HIPAA and HITECH: Protecting Health Information
Aside from financial information, medical data is among the most sensitive and most highly regulated information out there. To hold organizations accountable for preventing breaches of that data and to help them build systems that handle it deliberately, the U.S. government passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, followed by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. These measures set technical standards for meeting the regulations and provide enforcement mechanisms to penalize organizations that put protected health information (PHI) at risk.
HIPAA sets the basic standards for protecting patient data, specifically PHI, whether it is at rest, in transit, in use, or being disposed of. The Act lists 18 identifiers for classifying data as PHI, but at a general level PHI includes any information that would appear in a patient's medical record, including names and specific geographic identifiers.
HIPAA aims to restrict the number of people who have access to medical records, seeking a balance between patient privacy and the flow of information that lets healthcare providers do their jobs efficiently and effectively. To that end, it sets technical and policy requirements for account access, physical and network security, data transfer, encryption, audits, and logging. To assist implementation, the government produced two rules:
- The Privacy Rule addresses the way patients' information is used and disclosed.
- The Security Rule establishes the "technical and non-technical safeguards" organizations must implement to protect PHI.
The HIPAA standards were updated with new rules in 2013, forming what is referred to as the final omnibus rule.
The HITECH Act builds on the HIPAA regulations and expands their reach, taking into account the spread of electronic health records (EHRs) and electronic PHI (ePHI) and extending the technical requirements for securing these resources. Addressing criticism that HIPAA was largely unenforced, HITECH includes measures that increase the legal liability of entities that don't comply, instituting mandatory penalties for willful neglect and repeat violations amounting to $250,000 and $1.5 million, respectively. Additionally, the legislation requires the Department of Health and Human Services (HHS) to conduct periodic audits and better defines the responsibilities of business associates: organizations that aren't classified as healthcare organizations but handle PHI on their behalf.
Who Needs to Comply?
HIPAA and HITECH apply to "covered entities" and "business associates." According to the HHS website, the former includes:
- Healthcare providers, such as doctors and pharmacies, as long as they transmit information electronically "in connection with a transaction for which HHS has adopted a standard"
- Health plans, such as health insurance companies and HMOs
- Healthcare clearinghouses, including "entities that process nonstandard health information" received from another entity into a standard, or vice-versa
All of these organizations must ensure that their physical infrastructure, network systems, and processes follow the regulatory guidelines to keep PHI secure. For that reason, they should also select partners that can assist with implementing solutions that uphold security best practices.