HITECH Act definition and summary
The HITECH Act is a law that aims to expand the use of electronic health records (EHRs) in the United States. (HITECH stands for Health Information Technology for Economic and Clinical Health.) There are a number of provisions of the law that provide direct and indirect incentives to health care providers and consumers to move to EHRs, but the parts of the law of most interest to infosec professionals are those that tighten rules on providers to ensure that EHRs remain private and secure. Those latter aspects will be the main focus of this article.
The law tackles its security and privacy goals by extending the rules laid down by the pre-existing HIPAA law to more and different kinds of businesses, and by adding tougher reporting and enforcement provisions. As a result, much of the regulatory ecosystem that falls under the broad (and expensive) umbrella of HIPAA compliance today is actually a result of the passage of the HITECH Act.
Why was the HITECH Act created and why is it important?
The HITECH Act was part of the larger American Recovery and Reinvestment Act of 2009, which was the stimulus package enacted in the early days of the Obama Administration to inject money into the economy in order to blunt the effects of the Great Recession. The HITECH Act aimed to use some of that government spending to help the health care industry make the expensive leap into using EHRs. The law provided HITECH Act incentives for this purpose, in the form of extra payments to Medicare and Medicaid providers who transitioned to electronic records. This aim of the law can be considered successful, with the number of acute care hospitals deploying EHRs expanding from 28% in 2011 to 84% in 2015.
However, while EHRs held a lot of promise to improve the health care industry, they also made it much faster and easier to transmit personally identifying data between organizations, which had serious implications for privacy and security. As a result, the HITECH Act established a regulatory framework for EHRs that imposed security and privacy requirements not only on medical providers, but also on other companies and organizations they did business with that might also handle EHR data.
To achieve this, HITECH piggybacked onto some of the regulations already imposed by the earlier HIPAA law—and also closed some of the loopholes from HIPAA’s original implementation. With EHR adoption becoming more and more universal, it’s the HITECH Act’s privacy and security provisions that are most important today.
HITECH and HIPAA
HIPAA (the Health Insurance Portability and Accountability Act) had been passed in 1996 and, among other goals, was meant to promote the security and privacy of patients’ personal data. But 1996 was the very early days of the internet and EHRs, and some of HIPAA’s provisions weren’t up to snuff in a world that was more connected and where certain business tasks were increasingly tackled by specialized third-party companies rather than being taken care of in-house by medical providers.
In particular, there were loopholes in HIPAA when it came to business associates of the medical providers covered by the act. In HIPAA regulatory jargon, business associates are standalone companies that provide support services to medical organizations like billing, scheduling, marketing, or even IT services or software, rather than providing direct medical services to patients. Business associates were theoretically required to adhere to HIPAA’s privacy and security requirements, but under the law those rules couldn’t be enforced directly against those companies by the U.S. government; enforcement only applied to the medical organizations themselves, who could in cases of violation simply say they were unaware their business associates were noncompliant and avoid punishment.
And when medical organizations were found guilty of violating HIPAA, the potential punishment they faced was quite light: $100 for each violation, maxing out at $25,000, which was little more than a slap on the wrist for many large companies. The HITECH Act strengthened HIPAA’s regulations by expanding the number of companies it covered and punishing violations more severely.
HITECH Act requirements
U.S. government mandates are set down in broad form by legislation like HIPAA or the HITECH Act, but the details are formulated in sets of regulations called rules that are put together by the relevant executive branch agency—the Health and Human Services Department (HHS), in this case. The Security Rule and the Privacy Rule had been laid down in the ’90s to formalize the mandates set out in HIPAA. (Again, we go into more detail on these two rules in our HIPAA article.) In the aftermath of the passage of the HITECH Act in 2009, its mandates were formulated into two rules: the HITECH Enforcement Rule, which set out more stringent enforcement provisions that extended the HIPAA framework, and the Breach Notification Rule, which established that, when personally identifying information was exposed or hacked, the organization responsible for that data had to inform the people involved.
