The connection between HIPAA and HITECH originated in 2009 with the American Recovery and Reinvestment Act. This act allocated funds for the establishment of a national network of Health Information Exchanges and marked the beginning of the Meaningful Use program. Because the Meaningful Use program offered incentives to healthcare providers to incorporate technology into healthcare delivery, HITECH had to take the HIPAA Privacy and Security Rules into account. To address concerns about the electronic transmission and storage of medical records, Subtitle D of HITECH reinforced existing provisions of the Privacy and Security Rules and introduced measures for the effective enforcement of HIPAA. Subsequent updates to HIPAA and HITECH often took each other's regulations into account. For instance, the HITECH Act of 2009 strengthened the enforcement of HIPAA by allowing State Attorneys General to pursue cases for HIPAA violations on behalf of citizens, and it established the HIPAA Breach Notification Rule. In 2013, the HIPAA Final Omnibus Rule expanded the Business Associate Breach Notification Rules by broadening their criteria.
The HITECH Act of 2009 made notable revisions to HIPAA, particularly with regard to the Enforcement and Breach Notification Rules. Prior to HITECH, penalties for non-compliance with HIPAA were relatively insignificant, amounting to $100 per violation with a maximum cap of $25,000. The Office for Civil Rights (OCR) issued very few fines, since it had limited resources for investigating unauthorized uses and disclosures of Protected Health Information (PHI) and failures to promptly address patient access requests.
The introduction of 'violation tiers' and higher financial penalties has made paying fines a more costly option for Covered Entities than becoming HIPAA compliant. Fines now range from $100 to $50,000 per violation, with a maximum of $1.5 million (adjusted for inflation). This has enabled the OCR to allocate more resources to pursuing non-compliant Covered Entities and enforcing HIPAA.

The following penalties apply based on the level of culpability:
- Lack of Knowledge: minimum penalty per violation $127, maximum penalty per violation $30,133, annual penalty limit $30,133
- Lack of Oversight: minimum penalty per violation $1,280, maximum penalty per violation $60,973, annual penalty limit $121,946
- Willful Neglect: minimum penalty per violation $12,794, maximum penalty per violation $60,973, annual penalty limit $304,865
- Willful Neglect not Corrected within 30 days: minimum penalty per violation $60,973, maximum penalty per violation $1,919,173, annual penalty limit $1,919,173

Additionally, a 2021 amendment to the HITECH Act has given Covered Entities and Business Associates a further incentive to prioritize their compliance obligations. The Department of Health and Human Services' Office for Civil Rights (OCR) now has the discretion to waive or reduce financial penalties for HIPAA violations if the offending party can demonstrate that it had implemented a recognized security framework prior to the data breach or other security-related violation.
Prior to the HITECH Act of 2009, Business Associates were not legally obligated to protect PHI, although they were expected to. With the passing of the HITECH Act, Business Associates are now legally required to comply with HIPAA and HITECH, just like Covered Entities. As part of this requirement, Business Associates must inform the Covered Entity if they have disclosed any unsecured PHI. Additionally, the HIPAA Breach Notification Rule mandates that Covered Entities notify individuals, the OCR, and possibly the media in the event of an unauthorized disclosure of PHI. These notifications must be made within sixty days of the discovery of the breach, or of the date it was reported to the Covered Entity by the Business Associate. It's important to note that breaches affecting fewer than 500 individuals are exempt from the sixty-day notification period.
The distinction between HIPAA and HITECH may seem small, but it is significant. Both Acts deal with the protection of electronic Protected Health Information (ePHI), and HITECH specifically aids in the effective enforcement of HIPAA. This is particularly evident in the Breach Notification Rule and the HIPAA Enforcement Rule. There is, however, one key difference between HIPAA and HITECH when it comes to patients' rights. Prior to the implementation of HITECH, patients were unable to determine who had accessed their ePHI (whether authorized or unauthorized). In 2011, the Department of Health & Human Services published a Rule required under HITECH that grants patients the ability to request an accounting of disclosures. This report informs patients who has accessed and viewed their ePHI, and the reasons for that access.
