OCR finds no violation or insufficient evidence of a violation.
The penalties incurred for an official violation are some of the most significant changes implemented by HITECH. Before getting into what these are and how they’ve changed over time, let’s take a closer look at all of HITECH’s requirements.
HITECH Compliance Requirements
The HITECH Act was not a standalone legal development. It was one part of the much broader H.R.1 – American Recovery and Reinvestment Act of 2009 (ARRA), introduced by the 111th Congress. It became Public Law 111-5 in February of 2009. The HITECH Act contents are accessible via an index of ARRA excerpts (pages 112-164) compiled by HealthIT.gov.
The requirements and specifications detailed above are all part of HITECH compliance. In addition, HITECH adds the Breach Notification Rule, a new set of requirements in its own right. The HITECH Act also broadens the reach of the HIPAA requirements it doesn’t directly change, by adding to the list of covered entities who need to uphold all HIPAA Rules. The following subsections will detail the HITECH compliance requirements for healthcare companies and their associates.
Breach Notification Rule Requirements
The Breach Notification Rule requires healthcare providers and other covered entities to notify impacted parties of a data breach. The particular sub-rules share similarities and crossover with the Health Breach Notification Rule of the Federal Trade Commission (FTC).
The HHS defines data breaches somewhat broadly. All unauthorized uses and disclosures of PHI that violate the Privacy or Security Rules are presumed to be breaches. Exceptions apply where an assessment of the following factors shows that the impact on the affected patients’ PHI was limited:
- The kind and volume of data exposed, including identifiers and risk of re-identification
- The party or parties who used the PHI or to whom the disclosure was made
- Whether or not exposed information was viewed or used
- The extent of risk mitigation surrounding the exposure of PHI
Furthermore, Breach Reporting specifications include the following requirements:
- For breaches impacting fewer than 500 people – Notice to all impacted parties within 60 days of the breach; annual notice to the HHS secretary via the official breach report form
- For breaches impacting more than 500 people – Equivalent requirements for personal notice; immediate notice to the secretary; media notice within 60 days of the breach
These requirements add an extra dynamic to compliance, as any unauthorized disclosure or use can now be grounds for violation of multiple Rules simultaneously (i.e., Privacy and Breach).
Updated Compliance and Enforcement
As a result of HITECH Act enforcement, the HIPAA Enforcement Rule now includes more robust penalties for violations. Rather than a single, low-range money penalty for all offenses, HITECH introduces a tiered system depending on the offending party’s knowledge and intent:
- “Did not know” violations – Between $100 and $50,000 per violation, up to a maximum of $1.5 million per year for all such violations
- Reasonable cause violations – Between $1,000 and $50,000 per violation, up to a maximum of $1.5 million per year for all such violations
- Willful neglect with corrections – Between $10,000 and $50,000 per violation, up to a maximum of $1.5 million per year for all such violations
- Willful neglect without correction – A flat fee of $50,000 for each violation, up to a maximum of $1.5 million per year for all such violations
In addition to these civil money penalties, HIPAA violations may also incur criminal charges. At the DOJ’s discretion, these can carry jail sentences ranging from one year to ten years.
Compliance for Business Associates
Finally, HITECH’s most wide-reaching implication is the updated scope of who exactly must maintain HIPAA compliance. As briefly noted above, HITECH adds business associates to the list of covered entities or parties that need to comply with all the HIPAA rules. Before HITECH, the list included just healthcare providers, health plans, and healthcare clearinghouses.
Now, however, third parties with whom these entities do business are also covered — strategic partners such as service providers, attorneys, and pharmacies all need to be compliant. Some outsourced administrators, such as particular managed IT providers, may also need to comply.
In practice, this means more organizations need to worry about HIPAA compliance than before. The HHS provides tools to gauge and meet your compliance needs, like the covered entity questionnaire and guide to compliance requirements for business associate contracts.
HIPAA and HITECH Audit Requirements
The final element of HITECH-specific compliance requirements involves the process of HIPAA and HITECH auditing. HITECH requires the HHS to periodically monitor all covered entities (and select business associates). The first phase of audits was launched as a pilot from 2011 to 2012 on 115 identified stakeholders. Phase two has been ongoing since 2016.
The exact HHS HIPAA audit protocol, including all specific criteria and testing procedures, was updated as recently as 2018. Similar to the minimum necessary principle of the Privacy Rule, HIPAA auditing does not require comprehensive documentation of practices. Companies are required and encouraged to submit only the documents specified by HHS or the auditing agent.
Simplifying HIPAA and HITECH Compliance
Given all the HIPAA and HITECH compliance requirements detailed above, companies can find it challenging to stay fully secure. Third-party advisory services, like RSI Security’s HIPAA and HITECH compliance suite, can help any healthcare provider or business associate stay safe.
The core of our comprehensive HIPAA and HITECH compliance advisory suite comprises:
- Risk analysis to determine the risks facing your PHI and ePHI
- Auditing and assistance for all HIPAA and HITECH Rules
- Internal and external network penetration testing
- Complex vulnerability scanning and mitigation
Plus, these services aren’t all we offer. Consult our HIPAA and HITECH datasheet for a complete rundown of how we can help you protect PHI. Or browse our broader compliance advisory and other cybersecurity services. To simplify implementing HITECH compliance requirements and optimizing your overall cyberdefense, contact RSI Security today!