What is the HITECH Act?
by Kapua Iao
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of medical patients. Since its enactment, the U.S. Department of Health and Human Services (HHS) has established various additions and amendments that ensure even more protections and responsibilities.
RELATED: HIPAA Stands For . . .
In this post, we’ll take a closer look at HITECH, the Health Information Technology for Economic and Clinical Health Act of 2009.
Together, HIPAA and HITECH establish federal standards on the defense of protected health information (PHI). Covered entities and business associates must follow all requirements regarding PHI, individual rights, and administrative responsibilities.
So what is HITECH and how does it relate to HIPAA? And how can Paubox Email Suite and HIPAA compliant email strengthen a healthcare provider’s HIPAA compliance?
A HIPAA review
HIPAA is intended to improve healthcare standards and combat PHI fraud and abuse.
SEE ALSO: What is HIPAA? Or is it HIPPA?
The Act is regulated and enforced by HHS’s Office for Civil Rights (OCR) and consists of five sections (or titles). Most commonly referenced is Title II, which sets the policies and procedures for safeguarding PHI and includes several later rules:
- Privacy Rule (2003): covers the protection of PHI as well as standards for compliance.
- Security Rule (2005): sets necessary security standards to protect electronic PHI (ePHI).
- Enforcement Rule (2006): sets the standards of enforcing HIPAA and penalizing non-compliant healthcare providers.
What is HITECH?
The HITECH Act is part of the American Recovery and Reinvestment Act (ARRA) of 2009. ARRA is intended to support job growth in various public sectors, including healthcare.
HITECH supports two general initiatives: 1) promoting the adoption and meaningful use of electronic health records (EHR) and cybersecurity measures, and 2) acting as further support for OCR and HIPAA.
HITECH set aside funds to create a nationwide EHR network, offering monetary incentives to healthcare providers that adopt new technologies.
Since 2009, researchers have demonstrated that there was an increase in EHR adoption, though experts are still watching the growth rate to understand why.
A 2020 HITECH amendment provides a different type of incentive to covered entities that adopt “recognized cybersecurity practices” related to monitoring, auditing, and risk management policies and procedures.
The new incentive allows for some leniency toward breached healthcare providers that prove their compliance to specific cybersecurity practices for at least one year prior.
HIPAA and HITECH
There are several key parts to HITECH that relate directly to HIPAA.
First, it strengthens OCR’s civil and criminal enforcement of HIPAA rules. HITECH establishes four categories of violations with increasing levels of culpability and corresponding fines (max penalty, $1.5 million).
Under this provision, OCR must publicly publish a summary of reported breaches (unofficially called the Wall of Shame) for greater access and transparency. Finally, HITECH allows OCR to perform periodic audits on healthcare providers to ensure compliance.
Second, HITECH requires healthcare providers to notify OCR and all affected individuals of any unauthorized uses and disclosures. What and when to report depends on the breach size; those that affect more than 500 individuals are shared publicly on the Wall of Shame.
RELATED: What to Do After You Violate HIPAA
Third, the Act obliges business associates to comply with the Security Rule as well as the use and disclosure provisions under the Privacy Rule. In other words, business associates are liable for breaches, subsequent OCR investigations, and HIPAA violations.
Lastly, the Omnibus Final Rule further details the requirements needed to comply with HIPAA and HITECH, adding more accountability to healthcare providers. Moreover, it addresses certain patient privacy questions and issues, especially individual right of access to EHRs and PHI.
One thing remains the same: email security is a necessity
Email is not a HIPAA compliant method of communication unless an extra layer of email security is applied.
Our solution is simple for employees to use since it easily integrates with platforms like Google Workspace and Microsoft 365. No need to use patient portals or third-party apps to send HIPAA complaint emails to patients.
All healthcare providers must understand the nuances of HIPAA and HITECH. But they can rely on Paubox Email Suite to do the heavy lifting when it comes to email communication.
Don’t let patient care and rights get lost under all the government regulations; use Paubox to communicate with ease and to ensure HIPAA compliance today.