Covered Entities and Business Associates must familiarize themselves with the HITECH Act as it closely relates to the HIPAA and HITECH regulations. It is essential to comprehend the similarities and distinctions between HIPAA and HITECH, and where to access further details about these Acts.

Join our newsletter:

The connection between HIPAA and HITECH originated in 2009 through the American Recovery and Reinvestment Act. This act allocated funds for the establishment of a national network of Health Information Exchanges and marked the beginning of the Meaningful Use program. As the Meaningful Use program offered incentives to healthcare providers to incorporate technology in healthcare delivery, HITECH had to consider the HIPAA Privacy and Security Rules. To address concerns regarding electronic transmission and storage of medical records, Subtitle D of HITECH reinforced existing provisions of the Privacy and Security Rules and introduced measures for the effective enforcement of HIPAA. Subsequent updates to both HIPAA and HITECH often took each other's regulations into account. For instance, the HITECH Act of 2009 enhanced the enforcement of HIPAA by allowing State Attorney Generals to pursue cases for HIPAA violations on behalf of citizens and established the HIPAA Breach Notification Rule. In 2013, the HIPAA Final Omnibus Rule expanded the Business Associate Breach Notification Rules by broadening their criteria.

Enforcement of the HIPAA and HITECH Act of 2009

The HITECH Act of 2009 made notable revisions to HIPAA, particularly with regards to the Enforcement and Breach Notification Rules. Prior to HITECH, penalties for not complying with HIPAA were relatively insignificant, amounting to $100 per violation with a maximum cap of $25,000. The Office for Civil Rights (OCR) issued very few fines due to limited resources available for investigating unauthorized uses and disclosures of Protected Health Information (PHI), as well as the failure to promptly address patient access requests.

HIPAA and HITECH Act 2009 Violation Tiers

The introduction of 'violation tiers' and higher financial penalties has made it more costly for Covered Entities to pay fines instead of becoming HIPAA compliant. The fines have increased in value, ranging from $100 to $50,000 per violation, with a maximum of $1.5 million (adjusted for inflation). This has enabled the OCR to allocate more resources towards pursuing non-compliant Covered Entities and enforcing HIPAA.The following penalties apply based on the level of culpability:- Lack of Knowledge: Minimum penalty per violation - $127, maximum penalty per violation - $30,133, annual penalty limit - $30,133- Lack of Oversight: Minimum penalty per violation - $1,280, maximum penalty per violation - $60,973, annual penalty limit - $121,946- Willful Neglect: Minimum penalty per violation - $12,794, maximum penalty per violation - $60,973, annual penalty limit - $304,865- Willful Neglect not Corrected within 30 days: Minimum penalty per violation - $60,973, maximum penalty per violation - $1,919,173, annual penalty limit - $1,919,173Additionally, an amendment to the HITECH Act in 2021 has provided further incentive for Covered Entities and Business Associates to prioritize their compliance obligations. The Department of Health and Human Services' Office for Civil Rights (OCR) now has the discretion to waive or reduce financial penalties for HIPAA violations if the offending party can demonstrate the implementation of a recognized security framework prior to a data breach or other security-related violation."

Notification of Breaches: Understanding the HIPAA and HITECH Act of 2009

Prior to the HITECH Act of 2009, Business Associates were not legally obligated to protect PHI, although it was expected of them. However, with the passing of the HITECH Act, Business Associates are now legally required to comply with HIPAA and HITECH, just like Covered Entities. As part of this requirement, Business Associates must inform the Covered Entity if they have disclosed any unsecured PHI. Additionally, the HIPAA Breach Notification Rule mandates that Covered Entities must notify individuals, the OCR, and possibly the media in the event of an unauthorized disclosure of PHI. These notifications must be made within sixty days from the discovery of the breach or when reported to the Covered Entity by the Business Associate. It's important to note that breaches affecting fewer than 500 individuals are exempt from the sixty-day notification period.

Understanding the Distinctions between HIPAA and HITECH

The distinction between HIPAA and HITECH may seem small, but it is significant. Both Acts deal with the protection of electronic Protected Health Information (ePHI), and HITECH specifically aids in the effective enforcement of HIPAA. This is particularly evident in the Breach Notification Rule and the HIPAA Enforcement Rule. However, there is one key difference between HIPAA and HITECH when it comes to patients' rights. Prior to the implementation of HITECH, patients were unable to determine who had accessed their ePHI (both authorized and unauthorized). However, in 2011, the Department of Health & Human Services published a Rule that was required under HITECH, granting patients the ability to request a disclosure accounting. This report informs patients about who has accessed and viewed their ePHI, and the reasons behind such access.

