The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is another relevant patient protection act. HITECH is part of the American Recovery and Reinvestment Act of 2009 (ARRA), enacted in 2009 in response to the recession of 2008. The HITECH Act expanded the scope of HIPAA privacy and security protections and expanded the legal liability for non-compliance.
Entities covered under the law and businesses affected by the law are required to notify patients of any data breaches. Covered organizations include healthcare providers, health plans, and healthcare clearinghouses. Entities that work with covered organizations may also need to comply with the HIPAA privacy requirements. The privacy requirements cover:
- The patient’s identity including Social Security number
- The patient’s diagnosis and condition
- The record of any care provided to the patient
- Any payment information that could be used to identify the patient
Penalties for breaching ePHI records
Entities that fail to disclose breaches, or that fail to secure the privacy of the records, can be subject to substantial fines and penalties. Penalties include:
- Unknowing violations: $100 per violation, up to $25,000 per year for subsequent violations
- Willful neglect of HIPAA that is corrected within a reasonable time frame: up to $10,000 per violation, up to $250,000 per year
- Willful neglect that is not corrected: $50,000 per violation, up to $1.5 million
Additionally, individuals and entities who intentionally disclose (or obtain) protected information can be sentenced to prison in addition to having to pay substantial fines.
Data Center Compliance Requirements
Many healthcare companies are storing patient records and data in offsite data centers. Data centers can store, send, and process large amounts of electronic protected health information (ePHI). But storing ePHI comes with a price. Data centers that contract with HIPAA-covered medical entities must meet HITECH and HIPAA requirements or run the risk of substantial penalties and even imprisonment.
Whether ePHI records should be kept at the healthcare center or at the data center is a delicate balance. The healthcare provider can directly monitor the information and train its employees, while the professional data center normally has better security and better redundancy.
HIPAA compliance means satisfying the following two rules.
- The HIPAA Privacy Rule is a national set of security standards for protecting health information.
- The HIPAA Security Rule covers the technical and the non-technical standards the covered organizations must have in place.
Covered entities are required to protect the integrity, confidentiality, and availability of the ePHI records against threats, improper disclosures, and security violations that can be reasonably anticipated.
HIPAA Privacy and Security Safeguards
Some of the compliance protocols that data centers acting as business associates of medical companies must meet are:
- Administrative safeguards. These requirements include a process for identifying security risks, implementing security measures, designating a responsible security official, implementing access procedures, training the workforce, and periodically evaluating how well the policies are working.
- Physical safeguards. These requirements include limiting access to data to authorized personnel and creating policies for the transfer, removal, and re-use of digital media.
- Technical safeguards. These protocols include procedures that limit access to the ePHI records, audit controls that record and examine activity in the software and hardware that hold ePHI, integrity controls, and transmission security controls.
Data centers will be inspected by the Department of Health and Human Services (HHS) to determine whether the data center is a qualified business associate of a covered health entity and whether the data center is compliant with the two HIPAA rules on privacy and security. The inspection results in a report on compliance, sometimes called an HROC (HIPAA Report on Compliance). There really isn’t any formal certification: the data center is either HIPAA compliant or it is non-compliant.