HIPAA and HITECH are closely related, and both strive to secure Protected Health Information (PHI) from unauthorized access, dissemination, and exploitation. The Health Information Technology for Economic and Clinical Health Act (HITECH) came into effect in 2009, much later than the Health Insurance Portability and Accountability Act (HIPAA), which was established in 1996. Both sets of regulations established ways to ensure that privacy remains a priority for the healthcare industry and that medical information stays private.
One of the primary objectives of the HITECH Act was to support electronic health and medical records adoption from paper to digital records through financial incentives. The HITECH Act also strengthened the HIPAA Privacy and Security Rules concerning electronic health and medical records.
The introduction of the HITECH Act required the Secretary of the HHS to issue guidelines to covered entities and business associates annually to assist them in implementing appropriate technical safeguards that ensure the confidentiality, integrity, and availability of PHI. HIPAA's technologically neutral nature had led to confusion about how best to protect PHI.
HIPAA and HITECH – The Differences
Both HIPAA and HITECH are committed to keeping patients' and individuals' PHI secure. Any disclosure of medical-related information is heavily controlled, and access and transmission are limited. As HITECH was introduced after HIPAA, the regulations were adapted accordingly, and the lessons learned under HIPAA informed the updates.
HITECH has also brought changes to patient rights. HIPAA does not allow patients access to information about disclosures, whether authorized or not, relating to their health information. Since the HITECH Act came into effect, patients have access to every disclosure of PHI via Access Reports, maintained by the organizations that process, transmit, or store the information. The report should state who accessed the information and under which authority access was granted.
With the introduction of HITECH, issues identified in one act have subsequently led to updates in both. The main differences between the two acts are the penalties levied and the extension of breach-notification responsibilities.
HITECH Penalty Structures
Previously, HIPAA was ineffective in dealing with non-compliant entities (called Covered Entities) because the fine structures were not severe. HITECH brought much harsher fines by introducing tiers that ensure companies can no longer opt for simply paying the fines. Fines per violation have increased from $100 to $50,000, with the tiers setting the maximum fine at $1.5 million. Healthcare facilities simply can no longer afford non-compliance with HIPAA and HITECH requirements.
HITECH Breach Notifications
Business Associates must now also report any breach of electronic PHI to the Office for Civil Rights (OCR), the Covered Entity, and, in certain cases, the media.
If a breach affected fewer than five hundred individuals, there is no time limit for reporting it. When a breach exceeds this number, there is a sixty-day time limit from when the threat was detected. Essentially, any associated entity that also handles PHI is legally liable under the HITECH Act.
Covered Entities must now also ensure that their Business Associates comply. Both HIPAA and HITECH mandate yearly audits whose results are sent to the OCR; non-compliance will automatically result in fines.
To manage all these aspects from one centralized location, you can use HIPAA Ready, a cloud-based HIPAA compliance management application. You can document your compliance efforts and business associate agreements in the app. The app also includes a training module to help simplify workforce training on the proper handling of PHI. Several other functions can be managed with HIPAA Ready, such as policies and procedures, risk assessments, incident management, and ePHI devices.