The Difference Between HIPAA and HITECH

The difference between HIPAA and HITECH dates from 2009, when the American Recovery and Reinvestment Act was passed. Title XIII of that Act – the Health Information Technology for Economic and Clinical Health Act (HITECH) – designated funds for the establishment of a nationwide network of electronic health records and heralded the start of the Meaningful Use program.

Because the Meaningful Use program encouraged healthcare providers to adopt technology in the provision of healthcare, HITECH had to build on the HIPAA Privacy and Security Rules. Subtitle D of HITECH consequently addresses concerns about the electronic storage and transmission of medical records and introduces measures for the effective enforcement of HIPAA.

Later updates to HIPAA and HITECH frequently take each other into account. The HITECH Act 2009 strengthened the civil and criminal enforcement of HIPAA and introduced breach notification requirements that apply to Business Associates. The HIPAA Final Omnibus Rule 2013 then widened the scope of the Breach Notification Rule by replacing the earlier “risk of harm” threshold with a presumption that any impermissible use or disclosure of PHI is a breach unless a documented risk assessment shows a low probability that the PHI was compromised.

Enforcement of HIPAA and HITECH Act 2009

The major amendments to HIPAA in the HITECH Act 2009 related to the Enforcement and Breach Notification Rules. Prior to HITECH, fines for non-compliance with HIPAA were small ($100 per violation, up to a maximum of $25,000 per year for violations of the same provision). Few fines were applied by the Office for Civil Rights (OCR), which lacked the resources to investigate unauthorized disclosures of Protected Health Information (PHI).

The introduction of “violation tiers” (based on whether the entity knew of the violation, had reasonable cause, or acted with willful neglect) together with higher financial penalties meant it was no longer cheaper for Covered Entities to pay the fines than to complete the process of becoming HIPAA compliant. The higher penalties (from $100 to $50,000 per violation, up to a maximum of $1.5 million per year for violations of the same provision) also gave OCR far more resources to pursue non-compliant Covered Entities and enforce HIPAA.

Breach Notifications and HIPAA and HITECH Act 2009

Before HITECH, Business Associates were bound only contractually, through their Business Associate Agreements with Covered Entities, to protect the PHI they handled; they had no direct legal obligation under HIPAA. With the introduction of the HITECH Act 2009, Business Associates became directly liable for complying with the applicable HIPAA Privacy and Security Rule requirements, in the same way as Covered Entities, and are required to report any breach of unsecured PHI to the Covered Entity.

The HIPAA Breach Notification Rule states that Covered Entities must notify affected individuals, OCR, and – in some instances – the media of a breach of unsecured PHI. Notifications must be sent without unreasonable delay and no later than sixty calendar days after the breach is discovered, or after the Business Associate makes it known to the Covered Entity; a breach is treated as discovered on the first day it is known, or should reasonably have been known, to the entity. Breaches affecting fewer than 500 individuals are the exception only for the OCR and media notifications: affected individuals must still be notified within sixty days, but OCR may be notified in an annual log within sixty days of the end of the calendar year, and media notification is required only when a breach affects more than 500 residents of a state or jurisdiction.

Differences between HIPAA and HITECH

In practice the differences between HIPAA and HITECH are small. Both Acts make provision for the security of electronic Protected Health Information (ePHI), and measures within HITECH support the effective enforcement of HIPAA – particularly in relation to the Breach Notification Rule and the HIPAA Enforcement Rule. However, there is a difference between HIPAA and HITECH when it comes to patients’ rights.

Before HITECH, the accounting of disclosures a patient could request under the HIPAA Privacy Rule excluded disclosures made for treatment, payment and healthcare operations, so patients could not find out who had routinely accessed or received their ePHI. HITECH extended the accounting requirement to such disclosures when they are made through an electronic health record, and in 2011 the Department of Health & Human Services proposed a rule, required by HITECH, under which patients could request access reports describing who accessed their ePHI and under what authority.

Which is more Important? HIPAA vs HITECH?

Neither Act is more important than the other. Since the HITECH Act 2009, Covered Entities and Business Associates must comply with the requirements of both Acts if they create, receive, use, transmit or store Protected Health Information. What the HITECH Act 2009 added was to give OCR the authority to enforce the Breach Notification Rule and to extend HIPAA’s requirements directly to Business Associates.

Thus, if your business is a Covered Entity or Business Associate and is not familiar with the requirements of both Acts, it is recommended that the business undergoes HIPAA HITECH training. OCR can apply financial penalties for non-compliance with either Act even if there has been no breach of PHI or unauthorized disclosure, and the lowest penalty tier applies precisely to entities that did not know, and could not reasonably have known, that they were in violation. Ignorance of HIPAA or HITECH is therefore not an acceptable excuse.