What is the Role of the HITECH Act in Maintaining HIPAA Compliance?

Introduction

You may have heard that HIPAA and the HITECH Act are closely related. But what exactly is the HITECH Act's role in maintaining HIPAA compliance? HIPAA was a landmark act in its own right, but over time other legislation, rules and standards have strengthened it.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the federal law whose Privacy and Security Rules set national standards for protecting patients' health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009, so the two acts have complemented each other since then. But how exactly does each strengthen the other? In this article, we explain the interrelationship between the HITECH Act and HIPAA in the form of FAQs. So, let's find answers to your questions!

What is the HITECH Act?

In 2009, President Barack Obama signed the American Recovery and Reinvestment Act (ARRA) into law. This economic stimulus package includes the Health Information Technology for Economic and Clinical Health (HITECH) Act, which encouraged healthcare providers to adopt and meaningfully use health IT and electronic health records (EHRs).

The HITECH Act consists of four subtitles, lettered A through D. Subtitle A concerns the promotion of health information technology and has two parts: the first deals with improving the quality, safety and efficiency of care, and the second with the application and use of adopted health IT standards.

Subtitle B covers the testing of health information technology. Subtitle C covers funding through grants and loans. Finally, Subtitle D covers the privacy and security of electronic health information and is also divided into two parts: Part 1 contains improved privacy and security provisions for protected health information (PHI) and health IT, and Part 2 sets out the relationship between the HITECH Act and other laws.

What are the Purposes of the HITECH Act?

Beyond encouraging healthcare providers to adopt EHRs, the act had other purposes. It closed gaps in HIPAA by making its requirements stricter and easier to enforce. In particular, it made business associates (BAs) and covered entities (CEs) directly accountable for complying with HIPAA and introduced a requirement to notify affected individuals in the event of a data breach.

The HITECH Act also introduced higher penalties for non-compliance. This pushed BAs and CEs to pay closer attention to their methods and procedures for complying with the HIPAA Security and Privacy Rules and to be more careful in safeguarding their patients' PHI and ePHI.

What is the Meaningful Use Program?

The Department of Health and Human Services (HHS), through the Centers for Medicare & Medicaid Services (CMS), funded the Meaningful Use Program, which paid incentive payments to healthcare providers that adopted certified electronic health records (EHRs) and demonstrated that they used them meaningfully. The program's purpose was to make care more efficient and affordable, to improve population health, and to ensure the security and privacy of patients' medical records.

To receive incentive payments, healthcare providers had to demonstrate that they had implemented certified EHRs and were using them effectively. They also had to meet the minimum required objectives at each stage of the program. In addition, they had to show compliance with the HIPAA Privacy and Security Rules by conducting a security risk analysis.

How Did the HITECH Act Impact HIPAA?


After the HITECH Act was signed in 2009, HIPAA's regulations were updated in several ways, but the HIPAA Omnibus Rule had the final word. Published in January 2013, the Omnibus Final Rule implemented the HITECH Act's changes to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules, and in doing so substantially strengthened the compliance obligations of business associates (BAs). Here are the main aspects of HIPAA that the HITECH Act enhanced, as reflected in the Omnibus Rule.

How did the Penalties for HIPAA Violations Change?

Before the HITECH Act, civil monetary penalties for covered entities (CEs) were relatively small: 100 USD per violation, with a maximum of 25,000 USD per year for violations of the same provision. Practically any organization could afford such fines. The legislation also contained loopholes that allowed CEs to avoid penalties altogether, for example if they could show they did not know of the violation.

As mentioned above, the HITECH Act made HIPAA stricter. It introduced a tiered penalty structure for CEs and BAs and made penalties mandatory for violations due to willful neglect. Under the new structure, the maximum penalty rose to 50,000 USD for a single violation, with an annual cap of 1.5 million USD for violations of the same provision (both figures have since been adjusted for inflation). This increase pushed covered entities and business associates to take HIPAA compliance seriously.

This change also strengthened the HHS Office for Civil Rights (OCR). The HITECH Act directs that collected civil monetary penalties be used to fund OCR enforcement, so OCR gained more resources for investigating data breaches. The act also required HHS to conduct periodic audits of HIPAA-covered entities and BAs.

How did the HITECH Act make BAs HIPAA-Compliant?

Under HIPAA, business associates (BAs) had only a contractual obligation to comply, and until the HITECH Act there was no direct enforcement of that obligation. Covered entities (CEs) could avoid penalties for data breaches simply by saying that they did not know about their BAs' non-compliance with the HIPAA Rules. Thus, the affordable penalties and loopholes in the law allowed BAs to fall short of HIPAA's requirements and standards.

The HITECH Act made business associates (BAs) directly responsible for HIPAA compliance, including compliance with the new Breach Notification Rule. Before HITECH, there was no federal requirement to notify patients of a breach of their PHI. Under the Breach Notification Rule, CEs must notify affected individuals, and for breaches affecting more than 500 individuals they must also notify HHS and prominent media outlets. BAs must sign a business associate agreement (BAA) with their CEs, under which they must protect PHI and detect data breaches in the same way as CEs, and must notify the CE of any breach they discover.

The HIPAA Omnibus Rule extended BAs' responsibility further: BAs became directly liable under HIPAA, subject to OCR audits, and liable for penalties for HIPAA violations even when no breach has occurred.

How are HIPAA Breaches Made Public?

The HITECH Act also required the HHS Office for Civil Rights (OCR) to post on its website a list of breaches of unsecured PHI affecting 500 or more individuals. Since 2009, OCR has published these reports, naming the responsible CE or BA, the type of breach, and the number of individuals affected.

Why is the HITECH Act Essential for HIPAA Compliance?

As you can see, the HITECH Act brought many benefits for HIPAA compliance. To highlight them once more, here is a statistic. Before the HITECH Act was introduced, only about ten percent of healthcare providers used electronic health records (EHRs). After it came into force, EHR adoption rose to more than 80%.

Of course, the HITECH Act did not make HIPAA compliance mandatory; the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was already binding on covered entities (CEs) and, through their contracts, business associates (BAs). What the HITECH Act did was raise the fines for non-compliance and tighten the rules. It also introduced preventive measures to protect PHI, such as new limits on the use and disclosure of medical data. In this way, the HITECH Act helps ensure that healthcare organizations keep up with the HIPAA Privacy and Security Rules.

Conclusions


In this article, you have learned about the Health Information Technology for Economic and Clinical Health (HITECH) Act and its contribution to HIPAA enforcement. You now know how the HITECH Act tightened HIPAA requirements and raised the fines for non-compliance.

These measures had a clearly positive effect on HIPAA compliance and on HHS enforcement overall. Exploiting loopholes in the legislation became far harder. Business associates (BAs) carry much more responsibility for their compliance than they did 13 years ago. Fewer companies can afford to treat penalties as a cost of doing business, because the fines are now considerable. And many more hospitals have started to use EHRs effectively.

But if you still have questions regarding the interrelationship between the HITECH Act and HIPAA, feel free to contact us!