In the realm of healthcare privacy regulations, the debate between 'HIPAA vs HITECH' can be quite complex. Both acts hold equal importance and must be adhered to by Covered Entities and Business Associates that handle Protected Health Information (PHI). The HITECH Act of 2009 granted the Office for Civil Rights (OCR) the authority to enforce the Breach Notification Rule, extending its reach to include Business Associates. Consequently, if your business falls under the category of a Covered Entity or Business Associate, it must comply with the requirements of both acts. To ensure compliance, it is strongly recommended that businesses undergo HIPAA HITECH training. Note that OCR can impose fines for non-compliance with either act, regardless of whether a breach of PHI or an impermissible disclosure has occurred. Ignorance of the regulations set forth by HIPAA and HITECH is not an acceptable defense.
There is no specific training mandated by OCR for HIPAA HITECH. To meet the compliance requirements of HIPAA and HITECH, each Covered Entity and Business Associate must conduct risk assessments to identify any gaps in its compliance efforts. These risk assessments, required by the HIPAA Security Rule, are now also mandatory for participation in the Meaningful Use program. Covered Entities and Business Associates have a legal obligation to provide training to their workforce. Covered Entities must train their employees on the policies and procedures established to comply with the Privacy Rule, while both Covered Entities and Business Associates must provide an ongoing security and awareness program for all members of their workforce, including those who do not handle Protected Health Information (PHI).
In summary, it is commonly believed that Business Associates only need to follow the HIPAA Security Rule, but that belief is incorrect. With the implementation of HITECH and the revisions made to HIPAA through the Final Omnibus Rule, Business Associates must adhere not only to the HIPAA Security Rule but also to the Breach Notification Rule and specific standards in the HIPAA Privacy Rule. Additionally, organizations not covered by HIPAA may still be subject to the Breach Notification Rule: vendors of Personal Health Records (PHRs), PHR-related entities, and third-party service providers are obligated to report any disclosures of unsecured PHI to the Federal Trade Commission. Therefore, any organization with access to PHI should be well-informed about the Privacy and Security Rules in HIPAA and HITECH.
The different levels of culpability for HIPAA violations are categorized into four tiers. These tiers represent varying degrees of responsibility, ranging from instances where violations could not reasonably have been prevented, to cases of deliberate neglect with no effort to rectify the violation. Each tier specifies its own range of penalties, which are annually adjusted to accommodate inflation.
While the Office for Civil Rights has generally favored corrective action in response to data breaches, it has recently taken a stricter stance against Covered Entities that do not grant patients access to their PHI within the permitted 60-day timeframe. In November 2020, the University of Cincinnati was fined $65,000 for failing to provide patient records in a timely manner. This marked the twelfth penalty of the year related to right of access issues.
Patients have the right to request an "Accounting of Disclosures" report under HIPAA regulations. This report contains a comprehensive list of any disclosures made to third parties in the past six years, excluding those made for treatment, payment, or healthcare operations purposes. The report may include, but is not limited to, disclosures made to public health agencies, law enforcement officials, workers' compensation programs, and coroners. It's important to note that certain states may have additional criteria for the information that must be included in an accounting of disclosures document.
Federal requirements for employee training on HIPAA policies and procedures are set out in 45 CFR § 164.530 and 45 CFR § 164.308. These standards require that staff members receive proper training on HIPAA policies and procedures, and that all employees undergo security and awareness training. To maintain compliance with these regulations, experts advise providing refresher training on HIPAA policies and procedures annually, while security and awareness training should be an ongoing program.
In a large organization, it may not be feasible to provide personalized training for every individual's role. However, groups of employees who hold similar positions can be trained together on the policies and procedures they share. For instance, employees in customer-facing roles should receive training on policies concerning privacy regulations and patients' rights, while office-based employees should be trained to improve their cybersecurity awareness and reduce their vulnerability to online scams such as phishing attacks.