In 2013, the HIPAA Omnibus Rule combined and modernized all the previously mentioned rules into one comprehensive document. Although HIPAA is in its name, this set of regulations formalizes the mandates of both HIPAA and the HITECH Act, and HITECH’s updates are woven throughout its DNA. The details of the rule are beyond the scope of this article—you can read the complete text at the HHS website—but let’s step through an overview of what the rule requires.
Liability for business associates. This was one of the most important updates to HIPAA that the HITECH Act established. Business associates of medical organizations regulated by HIPAA, along with the subcontractors of those business associates, are now themselves directly subject to HIPAA and HITECH regulations, in particular the Privacy and Security Rules. This knock-on effect has greatly expanded the reach of HIPAA regulation, and with it the market for compliance software and services (more on which in a moment).
Breach notification requirements. Medical organizations and business associates must now inform individuals whose personal information has been exposed or potentially exposed by a security breach. The standard for notification is fairly strict: companies must assume in most cases that impermissible use or disclosure of personal health information is potentially harmful and that the subject of that information must be informed about it.
Privacy and rights to data. HITECH and the Omnibus Rule aim to give individuals more control over how their personal data is used in a number of ways:
- Use of personal information in marketing or fundraising has been restricted
- Someone’s personal data cannot be sold without their express consent
- Patients can request that data not be shared with their own health insurers
- Individuals have more rights to access their own personal data
HITECH Act penalties and enforcement
As we noted above, all of these new rules and regulations are accompanied by a new framework of enforcement and penalties much tougher than the original one established by HIPAA. Today, HIPAA and HITECH violations are subject to fines on a series of tiers based on how egregious the violations are. HIPAA Journal outlines the punishments:
- Tier 1 is for organizations that were unaware of a violation and would have been unaware even if they had exercised reasonable due diligence. Fines for this tier begin at $100 per violation.
- Tier 2 is for organizations that had reasonable cause to be aware of a violation had they exercised due diligence. Fines for this tier begin at $1,000 per violation.
- Tier 3 is for organizations that demonstrated willful neglect of HIPAA/HITECH rules, but corrected problems within 30 days of discovery. Fines for this tier begin at $10,000 per violation.
- Tier 4 is for organizations that demonstrated willful neglect of HIPAA/HITECH rules and made no effort to rectify problems within 30 days of discovery. Fines for this tier begin at $50,000 per violation.
Fines at all tiers max out at $50,000 per violation or $1.5 million annually for all fines imposed on an organization. Enforcement is under the authority of HHS’s Office for Civil Rights, which often prefers to resolve violations through non-punitive measures. State Attorneys General have independent enforcement powers as well.
HITECH Act compliance
When you hear the phrase HIPAA compliance used in the tech industry, that generally includes compliance with the provisions of both HIPAA and the HITECH Act, because, as noted, the regulations implementing the two laws are so closely intertwined. Complying with these rules is no simple matter; organizations that provide healthcare services (or that provide products and services to those organizations) must not only avoid bad behavior, but must be able to demonstrate that they are actively following best practices. For instance, organizations need to take administrative, physical, and technical steps to secure patients’ personal data, and then need to employ risk assessment and risk mitigation techniques to determine if their safeguards are sufficient. RSI Security has some in-depth analysis of the sort of steps you’ll need to take to be compliant with HIPAA and the HITECH Act.
In practice, the complex and ambiguous nature of these regulations has spawned a cottage industry of vendors willing to offer compliance help. A wide variety of software packages promise to help you keep your company in compliance with the law, and if you need more hand-holding, there’s a thriving consultancy business as well. Often the two are combined, with software vendors customizing solutions to your company’s needs and providing resources like training or verification along with it.
And to emphasize one final time: the HITECH Act specifically extends HIPAA’s reach to business associates of health care providers, so it’s not just doctors and insurance companies that need to be HIPAA/HITECH compliant. If you’re selling products or services to anyone in the health care industry, you’ll need to be able to assure your customers that your offerings are compliant with the rules we’ve outlined here. That’s why everyone from computer programmers to cloud service providers needs to be aware of these mandates.