Healthcare information security

Healthcare HITECH Act

Infosec
September 2, 2016 by
Infosec

The Healthcare HITECH Act is an important piece of legislation that affects everyone now that the Affordable Care Act is in place. However, if your company or employer operates within the health care industry, it is vital that you understand the HITECH Act definition and what this law demands of your organization.

What Does HITECH Stand for?

HITECH stands for health information technology for economic and clinical health. For reasons that should become clear momentarily, some have also referred to it as HIPAA II.

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

What Is the HITECH Act?

Although you now know what the acronym stands for, a true HITECH Act definition will take a bit more time. To better explain this important piece of legislation, we’re going to start from the beginning.

Though we’ll cover the two in a bit more detail below, the HITECH Act was essentially meant to be an addendum to HIPAA (Health Insurance Portability and Accountability Act). It was actually a part of the American Recovery and Reinvestment Act of 2009, enacted under Title XIII. As the name suggests, its main purpose was to put in place a national digital framework so that sharing health care information would be easier and safer.

In order to do this, the United States Department of Health and Human Services (DHSS) has spent over $26 billion and much more is expected to go into promoting and expanding the adoption of the HITECH Act’s proposed IT infrastructure.

More than anything, the HITECH Act was passed to keep PHI (protected health information) safe, as hackers and other malicious parties continue to improve at finding ways into secure systems. PHI is one of the most valuable forms of information stored online, which is why hackers constantly target it. With this sensitive data, hackers can spend money that’s not theirs, blackmail companies or individual patients, reroute prescriptions or the money being spent on them, and much more.

Although HIPAA laid out many rules companies that need to follow to secure PHI safely, the HITECH law built on this foundation in an attempt to keep up with malicious parties.

The other improvement the HITECH law brought to the table was stiffer fines. One of the reasons HIPAA hasn’t been as effective as lawmakers had hoped for when it was passed back in 1996 is that the penalties for breaking the rules are relatively light. To ensure that affected companies begin taking the laws seriously, HITECH was designed with much more serious fines.

HITECH and Business Associates

HIPAA was eventually revised to address the role “business associates” play in the healthcare industry. Business associates include banks, billing firms, claims clearinghouses, software companies, health information exchanges, and any other third-party entity that facilitates “covered entities” and thus has access to PHI.

Originally, HIPAA was only concerned with these covered entities, like hospitals, healthcare companies, health insurers, and physician group practices. This left far too much room for error, though, especially because the role of these business associates has continued to grow over time.
Since the passing of HITECH law, literally any organization that ever accesses “protected health information” must comply with this legislation or risk being penalized.

The Breach Notification Rule

Another important piece of the HITECH Act is the Breach Notification Rule, 45 CFR §§ 164.400-414. In short, this new rule requires that the business associates we just described and any other HIPAA-covered entities provide notification to the authorities if a breach in security measures results in an unauthorized party having access to protected health information.

There is also a similar requirement overseen by the Federal Trade Commission (FTC) that applies to all vendors of personal health records and any third-party service providers they work with, pursuant to the HITECH Act’s section 13407.

An example of when a company would need to follow the breach notification rule would be if a company that handles payments for prescriptions on behalf of an insurance company found that a hacker had accessed their database of billing information. Though it may not be medical data, it is still protected information and even if they could somehow prove the hacker wasn’t interested in the credit card numbers they found, the HITECH Act demands that the party responsible for safeguarding the information continue with a breach notification.

That being said, there are three important exceptions to this rule:

[clist id="1472839276545" post="37211"]

These exceptions are vague enough that it’s best to simply try avoiding them to begin with. You’re best off simply enforcing hard and fast rules regarding HITECH law and regularly following up to ensure that your employees are complying with them.

An Important Note about Unsecured PHI

It’s important to point out that the above provisions only apply to unsecured PHI. If PHI has been properly secured (e.g., encrypted), then it’s of no use to any malicious party that acquires it. Ergo, covered entities and business associates are only required to provide notifications if the breach was successful at acquiring unsecured PHI. As this data would be usable, readable, and/or decipherable, it could harm innocent parties.

What Does the HITECH Act Demand for Breach Notifications?

Even though HITECH law is very accommodating for secured information that is stolen, breaches still occur on a fairly regular basis that are successful in stealing unsecured data. To protect your company from this sort of thing, you’d be wise to introduce encryption on all mobile devices your employees use (e.g., laptops, portable drives, etc.).

Still, should you discover that your company was the victim of a successful hack, the HITECH Act requires that you respond in one of the following ways:

Individual Notices

Any individuals whose PHI was compromised must be given notice served by your company. You can either do this with a handwritten letter sent via first-class mail or through email if the victim has agreed in the past to receiving these types of notices electronically.

If your company has insufficient or outdated contact information for 10 or more people, you must either post a notice on your company’s website for at least 90 days or provide the notice to a major broadcast or print media company where the affected parties are likely to see it.

