Stay HITECH Compliant

Easy ways to maintain HIPAA and HITECH compliance for covered entities

HITECH Compliance

What is HITECH?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17th, 2009. The purpose of the HITECH Act is to promote the adoption and meaningful use of information technology in the healthcare industry. HITECH, while separate from HIPAA, enhances the enforcement that takes place when HIPAA is violated or a data breach occurs. Similar to HIPAA, the HITECH Act functions in two parts, privacy and security. One way that the HITECH Act strengthens HIPAA regulation is by establishing four tiers of violations that reflect different levels of culpability. In this article, we will evaluate the various aspects of the HITECH Act in simple steps any medical provider or covered entity can take to decrease the risk of a violation or breach.

Business Associates of Covered Entities

Business Associates. This term is thrown around in HIPAA and HITECH language all the time. What is a business associate? In HHS regulation, a business associate is any vendor, contractor, partner, or other third party that has direct or indirect access to protected health information (PHI). Why is it important to worry about what they are doing? They are professionals, experts even, in their field, and surely they are safe with the data. While that may be true, everyone is human, and mistakes are made or attitudes change. It isn't uncommon for a vendor to be the cause of a breach. Section 13401 of the HITECH Act discusses the provisions and penalties that are, and need to be, considered when managing business associates. Part (a) of this section provides that business associates are held to the same HIPAA and HITECH requirements as a covered entity, that's you. Part (b) then states that because they are held to the same requirements as the covered entity, it is the covered entity's responsibility to notify them and, with diligence, ensure they are taking the same precautions to protect PHI. What do we do about all of this cross-pollination of responsibility? How does a practice ensure that its business associates are trusted with PHI and that, if PHI is misused, the practice isn't liable? This is where the business associate agreement (BAA) comes into play. The BAA provides for the transfer of liability between the covered entity and the business associate. Therefore, if one party experiences a breach that is outside the control of the associated party, the associated party is not liable for that breach. Zekteck recommends that ALL third parties working with your company have a BAA, whether they work with PHI or not.

Notification In Case of Breach

What do you do in the case of a breach? What even is a breach? "The term 'breach' means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information" is the definition of a breach set forth by Health and Human Services in their outline of the HITECH Act. When information is disclosed to an unauthorized party, or parties, what is the next step? There is no big red button that can be hit. There is no HIPAA 911 phone number that we can call. So what's the plan? HITECH regulates that plan for covered entities. One step that is required is to notify all individuals whose information was compromised by the breach. If the breach was experienced by a business associate, then the business associate must provide that same information to the covered entity. The business associate and the covered entity both have 60 days from the discovery of the breach to notify the individuals affected. Individuals are notified by the best HIPAA-compliant means available, either directly or through their next of kin. If it is known or discovered that at least 10 individuals' contact information is out of date, the notification of the breach must become public: either a public media posting or a posting on the homepage of the covered entity's website, along with a toll-free number. If more than 500 individuals' information is affected, a local media news outlet must make an announcement and a statement must be submitted to the Secretary of HHS, which will include a public posting on the HHS website. It is very important to maintain security protocols and patient contact information in order to reduce the risk of what is often the biggest damage of a breach: loss of reputation.

Restriction on Disclosures of Information

Disclosing PHI is a necessary part of providing patient-first, comprehensive care between providers and health plans. There are several allowable reasons to disclose PHI, so why all of the hullabaloo about keeping it private? HITECH determined that while it is allowable to share PHI for the payment of care or for referring out care, only the minimum amount of data needed for the purposes of the transaction may be shared. For example, if a dentist is billing insurance for a root canal, they do not have to include in their disclosure to the health plan anything pertaining to orthodontic work that the patient is also receiving. The health plan only requires the minimum amount of information to process the claim, and that is all that should be shared with them.

This section of HITECH also forbids the sale of PHI, with a few exceptions. A covered entity or business associate may require remuneration for the exchange of PHI if the exchange is for an authorized or permitted disclosure and the transmission of the PHI carries a cost. But what does that actually mean? It essentially means that if, for example, a business associate is required to print patient records for a covered entity for the purposes of operations, the business associate may charge the covered entity for the paper and the time spent doing the labor. This is different from selling PHI to a pharma company so they can make the next best skin product. This is part of the authorized HIPAA disclosure paperwork that every patient is REQUIRED to sign before seeing a provider. Patient authorization is key in determining which disclosures of PHI are allowable.

Enforcement and Fines

HITECH updates the method by which the Office for Civil Rights, the sub-agency of HHS that determines the violation level of fines, enforces HIPAA violations, basing fines on the level of culpability that the covered entity or business associate demonstrated. Each tier also takes into account whether corrective action has been taken within 30 days of the violation being discovered.

Tier 1: Lack of Knowledge

The first tier is considered the most "innocent." Lack of knowledge is when a covered entity or business associate is unaware of a violation and could not have realistically avoided it. Evidence is also present that reasonable care has been taken to abide by the rules of HIPAA and HITECH, again with the consideration that corrective action will be taken within 30 days of discovering the violation. The fine for this type of violation is $100 per violation with an annual maximum of $25,000 per entity per requirement violated per calendar year.

Tier 2: Reasonable Cause

Reasonable cause is when there is a violation that a covered entity or business associate should have been aware of but could not have avoided, even with a reasonable amount of care. The fine for this type of violation is $1,000 per violation with an annual maximum of $100,000 per entity per requirement violated per calendar year.

Tier 3: Willful Neglect

The third tier is called willful neglect; however, an effort is made to take corrective action within 30 days after the violation is discovered. The violation is considered a direct result of willful neglect of HIPAA and HITECH requirements. The fine for this type of violation is $10,000 per violation with an annual maximum of $250,000 per entity per requirement violated per calendar year.

Tier 4: Willful Neglect with No Attempt to Correct

In cases of willful neglect where no effort is made to take corrective action, the fine is $50,000 per violation with an annual maximum of $1,500,000 per entity per requirement violated per calendar year.

Lewis Mandichak
Co-Founder/ CEO

*This page is not to be used as an official HIPAA Compliance Checklist.

Everyone Makes Mistakes, Let's Fix Them Together

Zekteck will keep your practice as HIPAA and HITECH compliant as possible while saving you time and money with our automated HIPAA compliance platform and premium data security services. 


Quiz Your HIPAA Knowledge!

Which of the following is not a section of HIPAA:
True or False: Practices are shielded from liability if a vendor or contractor breaches HIPAA.
True or False: Practices will not be charged a fine if they were unaware of risks that caused a breach.
On average, a HIPAA violation fine is:
___% of healthcare organizations have experienced at least one data breach in the last 12 months.
If a data breach occurs involving more than 500 individuals, how long does a practice have to report it?
Which of the following documents are required per HIPAA?
How long must a practice keep HIPAA-related documents?
Which of the following is not a common cause of a HIPAA violation: