Title 1 of HIPAA was initially formulated to deal with the portability of health insurance and to protect the rights of workers between jobs by ensuring health insurance coverage remains active; these matters are not related to the HITECH Act.
However, there is a strong link between HITECH and HIPAA Title II. Title II of HIPAA incorporates the administrative provisions, patient privacy security measures, and security controls for health and medical records and other forms of protected health information (PHI).
One of the main targets of the HITECH Act was to speed up the adoption of electronic health and medical records by creating financial incentives for making the transition from paper to digital records. The HITECH Act also strengthened the HIPAA Privacy and Security Rules with respect to electronic health and medical records.
The HITECH Act required the Secretary of the HHS to ensure advice was shared annually with covered entities and business associates to help them implement appropriate technical safeguards to ensure the confidentiality, integrity, and availability of PHI. The technologically neutral nature of HIPAA had led to confusion about how best to secure PHI.
How did the HITECH Act Alter HIPAA?
The HITECH Act, which was released on January 25, 2013, made many changes to HIPAA and introduced new obligations for HIPAA-covered entities with notable amendments for business associates. Some of the key updates to HIPAA by HITECH are listed here:
Business Associates Directly Accountable for HIPAA Breaches
The HITECH Act required business associates of HIPAA-covered entities to complete a business associate agreement (BAA) with HIPAA-covered entities and agree not to share PHI other than for reasons allowed by the HIPAA Privacy Rule. They were also obligated to agree to comply with certain provisions of the HIPAA Security Rule, including the implementation of administrative, physical, and technical controls to secure the confidentiality, integrity, and availability of PHI.
The definition of a business associate was also fleshed out to include all persons who receive PHI and subcontractors of business associates. The HITECH Act required business associates to complete a BAA with their subcontractors. Business associates were made directly responsible for HIPAA violations and could be penalized financially for breaching HIPAA Rules.
Higher Penalties for HIPAA Violations
Along with fines for business associates, HIPAA-covered entities could also be financially penalized for violations of HIPAA Rules committed by their business associates. The HITECH Act also required the HHS to review breaches and complaints to decide if there had been willful violations of HIPAA Rules.
The penalty tier for HIPAA violations was also changed with HITECH. HITECH permitted penalties to be issued for HIPAA violations that took place without the knowledge of the covered entity or business associate if, by exercising reasonable due diligence, the covered entity or business associate should have been aware that HIPAA was violated. However, the HITECH Act prohibited the issuing of financial penalties if a breach was addressed within 30 days, provided the violation was not due to willful neglect.
Patients Allowed Option of Obtaining Health and Medical Records in Electronic Form
While the HIPAA Privacy Rule gave patients and health plan subscribers the right to obtain copies of their PHI, the HITECH Act increased those rights to include the option of being given copies of health and medical records in electronic form, if the covered entity maintains health and medical records in electronic form and the information is easily producible in that format.
HITECH also forbade the sale of PHI except in limited circumstances and shut the marketing loophole, stopping providers from receiving compensation in return for making treatment recommendations.
HITECH, HIPAA, and Breach Alerts
The HITECH Act brought in a new requirement for sending notifications to individuals whose electronic protected health information was exposed in a security breach if the information had not been encrypted. The definition of a breach was also widened to include any unauthorized acquisition, access, use or sharing of unsecured PHI which compromised the security or privacy of that data.
These updates made up the foundations of the HIPAA Breach Notification Rule, which requires HIPAA-covered entities to send notifications to affected people if there is a significant risk of financial, reputational or other harm due to a breach. Those alerts need to be sent without unnecessary delay and no later than 60 days after the discovery of a breach.
The Department of Health and Human Services’ Office for Civil Rights must also be made aware of all breaches within the same time frame if the breach impacts 500 or more people. Smaller violations must also be reported to OCR, but within 60 days of the end of the calendar year in which the breach was first noticed.