If your business processes protected health information (PHI) in the United States, you’ll need to familiarize yourself with both the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Both laws set legal requirements for handling PHI in the United States and carry strict penalties for violations. For example, two health care networks were each fined $5.5M in two of the largest HIPAA settlements in recent history.
However, each law manages and protects health data in different ways (and for different reasons). Below is a summary of what each law could mean for your business if it processes PHI in any format.
HIPAA vs. HITECH: What Are the Differences?
HIPAA and HITECH are two separate laws with two different goals:
- HIPAA was passed in 1996 and was the first U.S. law to regulate how protected health information was managed. It introduced a set of security controls and privacy rights aimed at reducing fraud and waste in health care. HIPAA defined who was required to comply with its regulations (which HIPAA called “covered entities”) and how they were required to do so in order to protect health data.
- The HITECH Act was passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA) to encourage HIPAA-covered entities to adopt electronic health records (EHRs) for managing PHI. It offered financial incentives, starting in 2011, to providers that adopted EHRs and demonstrated "meaningful use" of them, with payment reductions from 2015 for those that had not. The HITECH Act also strengthened HIPAA's security, privacy, breach notification and enforcement provisions, as described below.
How HITECH Changed HIPAA Compliance for Businesses
The HITECH Act enhances HIPAA in several critical areas that affect compliance. In order to help you better understand how those enhancements may affect your business, we’ve summarized the most critical changes and enhancements below.
For specific information on how both laws pertain to your business, always work with legal counsel skilled in navigating those laws.
HITECH Upgraded HIPAA’s Security Standards For ePHI
HIPAA was passed when most protected health information was still managed on paper. Its Security Rule, finalized in 2003, set the administrative, physical and technical safeguards for ePHI, but before 2009 those safeguards bound only covered entities and carried modest penalties. The HITECH Act applied the Security Rule's safeguards directly to business associates, defined the encryption and destruction standards that make PHI "secured" for breach notification purposes, and gave the framework teeth through mandatory breach reporting and higher penalties.
Some of the parts of HIPAA’s Security Rule that were enhanced include:
- Access Control: Each workforce member must be uniquely identified and authenticated before accessing ePHI, and access must be limited to what their role requires (the Privacy Rule's "minimum necessary" standard).
- Encryption: ePHI at rest and in transit should be encrypted. The Security Rule treats encryption as an "addressable" specification, but under HITECH only PHI encrypted in line with HHS guidance (and whose decryption keys were not also compromised) counts as "secured," so unencrypted data that is lost or stolen is a reportable breach.
- Access Log Usage: Systems must record who accessed or modified ePHI, and when, so that activity can be reconstructed after an incident.
- Audit Monitoring: Those records must be reviewed regularly, and procedures must exist to investigate anomalies and confirm that controls are being followed.
- Risk Assessments: A documented risk analysis must identify threats and vulnerabilities to ePHI and be repeated as systems and threats change.
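As an added illustration of the access-control and access-log standards above (this is not code from the original post or from Auth0), the following Python sketch puts a role-aware authorization check in front of an ePHI store and writes every attempt, granted or denied, to an HMAC-chained audit log whose integrity can be verified later. The patients, users, role policy and signing key are constructed assumptions; in a real deployment the key would be held by a separate logging service or HSM, and the records themselves would be encrypted at rest.

```python
"""Added example: authorization gate plus tamper-evident audit log for ePHI.
Not code from the original post or from Auth0; every name, role, record and
key below is a constructed assumption for illustration only."""
import hashlib
import hmac
import json
import time

# Constructed ePHI store: patient id -> record. (Encryption at rest is a
# separate control and is not shown here.)
RECORDS = {
    "p-1001": {"name": "A. Patient", "diagnosis": "dx-example-1", "billing": "inv-5001"},
    "p-1002": {"name": "B. Patient", "diagnosis": "dx-example-2", "billing": "inv-5002"},
}

# Constructed policy: fields each role may see ("minimum necessary") and the
# patients each user is assigned to (the treatment/payment relationship).
ROLE_FIELDS = {
    "clinician": {"name", "diagnosis"},
    "billing": {"name", "billing"},
}
USERS = {
    "dr-smith": {"role": "clinician", "patients": {"p-1001"}},
    "clerk-jones": {"role": "billing", "patients": {"p-1001", "p-1002"}},
}

# Assumed to live outside the application (HSM or logging service) so that
# compromising the app does not let an attacker re-sign a rewritten log.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


class AuditLog:
    """Append-only log where each entry's MAC covers the previous entry's MAC."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = dict(event, ts=time.time(), prev=prev)
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _mac(entry: dict) -> str:
        # Canonical JSON over every field except the MAC itself; "prev" is
        # inside the body, which is what chains the entries together.
        body = {k: v for k, v in entry.items() if k != "mac"}
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(LOG_KEY, data, hashlib.sha256).hexdigest()

    def verify(self) -> bool:
        """True only if no entry was altered, reordered, or removed."""
        prev = GENESIS
        for entry in self.entries:
            if entry.get("prev") != prev:
                return False
            if not hmac.compare_digest(entry["mac"], self._mac(entry)):
                return False
            prev = entry["mac"]
        return True


class AccessDenied(PermissionError):
    pass


def read_record(log: AuditLog, user_id: str, patient_id: str, purpose: str) -> dict:
    """Return the subset of a patient's record the caller is allowed to see.

    Every attempt is logged before the decision is enforced, so denials
    (a common early signal of credential misuse) appear in the audit trail.
    """
    user = USERS.get(user_id)
    allowed = user is not None and patient_id in user["patients"] and patient_id in RECORDS
    log.append({
        "user": user_id,
        "patient": patient_id,
        "purpose": purpose,
        "outcome": "granted" if allowed else "denied",
    })
    if not allowed:
        raise AccessDenied(f"{user_id} may not access {patient_id}")
    visible = ROLE_FIELDS[user["role"]]
    return {k: v for k, v in RECORDS[patient_id].items() if k in visible}


if __name__ == "__main__":
    log = AuditLog()
    print(read_record(log, "dr-smith", "p-1001", "treatment"))
    try:
        read_record(log, "dr-smith", "p-1002", "treatment")
    except AccessDenied as exc:
        print("denied:", exc)
    print("log intact:", log.verify())
    log.entries[1]["outcome"] = "granted"   # insider tries to hide the denial
    print("log intact after tampering:", log.verify())
```

The clinician sees the diagnosis but not billing data, the same clinician is refused a patient outside their care relationship, and editing the logged denial (or deleting an entry) breaks the chain so `verify()` reports it. Chaining alone does not stop an attacker who also holds the signing key, which is why the key belongs outside the application that writes the log.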
HITECH Extended HIPAA’s Privacy Rights To Electronic Health Records
The HITECH Act strengthened the privacy and access rights that HIPAA grants individuals so that they apply squarely to electronic health records. For businesses that process PHI electronically, this means:
- If you maintain records in an EHR and an individual requests a copy, you must provide it in electronic form (and, on request, transmit it directly to a third party the individual designates).
- Selling protected health information is prohibited unless the individual has given written authorization for the sale, with limited exceptions.
Note that PHI is not limited to formal charts: any individually identifiable health information a covered entity or business associate holds, including medical records, billing records, and conversations about personal health (emails, notes, recorded phone calls, etc.), is PHI whether it is stored on paper or electronically.
HITECH Expanded Which Businesses Must Comply With HIPAA
HIPAA defines covered entities as health plans, healthcare providers, and healthcare clearinghouses (services that convert health data between standard and non-standard formats, such as billing services). These include organizations such as doctors and their offices, hospitals, pharmacies, and health insurers.
The HITECH Act made "business associates" (and, after the 2013 Omnibus Rule, their subcontractors) that create, receive, maintain or transmit PHI on behalf of covered entities directly liable under HIPAA's Privacy and Security Rules. For example, a SaaS business that provides cloud services to doctors or hospitals could be considered a business associate and would be responsible for complying with both HIPAA and HITECH just as any covered entity would, including:
- Following HIPAA/HITECH privacy provisions and not sharing PHI unless permitted to do so under HIPAA's Privacy Rule.
- Adhering to HIPAA/HITECH security provisions, including standards for access control, audit logging, risk analysis, and more.
- Paying HIPAA/HITECH fines and penalties if they disclose PHI to unauthorized parties (through a breach, for instance).
To govern the relationship, a covered entity and each of its business associates must sign a business associate agreement (BAA) that spells out the permitted uses of PHI and the associate's safeguard and breach-reporting obligations; business associates must in turn have BAAs with their own subcontractors that handle PHI.
HITECH Introduced A New Breach Notification Rule
Under the HITECH Act, a covered entity that discovers a breach of unsecured PHI must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more individuals must also be reported to the Secretary of the U.S. Department of Health and Human Services (HHS) within the same 60-day window; smaller breaches are logged and reported to HHS annually. If a breach affects more than 500 residents of a State or jurisdiction, you are also "required to provide notice to prominent media outlets serving the State or jurisdiction." A business associate that discovers a breach must notify the covered entity, which then makes these notifications.
PHI is "unsecured" if it has not been rendered unusable, unreadable or indecipherable to unauthorized persons through encryption or destruction in line with HHS guidance. For businesses, this means that if an attacker (or any other unauthorized party) obtains PHI that was not encrypted in that way, or obtains the data together with the keys, you must follow the breach notification procedures above.
The HITECH Act also places the burden of proof on covered entities and business associates: after an incident you must be able to demonstrate to HHS either that all required notifications were made, or that the data was encrypted and unusable by the party who obtained it (or, under the current rules, that a documented risk assessment showed a low probability the PHI was compromised).
HITECH Increased The Severity of Penalties for Non-Compliance
Penalties under HIPAA's original enforcement regime were often borderline inconsequential for covered entities, so the HITECH Act introduced a four-tiered penalty system keyed to the level of culpability and raised both the per-violation amounts and the annual limits.
However, in April 2019 HHS issued a Notice of Enforcement Discretion stating that applying the same $1.5M annual cap to every tier was not the best reading of HITECH's tiered structure, and it lowered the annual caps for the three lower tiers.
The penalty tiers and base amounts are as follows (HHS adjusts the dollar figures annually for inflation, so the amounts actually assessed are somewhat higher):

| Culpability | Minimum penalty/violation | Maximum penalty/violation | Annual limit |
|---|---|---|---|
| No Knowledge | $100 | $50,000 | $25,000 |
| Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Willful Neglect (corrected within 30 days) | $10,000 | $50,000 | $250,000 |
| Willful Neglect (not corrected) | $50,000 | $50,000 | $1,500,000 |
HITECH Introduced New Information For Training Compliance
Training is a requirement of both the HIPAA Security Rule and the HIPAA Privacy Rule and is loosely defined as whatever is “necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
The HITECH Act did not change the requirement for training or the specificity of the language used to explain what it should contain. But because it enhances HIPAA, it does mean that any additional information introduced under HITECH should be included in your employees’ training program(s) in order to ensure compliance.
For example, because the HITECH Act introduced new technical standards, you will need to make sure your cybersecurity and development teams’ HIPAA training (and the training for anyone else who is responsible for ensuring the technical security of PHI within your business) includes these new standards.
Each business is different. Consider the roles and responsibilities of your employees, and make sure they have the training needed to ensure that your business complies with both laws.
Two Critical Ways to Better Secure ePHI
According to the HHS breach portal (the "wall of shame"), most reported breaches of ePHI result from hacking/IT incidents or from unauthorized access or disclosure. Two controls therefore do most of the work in keeping the ePHI you process secure:
- Data encryption: Properly encrypted ePHI is useless to an attacker who obtains it without the keys, which protects individuals even after a breach and keeps the incident outside the "unsecured PHI" definition. Keys must be managed separately from the data, since an attacker who gets both has the plaintext.
- Access control: The more tightly you control and authenticate who can reach sensitive health data, and what each role can see, the lower the chance of unauthorized access in the first place (including by an attacker using stolen credentials).
Auth0’s Identity as a service (IDaaS) platform offers features to easily control who has access to sensitive health data within your organization, thereby allowing you to configure Auth0 to meet your HIPAA/HITECH needs.
About Auth0
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.
About the author
Adam Nunn
Sr. Director of Governance, Risk, and Compliance