You must provide a toll-free phone number that individuals can call to learn about the nature of the breach and this number must remain active for at least 90 days.

If your company lacks insufficient or outdated information for fewer than 10 people, you can use an alternative form of communication, such as calling their telephone number.

In any case, individual notifications must be provided within a reasonable amount of time and absolutely no later than 60 days after the breach is discovered.

Notifications must include a description of the breach, of the types of PHI that were compromised, the steps the individuals should take to protect themselves from potential attacks, and the steps your company is taking to investigate the breach, diminish any harm done, and prevent other breaches from occurring again in the future. Contact information must be included as well.

A Media Notice

If more than 500 of the affected individuals of a data breach live in the same state or jurisdiction, your company must not only comply with the above but also send notice to a major media outlet that operates in that area. Usually, this means sending out a press release.

Again, this must be done in a reasonable amount of time and no later than 60 days after the breach was discovered. The same information that would be provided to an individual must be included in this notice, too.

Notice to the Secretary

Finally, the Secretary of the DHHS must also be notified. This must be done by completing a breach report form from the DHHS website. If more than 500 individuals were affected, the Secretary must be notified no later than 60 days after the event was discovered. Otherwise, you only have to notify the Secretary on an annual basis. You’ll have 60 days after the end of the calendar year in which the breach happened.

Breach Notifications and Business Associates

If your company qualifies as a business associate as we defined earlier, then you’ll serve breach notifications to the covered party you received the PHI from, not the individuals to whom the information applies. Once again, they have just 60 days from discovery of the breach to comply.

Furthermore, HITECH law requires that the business associate take every reasonable measure possible to give the covered entity the identity of each individual who was affected by the breach and any other relevant information the covered entity requires to comply with the HITECH law’s provisions for serving their own notices.

Whether it’s a covered party or business associate, both organizations have the burden of proof in demonstrating that they carried out their breach notifications as the law requires. If a breach occurs, but they believe that it falls under one of the exceptions we outlined above, it is up to them to prove this.

The HITECH Act Means More Audits

While a HITECH summary may focus on the new laws regarding data breaches and their corresponding penalties, it’s also important to understand that this legislation calls for more auditing too.

As we mentioned at the beginning, one of the major shortfalls of HIPAA was that so many companies didn’t seem to take it seriously. Part of this is a major failing of the act itself because it was so difficult to catch offenders.

While it’s expected that health care companies will take it upon themselves to carry out their own internal audits and decide whether or not a breach needs to be reported, the HITECH Act also has provisions for funds that are to be used by federal regulators. They carry out periodic audits both of health care companies and of their business associates.

Whenever a covered party or business associate is found to be in violation of the HITECH Act, the Office of Civil Rights under the jurisdiction of the U.S. Department of Health and Human Services has the authority to prosecute if the breach notification rule wasn’t followed.

State attorneys general can also prosecute as well by bringing a civil action against the alleged perpetrators in federal court under violations of privacy and healthcare security rules.

Victims are given compensation from the fines paid by the guilty individuals or companies.

In fact, another reason the HITECH Act is seen as much tougher than HIPAA is because fines are greater and can be levied not just against companies, but also against the individuals who work for them. This way, individuals can’t afford to be careless because they know their employer will pick up the tab for unlawful actions. Aside from criminal penalties that might apply, fines can cost $1.5 million per violation.

How Is HITECH Different than HIPAA?

Nowadays, you’re likely to hear the HITECH Act mentioned nearly as much as HIPAA. As we showed above, that’s because the HITECH Act was meant to revise certain parts of the Health Insurance Portability and Accountability Act. Another way to look at it is that HIPAA was the groundwork on which HITECH was built. Although much of the original HIPAA is still relevant, HITECH law was necessary because the original legislation lacked appropriate penalties and couldn’t anticipate how the Internet would change the nature of attacks.

A HITECH Act Summary

As you can see, while a HITECH Act definition is very simple, explaining the entire piece of legislation in detail is a bit difficult to do. If you just want a simple HITECH Act summary, the law means you need to take PHI seriously by following HIPAA and conducting your own audits for any breaches. Should a breach occur, there are specific rules for either proving it wasn’t successful at reaching unsecured data or carrying out breach notices.

Now that you better appreciate the point of this law, don’t forget the HITECH ACT summary we just provided and be sure you’re taking steps to protect all sensitive data. Should you still fall victim to a successful attack, just let the authorities know right away.

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Sources

http://www.hhs.gov/hipaa/for-professionals/special-topics/HITECH-act-enforcement-interim-final-rule/index.html

https://www.linkedin.com/pulse/what-difference-between-hipaa-hitech-bridgette-o-connor

http://www.hitechanswers.net/hitech-act-compliance-hipaa-privacy/

http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf

http://www.healthcareinfosecurity.com/essential-guide-to-hitech-act-a-2053

http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Infosec
Infosec