HIPAA vs. HITECH: Understanding the difference and how to comply


“There’s gonna be an explosion in the new Congress,” René Quashie, VP of digital health at the Consumer Technology Association, recently told Politico’s Ruth Reader. He was referring to a raft of new legislation looming over anyone and anything that collects, handles, transfers, or shares health data. Lawmakers across the aisle are pushing to strengthen HIPAA so that it protects a multitude of health information that, when the federal health privacy law was enacted, we didn’t even know we’d ever have.

“The 1996 law says covered entities — health care providers, insurers and data clearinghouses — must protect health data. But data collected by health apps, which track everything from weight loss to pregnancy, isn’t,” explains Politico’s Carmen Paun. She adds: “Neither are web searches for symptoms, illnesses or treatments. Data amassed by Fitbits and Apple Watches is also unprotected, meaning it can be sold or shared without a user’s consent.” The same goes for health records physicians share with patients under the 21st Century Cures Act.

Which data protection bills will become law and what they will accomplish is yet to be seen. In the meantime, let’s take a closer look at the legislation that did make strides in tightening rules on healthcare providers to keep electronic health records safe from prying eyes.

In this post, we’ll take a deep dive into the HITECH Act, short for Health Information Technology for Economic and Clinical Health Act, including how it came to be, what overlaps and what’s different between HIPAA and HITECH, and how to ensure compliance with both.

HIPAA: meaning and implications for personal health information accessibility

As we explored in our previous posts on the HIPAA minimum necessary standard and technical safeguards, the Health Insurance Portability and Accountability Act was passed by the US Congress and signed into law by President Bill Clinton in 1996. Its primary purpose was to protect health care coverage for people who had lost or changed their jobs. More specifically, it aimed to help more Americans get health insurance coverage, prevent employees from losing their health insurance between jobs, and minimize waste, fraud, and abuse in health insurance and healthcare delivery.

However, because technology, and the risks it brought to the privacy of personal information in the healthcare space, evolved so rapidly, the law’s privacy provisions were already somewhat outdated by the time they came into effect. Policymakers therefore introduced the HIPAA Privacy Rule in December 2000 and the HIPAA Security Rule in February 2003. The former sets national standards for the protection of individually identifiable health information; the latter protects the confidentiality, integrity, and availability of electronic protected health information, or e-PHI.

What is HITECH? Meaning, purpose and benefits

The HITECH Act of 2009, or Health Information Technology for Economic and Clinical Health Act, was enacted as part of the American Recovery and Reinvestment Act (ARRA). That economic stimulus package was signed into law by President Obama in an effort to jumpstart the US economy and save jobs jeopardized by the Great Recession of 2008. Among its key priorities, ARRA aimed to provide the investment needed to boost economic efficiency by spurring technological advances in science and health.

That’s where the HITECH Act came into the picture. According to HIPAA Journal, the five goals of the legislation coincided with those of the US healthcare system, namely:

  1. improve quality, safety, and efficiency;
  2. engage patients in their care;
  3. increase coordination of care;
  4. improve the health status of the population; and
  5. ensure privacy and security.

To turn these objectives into reality, the legislation promoted the use of health information technology, gave patients more control over their health records, bolstered the adoption of Health Information Exchanges, and reinforced the privacy and security provisions of the Health Insurance Portability and Accountability Act.

EHR adoption: has HITECH delivered on its biggest promise?

The HITECH Act spurred unprecedented gains in the adoption of electronic health records, or EHRs, which was a key component of the legislation. It did so by promising eligible professionals incentive payments of up to $63,750 over 6 years under Medicaid and a maximum of $44,000 over 5 years under Medicare if they adopted and demonstrated “meaningful use” of certified EHRs.

Research shows that before the HITECH Act came into effect, EHR adoption among eligible hospitals had been rising by a modest 3.2 percentage points annually. After the $27 billion incentive program took off, the annual rate jumped to 14.2 percentage points, and the share of acute care hospitals using EHRs expanded from 28% in 2011 to 84% in 2015.

HIPAA, HITECH: the key difference between the two US healthcare laws, explained

The main difference between HIPAA and HITECH lies in the fact that the former was designed to ensure the continuation of health insurance coverage for employees between jobs, while the latter was designed to promote the adoption and meaningful use of health information technology through funding. That said, patient rights are another area where the two laws diverge, HIPAA Journal points out.

Before HITECH, the HIPAA Privacy Rule’s accounting-of-disclosures right did not cover disclosures made for treatment, payment, and health care operations, so patients had no way of finding out who their ePHI had been shared with for those routine purposes.

In 2011, the Department of Health and Human Services proposed modifying the HIPAA rules to implement the statutory requirement under HITECH “to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record.”

But more importantly: how did the HITECH Act strengthen HIPAA provisions?

In more ways than one. Firstly, as HIPAA Journal explains, it extended the HIPAA Security Rule to business associates of covered entities, making them directly accountable for using or disclosing protected health information in a way other than what HIPAA, or the agreement between the covered entity and its business associate, authorizes.

Secondly, as we’ve already mentioned, the HITECH Act granted patients the right to ask covered entities to release their PHI in electronic form if they keep medical records in such form, and if the information requested can be readily produced in electronic format. This is on top of patients’ right to check who their PHI had been disclosed to and for what purpose.

Another development the HITECH Act brought about was the Breach Notification Rule, under which covered entities and their business associates must notify affected individuals without unreasonable delay, and no later than 60 days after discovery, if a breach of unsecured protected health information occurs. If 500 or more individuals are affected, the US Department of Health and Human Services must also be notified within the same window, along with prominent media outlets serving the state or jurisdiction where those individuals reside; smaller breaches are logged and reported to HHS annually.

HITECH and HIPAA compliance: better safe than sanctioned

The HITECH Act also strengthened HIPAA enforcement by raising the minimum and maximum civil money penalties organizations face for failing to meet HIPAA and HITECH Act requirements. Penalties for HITECH and HIPAA violations are based on how much knowledge the covered entity or business associate had of its failings and whether it took timely action to remedy non-compliant behavior. HITECH and HIPAA violation fines fall into four tiers, as follows:

  • The organization didn’t know and, by exercising reasonable diligence, wouldn’t have known that it was in violation of the law. Fines for this tier start at $100 per violation.
  • The HITECH or HIPAA violation was due to reasonable cause and not a result of willful neglect on the organization’s part. The minimum fine in this case is $1,000 per violation.
  • The violation occurred due to willful neglect but the unlawful behavior has been remedied by the company in a timely manner. Fines here begin at $10,000 per violation.
  • The HITECH or HIPAA violation resulted from the entity’s willful neglect and wasn’t rectified in a timely fashion. Minimum CMP amount: $50,000 per violation.

Since April 2003, the HHS Office for Civil Rights has received over 309,475 HIPAA complaints, initiated 1,053 compliance reviews, and settled or imposed a civil money penalty in 126 cases, totaling $133,519,272.

How to boost HIPAA and HITECH compliance: 4 tips + HITECH compliance checklist

1. Err on the side of being too safe
To avoid data breaches, healthcare industry players should be mindful that technology, whether it’s used to protect or to misuse health information, is constantly evolving. This is exactly why lawmakers worded the HIPAA encryption rules in technology-neutral terms and placed them in the category of “addressable” implementation specifications.

Make no mistake: “addressable” does not equal “nice to have.” Under the Security Rule, an addressable specification must either be implemented or, if it is not reasonable and appropriate for your environment, the reason must be documented and an equivalent alternative measure put in place. As per HHS’s recommendations, think about how and how often you transmit e-PHI, whether encryption is needed to protect e-PHI in transit, and what encryption methods would best replace risky email attachments and file transfer methods.

2. Have your policies and protocols in place
As we’ve mentioned earlier, HITECH reinforced patients’ access to ePHI. In particular, it granted individuals the right to obtain a copy of their protected health information in an electronic format wherever the covered entity maintains such records electronically. Make sure to implement efficient procedures to retrieve the right data from the right sources within the allotted time window for fulfilling such requests, which under the HIPAA Privacy Rule is 30 days, extendable once by a further 30 days.

3. Keep things on a need-to-know basis
Nip potential HIPAA and HITECH violations in the bud by using role-based permissions and granular controls, allowing employees and business associates access only to the information assets and systems their role requires, and only to the minimum necessary fields within them. Plus, keep and monitor logs of who accessed, or attempted to access, protected health information and when, and perform periodic log and permission audits.
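As an added example, not code from the original post or from Tresorit, the following Python sketch shows one way to put tip 3 into practice: a role-based, field-level gate in front of PHI records (so each role sees only the minimum necessary fields), an append-only audit log that records both granted and denied attempts, and an audit routine that pulls out denied attempts and users who read an unusual number of patients. The role names, field sets, patient records, and the bulk-access threshold are all constructed assumptions for illustration.

```python
"""Role-based, field-level access to PHI with an append-only audit log.

Added example, not from the original post. Roles, field sets, patients and
the bulk-access threshold are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Minimum-necessary policy: each role sees only the fields its job needs.
# These role names and field sets are assumptions for the example.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnoses", "medications", "allergies"},
    "billing": {"name", "dob", "insurance_id", "procedure_codes"},
    "front_desk": {"name", "dob", "phone"},
}

# Constructed sample records (fictional patients, fictional identifiers).
PATIENTS = {
    "P001": {"name": "A. Example", "dob": "1980-01-01", "phone": "555-0100",
             "insurance_id": "INS-1", "diagnoses": ["E11.9"],
             "medications": ["metformin"], "allergies": [],
             "procedure_codes": ["99213"]},
    "P002": {"name": "B. Example", "dob": "1975-05-05", "phone": "555-0101",
             "insurance_id": "INS-2", "diagnoses": [], "medications": [],
             "allergies": ["penicillin"], "procedure_codes": []},
    "P003": {"name": "C. Example", "dob": "1990-09-09", "phone": "555-0102",
             "insurance_id": "INS-3", "diagnoses": ["J45.20"],
             "medications": ["albuterol"], "allergies": [],
             "procedure_codes": ["99214"]},
}


@dataclass(frozen=True)
class AccessEvent:
    """One audit-log entry: who tried to read what, and what was released."""
    when: str
    user: str
    role: str
    patient_id: str
    outcome: str          # "granted" or "denied"
    fields: tuple         # field names actually released (empty when denied)
    reason: str = ""


class PhiStore:
    """Gate in front of PHI records: every read is checked and logged."""

    def __init__(self, records, log=None):
        self._records = records
        self.log = log if log is not None else []   # append-only audit trail

    def _record(self, user, role, patient_id, outcome, fields=(), reason=""):
        ts = datetime.now(timezone.utc).isoformat()
        self.log.append(AccessEvent(ts, user, role, patient_id, outcome,
                                    tuple(sorted(fields)), reason))

    def read(self, user, role, patient_id):
        """Return only the fields the caller's role may see, logging the attempt."""
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._record(user, role, patient_id, "denied", reason="unknown role")
            raise PermissionError(f"role {role!r} may not read PHI")
        record = self._records.get(patient_id)
        if record is None:
            # Log the miss too: probing for identifiers is worth seeing in review.
            self._record(user, role, patient_id, "denied", reason="no such patient")
            raise LookupError(patient_id)
        released = {k: v for k, v in record.items() if k in allowed}
        self._record(user, role, patient_id, "granted", fields=released.keys())
        return released


def audit(log, max_patients_per_user=2):
    """Periodic log review: denied attempts plus users reading many patients.

    max_patients_per_user is an assumed threshold; a real deployment would
    derive it from each role's normal workload.
    """
    denied = [e for e in log if e.outcome == "denied"]
    patients_per_user = {}
    for e in log:
        if e.outcome == "granted":
            patients_per_user.setdefault(e.user, set()).add(e.patient_id)
    bulk_readers = {u: len(p) for u, p in patients_per_user.items()
                    if len(p) > max_patients_per_user}
    return {"denied": denied, "bulk_readers": bulk_readers}


if __name__ == "__main__":
    store = PhiStore(PATIENTS)
    print(store.read("dr_lee", "physician", "P001"))   # clinical fields only
    print(store.read("clerk", "front_desk", "P001"))   # name, dob, phone only
    try:
        store.read("visitor", "janitor", "P001")
    except PermissionError as exc:
        print("denied:", exc)
    for pid in PATIENTS:
        store.read("temp_billing", "billing", pid)     # reads every patient
    report = audit(store.log)
    print("denied attempts:", [(e.user, e.reason) for e in report["denied"]])
    print("bulk readers:", report["bulk_readers"])
```

The point of logging denied attempts alongside granted ones is that the denials are usually the more interesting half of the audit: an unknown role or a probe for non-existent patient identifiers is exactly what a periodic permission and log review should surface. Bulk-read detection is deliberately simple here; in practice the threshold would be set per role and per shift rather than as a single number.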

4. Turn employees into your first line of defense
It’s crucial that covered entities and their suppliers address relevant HITECH provisions as part of the mandatory HIPAA training they offer staff. The most critical areas to cover include the Breach Notification Rule, with a focus on when to report a breach and whom to notify, as well as the consequences of HIPAA violations such as failing to report a security incident, including internal disciplinary action and civil penalties.

Need more help to improve your HITECH compliance? Here’s a comprehensive HITECH compliance checklist to get started. Looking for a HIPAA-compliant, encrypted cloud storage and file sharing solution for managing medical records? See what Tresorit can do for you.