Comparing HIPAA and HITECH: Which is More Important?

In the realm of healthcare privacy regulations, the debate between 'HIPAA vs HITECH' can be quite complex. Both acts hold equal importance and must be adhered to by Covered Entities and Business Associates involved in handling Protected Health Information (PHI). The HITECH Act of 2009 granted the Office for Civil Rights (OCR) the authority to enforce the Breach Notification Rule, extending its reach to include Business Associates.Consequently, if your business falls under the category of a Covered Entity or Business Associate, it is imperative to comply with the requirements of both acts. To ensure compliance, it is strongly recommended that businesses undergo HIPAA HITECH training. It is vital to note that OCR can impose fines for non-compliance with either act, regardless of whether a breach of PHI or impermissible disclosure has occurred. Ignorance of the regulations set forth by HIPAA and HITECH is not an acceptable defense.

What is Included in HIPAA HITECH Training?

There is no specific training mandated by OCR for HIPAA HITECH. To meet the compliance requirements of HIPAA and HITECH, each individual Covered Entity and Business Associate must conduct risk assessments to identify any gaps in their compliance efforts. These risk assessments are now also mandatory for participation in the Meaningful Use program, according to the HIPAA Security Rule. It is a legal obligation for Covered Entities and Business Associates to provide training to their workforce. Covered Entities need to train their employees on the policies and procedures established to comply with the Privacy Rule, while both Covered Entities and Business Associates are obligated to provide an ongoing security and awareness program for all members of their workforce, even those who do not handle Protected Health Information (PHI).

HIPAA and HITECH Privacy and Security Rules

In summary, it is commonly believed that Business Associates only need to follow the HIPAA Security Rule, but that belief is incorrect. With the implementation of HITECH and the revisions made to HIPAA through the Final Omnibus Rule, Business Associates must adhere to not only the HIPAA Security Rule but also the Breach Notification Rule and specific standards outlined in the HIPAA Privacy Rule. Additionally, it is possible for organizations not covered by HIPAA to still be subject to the Breach Notification Rule. Vendors of Personal Health Records (PHRs), PHR-related entities, and third-party service providers are obligated to report any disclosures of unsecured PHI to the Federal Trade Commission. Therefore, it is recommended that any organization with access to PHI is well-informed about the Privacy and Security Rules in HIPAA and HITECH.

Understanding the Four Tiers of Violation for HIPAA Non-Compliance

The different levels of culpability for HIPAA violations are categorized into four tiers. These tiers represent varying degrees of responsibility, ranging from instances where violations could not reasonably have been prevented, to cases of deliberate neglect with no effort to rectify the violation. Each tier specifies its own range of penalties, which are annually adjusted to accommodate inflation.

Do Covered Entities Face Fines Even Without Data Breaches?

The Office for Civil Rights, while favoring corrective action over data breaches, has recently taken a stricter stance against Covered Entities that do not promptly grant patients access to their PHI within the permitted 60-day timeframe. In November 2020, the University of Cincinnati was fined $65,000 for their failure to timely provide patient records. This marked the twelfth penalty of the year related to right of access issues.

Which report enables patients to track and monitor who has accessed and viewed their ePHI?

Patients have the right to request an "Accounting of Disclosures" report under HIPAA regulations. This report contains a comprehensive list of any disclosures made to third parties in the past six years, excluding those made for treatment, payment, or operational purposes. The report may include but is not limited to, disclosures made to public health agencies, law enforcement officials, workers' compensation programs, and coroners. It's important to note that certain states may have additional criteria for the information that should be included in an accounting of disclosures document.

By law, what type of HIPAA HITECH training are employees mandated to undergo?

According to federal regulations, employee training on HIPAA policies and procedures is outlined in 45 CFR § 164.530 and 45 CFR § 164.308. These standards require that staff members receive proper training on HIPAA policies and procedures, and that all employees undergo security and awareness training. To maintain compliance with these regulations, it is advised by experts to provide refresher training on HIPAA policies and procedures on an annual basis, while security and awareness training should be an ongoing program.

Adapting HIPAA HITECH Training to Suit the Unique Responsibilities of Each Employee

In a large organization, it may not be feasible to provide personalized training for every individual's role. However, it is possible to train groups of employees who have similar positions on shared policies and procedures. For instance, employees with customer-facing roles should receive training on policies concerning privacy regulations and patients' rights. On the other hand, office-based employees should be trained to enhance their cybersecurity awareness and reduce vulnerability to online scams such as phishing attacks.


Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 NIST SP 800-171 & CMMC Compliance App

NIST SP 800-171 & CMMC Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.