HIPAA and the HITECH Act 101

Your rights with regard to the privacy and security of your protected health information

  • HIPAA requires the confidential handling of patients’ individually identifiable data, as well as its protection.
  • The Privacy Rule and the Security Rule are important for electronic health information exchange.
  • The HITECH Act boosts the enforcement of HIPAA regulations.
  • Organizations that don’t comply with HIPAA regulations can incur steep fines and penalties.
A computer screen with the word "security" on it.

When you visit a healthcare provider, they generate and retain a lot of sensitive data about your health and medical history. This information is protected under the following federal laws: HIPAA and the HITECH Act. Here’s what you need to know.

What Is HIPAA?

HIPAA is the commonly-used acronym for the Health Insurance Portability and Accountability Act of 1996. It was established in order to:

  • Enable U.S. workers to transfer and continue health insurance for themselves and their families when they lose their job or accept a new one
  • Reduce healthcare abuse and fraud
  • Set standards for healthcare data during processes such as electronic billing
  • Legally require the confidential handling and safeguarding of protected health information

There are two parts of HIPAA that are specifically important when it comes to release of information services. These are the Privacy Rule and the Security Rule.

The Privacy Rule deals with access, protection, and authorization of a patient’s protected health information — PHI. It does the following:

  • Determines when and how PHI may be disclosed.
  • Provides you with the right to access your own health records.
  • Gives you the right to receive a copy of your health records.
  • Allows you to check and if relevant correct the information in your health records.
  • Gives you the right to know who has seen your private health information.

HealthIT.gov provides a series of short videos about your rights under the Privacy Rule.

The Security Rule lays out standards regarding the technology organizations use to store, access, process, or transmit PHI. It deals with the level of security organizations must meet to adequately protect PHI. For example, it dictates that PHI encryption must meet a specific government-set standard.

What Is the HITECH Act?

The HITECH Act is part of the American Recovery and Reinvestment act of 2009. Officially, it’s known as the Health Information Technology for Economic and Clinical Health Act. 

It boosts the enforcement of HIPAA regulations and enables the Department of Health and Human Services — HHS — to promote health information technology. The purpose of this is to improve the quality, safety, and efficiency of healthcare. Health IT includes electronic health records, as well as private and secure electronic health information exchange.

The HITECH Act was signed into law because increasingly more hospitals, physicians, and other covered entities are sharing electronic health records — EHRs. This allows them to significantly help reduce the cost of healthcare. 

However, a great deal of the information they share is individually identifiable data. That’s why the HITECH Act increased healthcare providers’ legal liability for non-compliance with HIPAA regulations. As a result, patients enjoy more privacy and security protection when it comes to their PHI.

Here’s a brief overview of how the HITECH Act enhances HIPAA regulations.

Business Associates Are Covered Under HIPAA Regulations

The HITECH Act determined that “business associates” of healthcare providers and other covered entities have to comply with the HIPAA Privacy Rule and Security Rule. Business associates refers to billing firms, banks, and claims clearinghouses. It also refers to software companies and health information exchanges that have access to protected health information — PHI.

The Breach Notification Rule

Covered entities and their business associates must notify patients of any unsecured breaches of their individually identifiable health information. A breach is the unauthorized access, acquisition, disclosure, or use of PHI that compromises the privacy or security of the information. 

Organizations must notify the HHS of data breaches that involve the sensitive information of 500 or more patients. They must also alert local media and the State Privacy Officer. Additionally, they have to inform every patient how they’ve been affected and what steps they’re taking to remedy the breach. In some cases, they have to offer patients free access to their credit reports.

Sometimes, the data involved in a breach is unreadable due to encryption. If this is the case, the organization doesn’t have to report the breach. However, all data encryption has to comply with government-set standards.

Stricter Auditing, Enforcement, and Penalties

The HITECH Act established stricter auditing and enforcing of HIPAA regulations. It also enabled more stringent penalties for non-compliance.

The HHS can punish organizations that are in willful neglect of HIPAA regulations with penalties of as much as $250,000. If an organization either repeats a violation or doesn’t correct it, fines can increase to $1.5 million.

The HHS can also hold organizations, as well as individuals within those organizations, accountable for breaches of protected health data. A violation can be as much as $1.5 million. On top of that, criminal penalties can be levied. 

Due to the possibility of incurring high fines, a growing number of organizations are more mindful of HIPAA-compliance.

Use a Release of Information Company You Can Trust

With a growing number of healthcare providers storing patients’ PHI in electronic format, HIPAA and the HITECH Act ensure that PHI is adequately protected. At ChartRequest, our software and ROI workflows are completely HIPAA-compliant and comply with the latest regulations from the federal government. So when you need to send your medical record to a specialist or another third party, use a release of information firm you can rely on — like ChartRequest.

Read our white paper “We’ve got HIPAA covered.”