What is the HITECH Act?
HITECH stands for Health Information Technology for Economic and Clinical Health. It aims to improve health care quality, safety, and efficiency with health information technology.
The HITECH Act of 2009 expands the responsibilities of business associates under the security and privacy rules. It does so by requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
The HITECH Act promotes the meaningful use of health information technology and strengthens enforcement of HIPAA rules around transmitting electronic health records.
HITECH also includes limitations on the sale of protected health information, marketing, and fundraising communications. It grants stronger individual rights to access electronic medical records and restrict the disclosure of certain information.
Why is the HITECH Act Important?
The HITECH Act establishes:
- Four categories of violations, with increasing levels of culpability.
- Four corresponding tiers of fines which significantly increase for each violation.
- A maximum penalty of $1.5 million for violations of an identical provision.
- Culpability at the lowest violation level even if the covered entity didn't know of a data breach.
- A prohibition on penalties for any violation that is corrected within a 30-day window, as long as the violation wasn't due to willful neglect.
How Does HITECH Affect my Organization?
Business associates and covered entities must comply with HIPAA requirements by signing written contractual agreements. These are commonly called business associate agreements or BAAs. The agreements state that the business associate will only use the protected health information for proper purposes and safeguard it from misuse. It also means they'll comply with all security requirements of HIPAA regulations ensuring administrative, physical and technical safeguards.
Essentially, this means that business associates and covered entities agree to be responsible for protecting protected health information, particularly electronic health records.
If a business associate violates HIPAA, they are in violation of the contract with the covered entity AND also in violation with HIPAA itself. They are held accountable for the penalties for both types of violations.
HIPAA requires contractual agreements between business associates and subcontractors. The subcontractor is held to the same HIPAA requirements in the use of protected information. However, subcontractors are not subject directly to HIPAA for violations. Instead, a subcontractor would be accountable for penalties for a breach of contract with the business associate.
Navigating HITECH and HIPAA can be confusing and overwhelming. Be sure to check out our free HIPAA training videos, or schedule a free consultation to ensure you're on the right path to HIPAA compliance.
More HITECH Act Requirements:
- Covered entities to notify every patient potentially affected by a data breach.
- Business associates to notify covered entities of every patient potentially affected in a data breach.
- All notifications to occur no later than 60 calendar days after the discovery of a data breach.
- All notifications to be documented by the covered entity or business associate.
- The media to be notified if the breach is larger than 500 people.
- The Secretary of Health and Human Services to be notified.