What is HIPAA, HITECH, and its Objectives?
Health Insurance Portability and Accountability Act (HIPAA), a US federal law, issued in 1996, upholds the data privacy and security of protected health information (PHI) and provides guarantees to patients that their data is handled in a safe and secure way.
HIPAA is created to:
- Improve the portability and accountability of health insurance coverage for employees between jobs
- Combat fraud and abuse in health insurance and healthcare delivery
- Promote the use of medical savings accounts by introducing tax breaks, provides coverage for employees with pre-existing medical conditions
- Simplify the administration of health insurance
Health Information Technology for Economic and Clinical Health Act (HITECH Act), issued in 2009, promotes and expands the adoption of health information technology, specifically, the use of electronically protected health information (ePHI) by healthcare providers and tightens HIPAA compliance. HITECH is created as an extension to HIPAA to cover:
- Improvement of healthcare quality, safety, and efficiency
- Application and use of health information technology standards and reports
- Testing of health information technology
- Grants and loans funding
- Privacy and security of electronic health information
- Revisions to permitted uses and disclosures of PHI
- Business associates are prevented from using ePHI for marketing purposes without authorization
- Patients are given the right to change/revoke any authorizations they had previously given
- Requirements for accounting for disclosures of PHI
- Maintaining records of disclosures including to whom PHI had been disclosed and for what purpose.
The HIPAA Final Omnibus Rule of 2013 expands regulations for privacy, requirements for breach notifications, business associate liabilities, and business associate agreements. This rule mandates business associates of covered entities also subject to HIPAA compliance and audits.
For which businesses HIPAA and HITECH Acts are applicable?
It is applicable to practically all health plans, health care clearing houses, health care providers and endorsed sponsors of the medical care prescription drug discount card. These entities, directly create., maintain, and use PHI on a regular basis, are referred to as “HIPAA Covered Entities” under the Act.
“Business Associates” of “Covered Entities” are also covered by HIPAA. Business Associates entities provide third party services during which they will encounter PHI. Prior to undertaking a service on behalf of a Covered Entity, a Business Associate must sign a Business Associate Agreement guaranteeing security and privacy of any PHI to which it has access.
It is not applicable to entities dealing neither with patients’ personal data nor patients’ health information.
What happens in case of HIPAA violations?
- The HIPAA regulations are enforced by the U.S. Department of Health & Human Services´ Office for Civil Rights, while state Attorney Generals can also act against parties discovered not to be compliant with HIPAA.
- The Office for Civil Rights has the authority to impose fines on Covered Entities and Business Associates for violations of HIPAA and data breaches unless the offending party can demonstrate a low probability that health information has been compromised.
- Civil and criminal penalties could be issued directly to business associates for the failure to comply with HIPAA Rules regardless of whether a data breach had occurred or not.
- Penalties of HIPAA violations, in 4 levels of negligence, range from USD 100 to USD 50,000 per violation and maximum of USD 1.5 million per year of violation of identical type.
- Restitution may also need to be paid to the victims.
- In addition to the financial penalty, imprisonment is likely for a criminal violation of HIPAA Rules.
Benefits of HIPAA and HITECH
While the initial cost of investment in the necessary technical, physical, and administrative safeguards to secure patient data may be high, the improvements can result in cost savings and higher revenue over time because of improved efficiency.
Since healthcare organization employees’ workflows are streamlined, and the workforce has become more productive, healthcare organizations can reinvest their savings and deliver a higher standard of healthcare to patients.
Challenges to Implement HIPAA + HITECH
- The technologists are often unaware of the expectations of these Acts of Law
- Initial high investment of securing data/information
- Shorter time-to-market may overlook requirements of the Act
B2B perspective for sharing data
Data Protection Agreements for guarantees of security and privacy of PHI need to be established prior to sharing of PHI among covered entities and their business associates
Technology controls need to be established to managed to prevent and detect any loss of data privacy and security by covered entities and their business associates