Originally published Nov 3, 2020. Updated and expanded May 21, 2024.
HIPAA forever changed the handling of PHI (protected health information) when it became law in 1996. However, the regulation was drafted long before anyone could envision the future complexity of cybersecurity in the healthcare industry.
In 2009, President Obama signed the HITECH Act into law. As it relates to HIPAA and cybersecurity, this Act introduced direct accountability for business associates of covered entities who disclose protected health information in a way that doesn’t comply with HIPAA. In other words, it made HIPAA more effective at actually protecting PHI.
HITECH also gives patients the right to request the release of their ePHI (electronic PHI) if that information is available electronically. In addition, HITECH introduced rules regarding the disclosure of any security breaches affecting PHI. HITECH also incentivized organizations to adopt EHR (electronic health records). Last of all, HITECH introduced more stringent and graduated fines for organizations that fail to secure PHI.
In a nutshell, HITECH builds on HIPAA when it comes to cybersecurity, confidentiality of information, enforcement, and pushing the industry to adopt electronic records.
Here’s how HIPAA relates to HITECH in detail.
Why is the HITECH Act important to HIPAA compliance?

Prior to the HITECH Act, only 9% of hospitals and healthcare facilities had adopted EHRs. To boost efficiency and patient care coordination between different entities, the Act incentivized organizations to transition to electronic health records.
Such projects aren’t cheap. The initial cost of implementing the new technology proved to be too much for many healthcare providers. To overcome this roadblock, the HITECH Act introduced incentives to encourage healthcare providers to make the change. The Act increased the rate of adoption to EHRs from 3.2% to 86% in nine years.
To be clear, HITECH didn’t make HIPAA compliance mandatory—that was already the case after the establishment of HIPAA in 1996. However, HITECH made sure that non-compliant entities could receive a substantial fine. The Act also pushed organizations to comply with HIPAA privacy and security rules by implementing safeguards to keep health information such as PHI private and confidential, restricting uses and disclosures of health information.
The main differences between HITECH and HIPAA are the penalty structures and the responsibility of breach notifications.
Breach notifications
To implement certain provisions of HITECH, Health and Human Services (HHS) introduced the breach notification rule. This regulation requires health care providers, health plans, and other entities covered by HIPAA to notify individuals when their health information is breached. If a breach affected fewer than 500 records, there is no time limit for reporting it. For any breach affecting more than 500 records, the organization has 60 days from the time of discovery to notify HHS, the media, and the State Privacy Officer.
The organization must also send a first-class mailing to all breached patients addressing what happened to them personally and what the organization is doing to resolve the breach. In some cases, the organization may pay for breached patients to get free access to their credit reports.
Essentially, HITECH extends legal liability for a breach to any entity that handles PHI or ePHI.
Original HITECH penalty structures for HIPAA violations

The HITECH Act changed the penalty structure for covered entities found to be noncompliant with HIPAA. Previously, the fine structures allowed noncompliant companies to pay the fines and continue on their merry way. HITECH introduced much harsher fines with violation tiers, making it much harder to just pay the fine without addressing the issue.
When the law was passed, it introduced a set of tiered fines ranging from $100 to $50,000 per violation while setting the maximum fine at $1.5 million. However, the fine schedule was updated in 2023 for all violations occurring on or after November 2, 2015.
What are the penalties for HIPAA noncompliance in 2024?
The current fine structure is as follows, based on the organization’s knowledge of their noncompliance and their response when noncompliance is discovered.
Tier 1—Organization was unaware, and the breach could not have been discovered through due diligence.
- $137 minimum penalty per violation
- $68,928 maximum penalty per violation
- $2,067,813 maximum penalty per year
Tier 2—Reasonable cause that the organization should have discovered the violation by exercising due diligence.
- $1,379 minimum penalty per violation
- $68,928 maximum penalty per violation
- $2,067,813 maximum penalty per year
Tier 3—Willful neglect of HIPAA regulation, but the organization corrected the noncompliance within 30 days of discovery.
- $13,785 minimum penalty per violation
- $68,928 maximum penalty per violation
- $2,067,813 maximum penalty per year
Tier 4—Willful neglect of HIPAA regulation, and the organization did not correct noncompliance within 30 days of discovery.
- $68,928 minimum penalty per violation
- $2,067,813 maximum penalty per violation
- $2,067,813 maximum penalty per year
Note how Tiers 1 and 2 emphasize the exercise of due diligence. If the organization decides not to conduct due diligence, and they’re aware of the violations, they could land in Tier 3 or 4 because of willful neglect.
How to improve compliance with HIPAA and HITECH

The first step for any organization affected by HIPAA and HITECH is to conduct a compliance gap assessment. This will help turn up any areas of noncompliance.
Yet pinpointing your gaps is only half the battle. It’s also the first step in developing a healthy plan of action to improve compliance.
Broadly speaking, here are some common recommendations that may come out of a gap assessment.
1. When in doubt… encrypt
ePHI must be encrypted in two states:
- At rest (i.e. when stored in a database)
- In transit (i.e. when being sent to another system)
Encrypting ePHI in both states requires secure data storage systems and secure file transfer methods. For example, sending ePHI in an email attachment is not a secure transfer method. A cybersecurity company that specializes in healthcare, like Corsica Technologies, can advise you further.
2. Establish systems, processes, and policies to manage ePHI
ePHI is here to stay. The best way to handle it is to invest in systems, processes, training, and policies that support proper handling of ePHI.
This doesn’t matter only for cybersecurity. Patients can request a copy of all ePHI you have on file at any time. It’s much easier to comply with these requests if you have the proper systems in place to handle ePHI securely.
3. Make sure all employees are fully trained to comply with HIPAA and HITECH
There is no certification for HIPAA. This means the burden falls on covered entities to ensure their employees are fully trained on the relevant regulation as it applies to their work. Numerous third parties offer HIPAA training to bring your employees up to speed—and keep them there.
4. Implement role-based permissions in all systems that access ePHI
The principle of least privilege, as it’s called, helps ensure that no employee has access to any ePHI that isn’t required to do their job.
In the context of healthcare cybersecurity, implementing the principle of least privilege requires role-based permissions. This means that a given software system supports different levels of access for different user types. Implementing the principle also requires system admins to manage user permissions accordingly.
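The deny-by-default role check described above, as an added Python illustration that is not code from the article or from Corsica Technologies; the role names, field groups and audit record layout are assumptions made for the example:

```python
"""Deny-by-default role-based access to ePHI with an audit trail.
Added illustration for the least-privilege recommendation above, not code from
the article or from Corsica Technologies; roles, field groups and the audit
record layout are assumptions made for this example."""

# ePHI fields are split into groups so each role sees only the data its job needs.
FIELD_GROUPS = {
    "demographics": {"name", "dob", "mrn"},
    "clinical": {"diagnosis", "medications", "notes"},
    "billing": {"insurance_id", "claim_amount"},
}
# Role -> set of (action, field group). Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "physician": {("read", "demographics"), ("read", "clinical"), ("write", "clinical")},
    "billing_clerk": {("read", "demographics"), ("read", "billing"), ("write", "billing")},
    "front_desk": {("read", "demographics")},
}
AUDIT_LOG = []  # every decision, allowed or denied, is recorded (in memory here)


def authorize(user, role, action, group, mrn):
    """True only if the role explicitly grants (action, group); the decision is logged."""
    allowed = (action, group) in ROLE_PERMISSIONS.get(role, set())
    AUDIT_LOG.append({"user": user, "role": role, "action": action,
                      "group": group, "mrn": mrn, "allowed": allowed})
    return allowed


def read_record(user, role, record):
    """Return only the part of a patient record that the role may read."""
    visible = {}
    for group, fields in FIELD_GROUPS.items():
        if authorize(user, role, "read", group, record.get("mrn")):
            visible.update({k: v for k, v in record.items() if k in fields})
    return visible


def denied_events():
    """Denied decisions: what a reviewer checks for probing or misconfigured roles."""
    return [e for e in AUDIT_LOG if not e["allowed"]]


# Constructed sample record; the values are not real patient data.
SAMPLE_RECORD = {
    "mrn": "MRN-0001", "name": "Example Patient", "dob": "1970-01-01",
    "diagnosis": "example-dx", "medications": ["example-rx"], "notes": "example note",
    "insurance_id": "INS-123", "claim_amount": 250.0,
}
```

A front-desk user reading `SAMPLE_RECORD` gets only the demographics fields, an unknown role gets nothing, and every denied decision stays in the audit log for review.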
FAQs about HIPAA and HITECH
What is protected health information (PHI)?

Information collected from an individual by a covered entity that relates to the past, present, or future health or condition of that individual, and that either identifies the individual or gives a basis to believe the information can be used to identify, locate, or contact the individual.
What is HITECH and when did it go into effect?
HITECH stands for the Health Information Technology for Economic and Clinical Health (HITECH) Act. President Obama signed it into law on February 17, 2009.
The HITECH Act provided over $30 billion for healthcare infrastructure and the adoption of electronic health records (EHR). Under the Act, each physician was eligible to receive up to $44,000 from Medicare for meaningful use of a certified EHR system starting in 2019. This support expired in 2021.
What businesses must comply with HIPAA laws?
Any business entity that electronically processes, stores, transmits, or receives medical records, claims or remittances must comply with HIPAA. This can include organizations such as staffing companies, HR departments, and other entities outside of a standard healthcare facility.
How long must HIPAA compliance records be retained?
HIPAA requirements preempt state laws that require shorter document retention periods. HIPAA requires you to retain required documentation for six years from the date of its creation or the date when it was last in effect.

Want to learn more about HIPAA, HITECH, and data security?
Reach out to schedule a consultation with our HIPAA security specialists.