HIPAA is a detailed and comprehensive set of regulations governing IT systems and data handling in the healthcare industry. As times have changed, the language of HIPAA has evolved to address those changes. One of these updates is the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. This law updated HIPAA and directed healthcare entities to adopt digital record keeping and current security technologies.
Here, we’ll cover some of the basics of HITECH and what it changed in the language of HIPAA.
What is the HITECH Act?
The Health Information Portability and Accountability Act (HIPAA) defines the essential security requirements and obligations that healthcare providers and their business partners must follow to protect patient information. Personal Health Information, or PHI, was deemed a sensitive form of information about individuals that should be protected against unauthorized disclosure. Accordingly, the government implemented the HIPAA regulations to address the privacy of PHI, particularly in data systems.
As such, HIPAA can refer to many individual compliance guidelines that apply to different organizations. Generally, HIPAA is organized around three rules:
- The Privacy Rule, which defines PHI, how it must be protected and which organizations are governed by HIPAA. These organizations include Covered Entities (CEs: primary care physicians, hospitals, insurance companies, etc.) and Business Associates (BAs: vendors and third-party service providers that work with Covered Entities and handle PHI).
- The Security Rule, which defines the security measures (technical, physical and administrative) that CEs and BAs must implement to protect PHI under the Privacy Rule requirements.
- The Breach Notification Rule, which outlines the procedures and guidelines organizations must follow to report breaches of PHI privacy and security, including when and how to notify affected patients, the public, and government agencies.
President Clinton signed HIPAA into law in 1996. Digital technology was present, and the Internet existed, but the widespread use of digital record keeping technologies was not yet in place. Between 1996 and the early 2000s, many healthcare organizations did migrate to electronic record keeping, but not at a pace or scale that kept up with the quickly evolving digital security landscape. Furthermore, many of the provisions of HIPAA applied to both physical and digital records, yet the privacy rules around digital records were still immature compared to the rapidly innovating cybercrime industry.
The HITECH Act was passed in 2008 and signed into law in 2009 to speed the adoption of electronic systems in the healthcare industry. More specifically, HITECH promoted the adoption of Electronic Health Records (EHR) to protect what would be known as electronic PHI (ePHI).
The HITECH Act accomplished three major goals:
- Shifting healthcare record keeping, including payment information, health records, and other PHI, away from physical records to EHR, and placing enforcement of these and other requirements under the Department of Health and Human Services (HHS) jurisdiction.
- Creating and including the Breach Notification Act to legally define the obligations of CEs and BAs in the event of a breach.
- Including Business Associates as parties who can be held legally responsible for HIPAA violations.
In short, Congress passed this law to modernize healthcare record keeping and PHI protections. By moving from physical to electronic records, healthcare providers can manage records more efficiently and securely while maintaining their integrity and privacy.
What is the Omnibus Rule?
HITECH was an update of sorts for HIPAA. Likewise, the Omnibus Rule, released in 2013, modified and updated several aspects of both HIPAA and HITECH.
Some of the immediate changes that the Omnibus Rule added to healthcare law include:
- Modifications to the Privacy, Security and Breach Notification Rules.
- Finalization of the Enforcement Rule, which increased the potential penalties for civil and criminal violations of HIPAA.
- Expansion of the Privacy Rule to cover genetic information.
- Allowing patients who pay out of pocket for care to require that providers refrain from sharing information about that care with their health insurance company.
- Expanding the accountability of Business Associates to match that of the Covered Entities they work with.
This language, while somewhat esoteric, implemented a firm compliance standard in which PHI is protected by CEs and BAs, all parties are responsible for protecting that data (and are prohibited from selling it or using it for marketing), and patients have control over how their data is shared, particularly with insurance companies.
How Can I Ensure That My Organization Meets HIPAA Requirements?
Large CEs typically have dedicated IT, compliance and legal teams managing their HIPAA obligations full-time. However, if you are a smaller CE or a Business Associate of a CE, you may not have that luxury. There are, however, some straightforward steps you can take to meet HITECH and HIPAA requirements:
- Security: You must implement all security requirements defined under the Security Rule, including encryption, external security and system protection measures. Since your ePHI will inevitably live on a network system, these measures are non-negotiable.
- Physical Media Protection: A lost laptop or tablet that exposes PHI can cost your organization millions. Outside of technical security, ensure all data centers, workstations and devices are secured against outside theft or unauthorized use.
- Use Only EHR: While you may still generate physical notes such as paper prescriptions or chart memos, you must maintain electronic records of all your PHI. This includes invoices, medical requests or anything else related to PHI.
- Utilize the Principle of Least Privilege in All Systems: Least Privilege means that users in an IT system have clearly defined roles and, based on those roles, can access only the minimum system resources and permissions needed to accomplish their tasks. Role-based access controls help ensure that users don't accidentally breach HIPAA and limit the fallout from a breach, should one arise.
- Audit Vendor Relationships Annually: The digital supply chain is increasingly interconnected. Even digital services vendors may rely on other managed service providers for functions like cloud storage or IAM. Those vendors, should they manage PHI for your operation, must adhere to HIPAA and HITECH rules. This process should include having language in vendor contracts for audits, regular reviews of vendor security capabilities, additional reviews, and documented updates from vendors when infrastructural changes occur.
Meet Your HIPAA Requirements with Lazarus Alliance
Developing your HIPAA compliance standards can be difficult, especially if you aren’t fielding a dedicated compliance team. Thankfully, you don’t need such a team. Lazarus Alliance brings decades of experience in compliance and security more broadly, and HIPAA compliance specifically. We can help you streamline HIPAA compliance meaningfully so that you avoid penalties from non-compliance and make audits simple and straightforward.
Ready to Get Started with HIPAA and HITECH Compliance?
Call Lazarus Alliance at 1-888-896-7580 or fill out this form.