HITECH Act Ramps up HIPAA Compliance Requirements

Lora Bentley

Among tax cuts and credits, more bailout fund requirements, and restrictions on executive pay packages, the American Recovery and Reinvestment Act of 2009 (ARRA) also includes a section that expands the reach of the Health Insurance Portability and Accountability Act (HIPAA) and introduces the first federally mandated data breach notification requirement.


Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), reserves $22 billion to "advance the use of health information technology" -- in large part so the U.S. will be able to move to e-health records by President Obama's 2014 deadline.


It also expands the reach of HIPAA data privacy and security requirements to include the "business associates" of those entities (health care providers, pharmacies, and the like) that are subject to HIPAA. Business associates, according to Goodwin Procter attorney Jacqueline Klosek, are companies like accounting firms, billing agencies, law firms or others that provide services to the entities covered under HIPAA.


Under the HITECH Act, those companies are now directly subject to HIPAA security and privacy requirements, as well as to the same civil and criminal penalties that hospitals, pharmacies and other HIPAA-covered entities face for violations. Before HITECH came into force, Klosek explains, business associates that failed to properly protect patient information were liable to the covered entities via their service contracts, but they did not face governmental penalties.


Kelly Hagan, a shareholder in the law firm of Schwabe, Williamson and Wyatt, says the most significant (and least publicized, in his opinion) changes in the HITECH Act are those that strengthen HIPAA enforcement measures. In particular, Hagan points to subsection 13410(c), which requires civil penalties that are collected under the HITECH Act to be funneled back into the Department of Health and Human Services' Office for Civil Rights (OCR) enforcement budget.


He says the situation now is reminiscent of the creation of the Fraud and Abuse Control Account: "It was remarkable when they put the Fraud and Abuse Control Account in place and started funneling the monetary penalties back into the enforcement agency's budget how quickly that became a priority. If history repeats itself, what that suggests is that the OCR's traditional approach to enforcement, which has been complaint-driven and compliance-oriented, is going to ... become more proactive, more punitive."


Moreover, monetary penalties are mandatory for violations involving "willful neglect" as of Feb. 17, 2011. At that point, "all of a sudden HIPAA compliance becomes a fact of life instead of a paper tiger," Hagan says.


If that's not enough, Proskauer Rose associate Sara Krauss observes yet another enhancement: The HITECH Act provides for the Department of Justice to pursue criminal penalties for a violation that rises to the level of criminal activity. However, in the event that DOJ declines to act on a violation, the HITECH Act allows OCR to pursue civil penalties for that same violation.

Aug 2, 2009 9:56 AM mindy rodriguez says:

Obama and his Marxist followers are taking away every bit of freedom we have... Why was this put in the stimulus bill when the HITECH Act could have been included in the duty-to-die, we-hate-seniors health (isn't that a joke) bills?

Sep 9, 2009 2:30 AM John says: in response to mindy rodriguez

Oh Pleeeeeez,

You need to see a psychiatrist for paranoid delusions.....

Sep 23, 2009 11:18 AM Crystal says: in response to mindy rodriguez


You have no idea what you are talking about. As a HIM professional, this bill holds liability for individuals' PHI in the hands of their health care providers. This bill is to protect you, not do anything else. Please study up before you make a comment that is so far off the mark. This bill strengthens HIPAA regulations to notify you if there has been a breach of your medical records and other PHI.

Feb 18, 2010 6:02 AM Richard says:

I had also wondered why the HITECH Act was part of the stimulus package. After further reading, it appears to make sense that an Act that is providing $19.2 billion for EHR (Electronic Health Records) should also put some teeth into the provision of the money, making sure patient protection is in place BEFORE everyone is out there spending it on various EHR projects.

I certainly don't understand our political system the way I need to, but I'm guessing that attaching additional HIPAA criteria to the bill was faster and more effective than trying to change or update the HIPAA laws already in place. I too view this Act and its provisions as an increase in patient protection AND with power to enforce.

Feb 18, 2010 9:12 AM chance says: in response to Crystal

Well, it sure makes a lot of problems for everyone, especially small business, and is again one more way to ensure we are becoming the HIPAA police as a healthcare provider.

If we ran our business like the government runs the VA Hospital system, it's for sure we would need this new broad-reaching legislation.

Let's hope we never breach personal medical records like banks breach personal banking information and never tell their account holders.

So why were banks never penalized after they breached the personal financial information of their depositors?

quid pro quo boys!

Jun 13, 2011 6:07 AM Tami says: in response to Crystal

As a HIPAA consultant, let me tell you your personal and medical information can be accessed very easily. Most medical places are NOT HIPAA compliant, nor are they HITECH Act compliant. Oh, they are saying they are; are they really? NO. That makes me MAD as hell. I want to know who is looking at my information and why. I want to know I am protected. I took my grandmother to the doctor's last month and when I was signing her in, I looked across the desk and saw a computer screen that had someone's information on it: name, address, Social Security number and so on. I asked if they were HIPAA compliant and of course they said "Yes we are." I told them no, you are not, you are breaching information, and who knows where else they are breaching information, and yes, I turned them in. Nothing gets done if you don't speak up. Quit being lazy concerning your personal and health information, unless you don't care. If you don't care, I don't want to hear it when your information gets in the wrong hands.

Sep 14, 2012 4:07 PM sophmortimer says:

I appreciate the spirit of HIPAA compliance, but I find the day-to-day execution of the policy hard to follow. In our office, we have so many temps come through and nurses that don't stay long, so we have to double-check everything. Is there a way to streamline or simplify it? Thanks.

Feb 4, 2014 6:40 AM HIPAA Information says:

Great post! Rather interesting to continue to watch the developments of this act over the years. Thanks for the info!
