HIPAA is a regulation that gets talked about a lot. But there are other industry regulations that healthcare providers – as well as those that offer technology products and services to the healthcare industry – need to be aware of. HITECH is one of the most prevalent.
In fact, HIPAA and HITECH are so intertwined that many providers simply refer to them as either HIPAA/HITECH or just HIPAA for short. But, if you’re somewhat new to healthcare compliance, when you hear HITECH mentioned for the first time, you might be wondering what that’s all about.
Why Do We Need Two Regulations Covering Security of PHI?
The first question that often gets asked is why there needs to be two regulations covering the security and privacy of healthcare records. To understand this, you need to look at the original intent of the regulations.
HIPAA was enacted in 1996 – long before online health records were much of a thing. A common misconception is that the P in HIPAA stands for Privacy. It actually stands for Portability, and the original intent of HIPAA was to ensure the portability of insurance plans between employers. Though it wasn’t the primary purpose of the act, security of Protected Health Information (PHI) is covered, mainly in Part 164, Subparts C and D.
HITECH came along in 2009 as part of the American Recovery and Reinvestment Act. By then, Congress had recognized the value of online access to medical records, and they wanted to encourage their use by healthcare providers with monetary incentives. (After 2015, they switched to penalties for non-use.)
Since HITECH dealt specifically with electronic health records, it made sense to build in provisions that covered the privacy of the patient’s personal information. (By 2009, we had just started recognizing the value of PHI on the dark web.) HITECH also gave regulators an opportunity to clarify and strengthen some of the security and privacy rules found in HIPAA. The HIPAA Omnibus Final Rule in 2013 officially linked the HIPAA and HITECH privacy and security rules together.
Though the intention behind these regulations was initially different, HITECH was written in the digital age, and it strengthened the privacy and security rules found in HIPAA. Often, it simply clarified some of the vagueness inherent in HIPAA given that it was written at a time before electronic PHI was as prevalent as it is today. At other times, it added more teeth to the security and privacy provisions found within HIPAA.
Some of the most significant additions made by HITECH include:
The requirement of signed Business Associate Agreements (BAAs). HIPAA already outlined certain responsibilities on the part of covered entities to ensure their Business Associates do not compromise the security and privacy of PHI. HITECH strengthened those requirements by requiring a signed BAA, not just verbal assurances.
Liability for Business Associates. With the signed agreement, Business Associates could also be found liable for non-compliance with HIPAA. Earlier this year, the Dept. of Health and Human Services (HHS) released a fact sheet clarifying liability for Business Associates under HIPAA. This could signal an increased focus on these types of organizations.
If you’re interested in cases under investigation that involve Business Associates, you can see these on the HHS portal. If you choose advanced options, you can see a list of those cases in which a Business Associate is involved. However, if you want to see the cases in which a Business Associate is the primary target of the investigation, use the filter arrows at the top of the column to sort by type of covered entity. As of this moment, there are 548 active investigations underway. Of these, Business Associates are the primary target in 62 cases and involved in another 57. So, yes, Business Associates should be very concerned about HIPAA/HITECH compliance.
Higher penalties for willful neglect. Before HITECH, the motives of the organization being audited weren’t much taken into account. Purportedly, this led some to decide that it was just easier to pay the fines than to even attempt compliance. HITECH added a higher category of fines for willful neglect of the regulations. The definition of willful neglect is likely to change from administration to administration, so it’s always a good idea to watch the news to see what sorts of cases the OCR (Office of Civil Rights) decides to pursue. (HIPAA Journal is one of my favorite sources.)
States can get involved. Before HITECH, non-compliance with HIPAA was pretty much a matter between the regulators and the covered entity. HITECH now allows State Attorneys General to file suit on behalf of their residents, increasing the potential costs of non-compliance.
Breach notifications. HITECH also created rules governing how and when consumers and the HHS were to be notified in the event of a breach. These rules were eventually incorporated into the HIPAA Breach Notification Rule.
HIPAA/HITECH-Compliant Cloud Computing
No cloud provider can ensure HIPAA or HITECH compliance because both regulations cover a lot more than IT security. However, since security is a core part of both regulations and the focus of many of the OCR’s investigations, choosing the wrong cloud provider can jeopardize your HIPAA/HITECH compliance.
Here are four things you can do to help ensure your cloud provider isn’t jeopardizing your HIPAA/HITECH compliance.
#1 Get a signed Business Associate Agreement. Contrary to popular belief, there doesn’t need to be a breach for the OCR to issue a non-compliance fine. You can be investigated and fined for failure to get an agreement signed even if both parties (you and your business associate) follow every other clause to the letter. Of course, if there is a breach, failure to get a signed Business Associate Agreement strengthens the OCR’s case against you.
#2 Do your due diligence. While Business Associates can be directly investigated and fined for HIPAA non-compliance, that doesn’t let you off the hook for violations they commit. HIPAA still requires you to ensure the proper handling of your PHI even if it is passed off to a third party with whom you have a signed agreement.
Of course, that begs the question: How do you know what’s happening to your electronic PHI once it’s in the hands of a third party? One way is to choose a cloud provider that has been independently audited for HIPAA compliance. Independent auditors can’t certify that the provider is compliant. However, they can issue a report detailing the processes and systems they found during the audit. This report should note any red flags they found that might jeopardize HIPAA compliance. (Tip: If you’re concerned about IT security in general, it can also be helpful to request an independent SOC 2 compliance audit report.)
#3 Look for experience. Every business needs to start somewhere, but I wouldn’t want my business to be a cloud provider’s first HIPAA compliance project. Ask for references or case studies of other businesses that the provider has helped.
#4 Maintain visibility. Lastly, you need to have visibility into your cloud-based resources. Many cloud providers have their own tools, but visibility can be somewhat limited if you’re managing multiple clouds – as some 80%+ of businesses do. And, not all of these tools are geared to monitor compliance.
For that, we offer TRiA, a multi-cloud management platform that allows you to monitor HIPAA/HITECH compliance across all your cloud environments from a single console. TRiA comes standard with more than 200 compliance packs (including HIPAA/HITECH) that can be used to monitor compliance and alert you to any issues, such as a database exposed to the public internet. (Read the HIPAA Journal. Misconfigured resources are often the cause of HIPAA violations!) These compliance packs can also be configured with custom rules so you can check for adherence to industry or organizational best practices.
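To make the idea of a compliance rule concrete, here is an added example of the kind of check a compliance pack runs over a cloud inventory. It is not TRiA's code and not part of the original post; the resource fields, rule names and the inventory itself are constructed for illustration. It flags a database reachable from the public internet, network ingress open to the whole world, and storage that is not encrypted at rest, which are the misconfigurations the post points to as common causes of violations.

```python
"""Added example: a minimal configuration-compliance check over a cloud inventory.
Not TRiA's code and not from the original post. The Resource shape, the rule IDs
(PUBLIC-DB, OPEN-INGRESS, NO-ENCRYPTION) and the sample inventory are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# CIDRs that mean "any address on the internet" (IPv4 and IPv6).
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass
class Resource:
    name: str
    kind: str                       # constructed: "database", "bucket", "vm"
    publicly_accessible: bool       # provider flag: has a public endpoint
    encrypted_at_rest: bool
    ingress_cidrs: list[str] = field(default_factory=list)  # allowed source ranges


# Constructed inventory, not real infrastructure.
SAMPLE_INVENTORY = [
    Resource("patients-db", "database", publicly_accessible=True,
             encrypted_at_rest=True, ingress_cidrs=["0.0.0.0/0"]),
    Resource("claims-db", "database", publicly_accessible=False,
             encrypted_at_rest=True, ingress_cidrs=["10.0.0.0/8"]),
    Resource("imaging-archive", "bucket", publicly_accessible=False,
             encrypted_at_rest=False),
    Resource("app-server", "vm", publicly_accessible=True,
             encrypted_at_rest=True, ingress_cidrs=["10.0.0.0/8"]),
]


def check_resource(r: Resource) -> list[str]:
    """Return a list of findings for one resource; empty means compliant."""
    findings: list[str] = []
    # Rule 1: a database should never have a public endpoint.
    if r.kind == "database" and r.publicly_accessible:
        findings.append(f"PUBLIC-DB: {r.name} has a public endpoint")
    # Rule 2: a database should not accept connections from the whole internet.
    if r.kind == "database" and WORLD_CIDRS.intersection(r.ingress_cidrs):
        findings.append(f"OPEN-INGRESS: {r.name} allows ingress from 0.0.0.0/0 or ::/0")
    # Rule 3: anything holding data must be encrypted at rest.
    if not r.encrypted_at_rest:
        findings.append(f"NO-ENCRYPTION: {r.name} is not encrypted at rest")
    return findings


def run_checks(inventory: list[Resource]) -> dict[str, list[str]]:
    """Evaluate every resource; only non-compliant resources appear in the report."""
    report: dict[str, list[str]] = {}
    for r in inventory:
        findings = check_resource(r)
        if findings:
            report[r.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in run_checks(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f)
```

In practice the inventory would come from the provider's API or a configuration export and each rule ID would map to the control it supports; the structure above (one small rule per misconfiguration, a report keyed by resource) is what lets custom rules be added without touching the existing ones.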