The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into effect in 2009, and upon its mandate, $19.2 billion was allocated toward increasing the use of Electronic Health Records (EHR) by physicians and hospitals. However, this increase in healthcare data being managed electronically ultimately made the medical community vulnerable to data breaches as their patients’ personal information became high risk. Because of this, the HITECH Act had a significant effect on the Health Information Portability and Accountability Act (HIPAA), where regulations needed to become more stringent in order to combat the enhanced risk of cyber threats.
HITECH changed the game drastically by expanding the compliance requirements of HIPAA. In fact, the original HIPAA requirements pale in comparison. What’s more, it forced healthcare organizations to make compliance a top priority. If you’re an IT provider servicing the healthcare industry, here are the most significant changes you need to be aware of.
HIPAA Regulation Updates
A breach of personal health information (PHI) is defined as (1) an access to, use or disclosure of unsecured PHI; (2) a use, access or disclosure that violates the “Privacy Rule”; (3) a significant risk that such access, use or disclosure will cause financial, reputational, or other harm to the patient. When a breach occurs, HIPAA requires healthcare organizations to make a public statement about the occurrence.
Lack of compliance with regulations will lead to severe consequences that will be heavily enforced. This can include significant increases in civil and criminal penalties. A lack of knowledge of compliance requirements will no longer be an adequate defense and all medical professionals will be held accountable to understand their obligations. Here are some examples of how the HITECH Act affected non-compliance violations:
- Maximum fine per regulation was raised from $100 to $50,000.
- Annual cap for all violations has been raised from a maximum of $25,000 to $1.5 million.
- Criminal penalties are now dramatically more severe with the fine being raised from $50,000 to $250,000 and up to 10 years in federal prison.
HIPAA provisions were extended to all business associates who have access to PHI. This includes any organization whose staff has access to PHI, such as a health insurance agency, a medical records storage company, or even a medical translation service. These are just a few examples, and the number of businesses that do have access to PHI is rapidly expanding.
Mandates now require detailed annual self-assessments for all healthcare organizations and their business associates.
As you can see, HIPAA regulations expanded greatly upon the introduction of the HITECH Act, and with the growing number of cyber criminals targeting healthcare organizations, they will continue to expand. The penalties for non-compliance are very expensive: they are based on the level of negligence and can range up to a maximum fine of $1.5 million or even prison time. The penalty structure is composed of 4 different categories:
A HIPAA violation that an establishment commits without knowing it was doing so. This is punishable by a fine of $100 to $50,000 per violation, with an annual maximum of $1.5 million.
A HIPAA violation that occurred even though the medical establishment should have been exercising reasonable diligence and should have known they were committing a violation. This is punishable by a fine of $1,000 to $50,000 per violation, up to $1.5 million per year.
Willful Neglect but Violation is Corrected Within the Required Period
A HIPAA violation that occurred as a result of reckless indifference and intentional failure of compliance requirements. This is punishable by a fine of $10,000 to $50,000 per violation, up to $1.5 million per year.
Willful Neglect but Violation Is Not Corrected Within the Required Period
A HIPAA violation that occurred as a result of reckless indifference and intentional failure of compliance requirements but where the entity did not make any effort to correct the issue. This is punishable by a $50,000 fine per violation with an annual maximum of $1.5 million.
As can be gathered from this information, HIPAA violations have severe consequences, and due to the HITECH Act, the rules became more stringent and difficult to abide by. Not only do healthcare companies face exorbitant fines for violating HIPAA law, they also can’t afford to lose clients’ trust in their ability to safeguard patient information. Therefore, all healthcare organizations and their business associates need to ensure the proper training is administered so that their staff does not unknowingly violate HIPAA policies.
Protecting sensitive data is a significant priority in the healthcare vertical, and IT providers need to make sure they have the proper tools available to meet the needs of their healthcare clients, or risk losing business. As an IT provider, you need to become an expert on HIPAA, pay attention to changing regulations, and be prepared to help your clients not only remain compliant but also prepare for when the HIPAA auditors make an appearance.
By Lily Teplow
By Brian Downey