HIPAA and HITECH are closely related sets of regulations that strive to secure Personal Health Information (PHI) from unauthorized access, dissemination, and exploitation. While HIPAA (the Health Insurance Portability and Accountability Act) has applied since 1996, the HITECH Act (Health Information Technology for Economic and Clinical Health Act) only came into effect in 2009. Both sets of regulations established ways to ensure the privacy of medical information and to keep it a priority for the healthcare industry.
HIPAA informs HITECH and vice versa
With the enactment of HITECH, both acts have subsequently received updates informed by issues identified in the other. The main differences between the two acts are the penalties levied and the extension of responsibility for breach notifications.
HITECH Penalty Structures
Previously, HIPAA was ineffective in dealing with noncompliant entities (called Covered Entities) because the fine structures weren't severe enough. HITECH corrected that by introducing violation tiers with much harsher fines, ensuring companies can no longer opt to simply pay the fines. The tiers increased fines from $100 to $50,000 per violation while setting the maximum fine at $1.5 million. Healthcare facilities simply can no longer afford noncompliance with HIPAA and HITECH requirements.
HITECH Breach Notifications
Previously, Business Associates of healthcare insurance Covered Entities were only contractually obliged to comply with the breach notification rule. Business Associates are now also required to report any breach of electronic PHI to the Office for Civil Rights (OCR), the Covered Entity and, in some cases, the media.
If a breach affected fewer than five hundred individuals, there is no time limit for reporting it. For any breach in excess of that number, there is a sixty-day time limit from discovery of the unauthorized access. Essentially, HITECH extends legal liability to any associated entity that also handles PHI.
Enforcing Data Security in the Healthcare Industry
Data security remains critically important in most industries, and in the healthcare professions even more so. A data breach can cause untold damage to both patients and facilities. HITECH addressed the shortcomings of HIPAA by forcing entities to acknowledge the importance of data security and to proactively establish control systems.
Healthcare Data Security Best Practices
In order to secure a patient’s information, facilities need to implement technical safeguards at every access point. These technical safeguards apply to the networked infrastructure that hosts private information.
Technical safeguards include:
● Access Control and Audit Trails
● User Authentication and Unique Identity
● Transmission and Storage Security
The safeguards do not reference specific technologies, thereby placing the onus on the entity to ensure it is using the best possible controls at its facility. Additionally, Covered Entities are now responsible for ensuring that their Business Associates comply. As both HIPAA and HITECH require yearly audits to be conducted and submitted to the OCR, noncompliance will result in automatic fines.
The Differences between HIPAA and HITECH
Both HIPAA and HITECH seek to secure the PHI of patients and individuals. Disclosure of any medically related information is tightly controlled, and access and transmission are limited. As HITECH was enacted later than HIPAA, the lessons learned informed the updates and the regulations adapted accordingly.
Patients' rights also differ under the two acts. HIPAA didn't grant patients access to information about disclosures (authorized or not) relating to their information. HITECH now requires that patients have access to a record of every disclosure of PHI via Access Reports, maintained by the entities that process, transmit, or store the information. The report should include who accessed the information and under which authority access was granted.
Technology Solutions that ensure HIPAA and HITECH Compliance
Developing technologies that cater to compliance requirements isn't new. For the healthcare industry, RightFax is one such technology. Records must be transmitted between service providers, and a digital solution for doing so was lacking. RightFax uses a centralized fax server to provide a digital solution that enables compliance with regulatory requirements. The software maintains a complete and comprehensive audit trail for every transmission, and it leverages digital infrastructure and document management processes to do so efficiently.
RightFax allows companies to move toward digital transformation without needing wholesale infrastructure upgrades from service providers and Business Associates. It integrates with email, document management solutions, and desktop applications while supporting current fax-dependent PHI processes and record-keeping practices.
In addition to the above, managed IT service providers now specialize in HITECH and HIPAA compliance requirements. Solutions ensure controlled access, encrypted communication, and classification of electronic medical records.
Make HIPAA and HITECH Compliance easier with DSi Managed IT Services and Solutions
Document Solutions Inc. (DSi) provides best-in-class, compliance-ready solutions to the healthcare industry. From assessment to rollout, their consultants can provide expertise and proven solutions that cover all aspects of the HIPAA and HITECH compliance frameworks. With managed network services that provide office and facility productivity enhancements, healthcare entities can reduce the total cost of compliance.
To get expert advice and details on the best technological practices available today, contact DSi and speak to one of their consultants.