The HITECH Act – or Health Information Technology for Economic and Clinical Health Act – formed part of an economic stimulus package that the Obama administration developed. The HITECH Act was mainly focused on promoting and expand the implementation of health information technology, and the Department of Health & Human Services (HHS) was allocated a budget in excess of $25 billion to reach its targets.
HHS spent some of the budget to fund the Meaningful Use program – a program that incentivized care providers to implement EHRs. In order to receive federal funds, care providers not only had to implement EHRs but show compliance with the HIPAA Security and Privacy Rules by completing risk assessments. The subsequent failure rate showed tougher enforcement of HIPAA was necessary.
Business Associates and the Legal Requirement for HIPAA Compliance
When HIPAA was first passed in 1996, Business Associates (BAs) had a “contractual obligation” to adhere with HIPAA. As there was no enforcement of the obligation, and Covered Entities could avoid penalties (in the event of a breach of PHI by the BA) by saying they were unaware that the BA was not HIPAA-compliant, many BAs failed to adhere with the regulatory guidelines – placing millions of health records in danger.
The HITECH Act subjected BAs to the HIPAA Security and Privacy Rules and gave them the same legal requirements to safeguard PHI, identify breaches and report violations of HIPAA as Covered Entities. BAs were also subject to the same obligatory HIPAA audits as Covered Entities, and the same civil and criminal sanctions for failing to comply with HIPAA.
The Resulting Effective Enforcement of HIPAA
Before the HITECH Act was introduced, as well as Covered Entities avoiding penalties by claiming they or their BAs were unaware they were breaching HIPAA, the sanctions HHS could apply were little more than a slap on the wrist ($100 for each violation up to a maximum fine of $25,000). The Act enhanced the HHS’ powers by introducing “violation tiers” and raising the maximum fine to $1.5 million per HIPAA breach.
The consequence of new $1.5 million ceiling was that Covered Entities and Business Associates began pay more attention to the HIPAA regulations. With a much more plentiful income source, HHS was able to pool more resources to investigating the cause of PHI breaches and, in 2011, initiated the first phase of its audit program. The second phase was finished in 2016 and Phase 3 is expected soon.
HITECH Act: HIPAA-Relevant Provisions in the
A revised Breach Notification Rule and new requirements for the authorized sharing of PHI were also incorporated in the HITECH Act. Under the new Breach Notification Rule, Covered Entities have to report breaches of over 500 records to impacted patients and the HHS within 60 days. The Rule also required BAs to notify Covered Entities of a breach for the Covered Entity to report it to the HHS.
The updated requirements for the authorized release of PHI tightened up the wording of the HIPAA Privacy Rule, stopped BAs from using PHI for marketing purposes without permission and gave patients the right to withdraw authorizations. These changes effectively permitted the HHS to seek criminal charges for breaches of HIPAA if PHI was stolen or disclosed without authorization for personal profit.