You Know HIPAA, But Are You HITECH?
Written by David Johnson
In 2009, the Health Information Technology for Economic and Clinical Health Act, also known as HITECH, established four categories of violations involving electronic Protected Health Information (ePHI) under HIPAA. One key provision for healthcare providers (covered entities) is that business associates are directly liable for HIPAA breaches. On December 28, 2017, the Department of Health and Human Services (HHS) fined a cancer care group called 21st Century Oncology (21CO) $2.3 million. Specifically, HHS pointed to a failure to take the necessary measures to encrypt ePHI distributed to business associates.
The ruling indicated 21CO held liability for the breach. From the HHS press release, 21CO:
“failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and disclosed protected health information (PHI) to third party vendors without a written business associate agreement.”
Although 21CO was liable for a host of HIPAA issues, 21CO might have avoided some fines had it been aware of the HITECH Act. 21st Century Oncology had failed to put business associate agreements in place. Under HITECH, business associates with formalized agreements could have shared some of the liability and fines. Without those agreements, 21CO took full liability for any misuse of patient ePHI.
Congress adopted the HITECH Act right after the 2008 recession, as part of the American Recovery and Reinvestment Act. The goal of HHS was to create guidelines for covered entities that ensure patient privacy while accommodating changes in technology.
Nevertheless, plenty of large organizations overlook the details wrapped up in HIPAA and other government regulation. At American Medical Compliance, we offer courses that explain the role of business associates, tailored to clinical and non-clinical individuals. It's easy to overlook HIPAA, but understanding the details of business associate agreements is essential to mitigating risk and preventing ePHI misuse.