Healthcare information security

HITECH Act and IT Security

Any company working in the health care industry needs to be aware of the laws they are expected to follow. Breaking them won’t just put their organization in danger but could jeopardize the well-being of their customers too. Perhaps nowhere is this truer than with the HITECH Act. This legislation was put in place specifically to protect patients so that their trust in a health care company won’t be repaid with their information ending up in the wrong hands and all the consequences that would follow.

For a better idea of what this act calls for, why it was put in place, and what’s expected of your organization, we’ve put together the following HITECH Act timeline, as along with some other helpful information.

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Get Started

When Was the HITECH Act Implemented?

The HITECH Act timeline begins on February 7, 2009. It was then that the American Recovery and Reinvestment Act of 2009 was passed (you may also know this legislation as the recovery act or the stimulus act). Inside this bill was the Health Information Technology for Economic and Clinical Health Act under Title XIII.

Part of this stimulus put nearly $26 billion into supporting and enforcing the new laws called for under the HITECH Act. Since that time, though, another $10 billion or more may have been spent on these efforts. This should give you some idea of how important this legislation was treated by policymakers.

Though this is technically where the act started, some would argue that a HITECH timeline should actually go all the way back to 1996. If nothing else, this context will make it easier to understand the purpose of the HITECH Act and why it was considered necessary.

The Health Insurance Portability and Accountability Act

It was back on August 21st, 1996, that Congress passed the Health Insurance Portability and Accountability Act (HIPAA). Amongst other things, this legislation was aimed at protecting the privacy and security of PHI (protected health information). This would eventually turn into two main rules: The HIPAA Privacy Rule and the HIPAA Security Rule.

Their official names are "Standards for Privacy of Individually Identifiable Health Information" and "Security Standards for the Protection of Electronic Protected Health information," respectively.

The former put in place national standards for keeping PHI safe, an important move given the onset of the World Wide Web and the shift to storing information virtually as opposed to in a physical form.

The latter created national security standards for keeping PHI safe when it is being transferred in electronic form. It was also meant to take the standards outlined in the Privacy Rule and specify technical and non-technical safeguards that had to be used by “covered entities.” According to HIPAA, these organizations were:

Health care clearinghouses
Health plans
Health care providers that transmit health information electronically in connection to transactions

Prior to the passing of HIPAA, there were no legislated standards that all companies in the health care industry had to use to keep PHI safe. Legislators began seeing this as a problem with the advent of widespread adoption of the Internet by businesses. Suddenly, organizations could transfer sensitive data across the world in the blink of an eye. At the same time, cybercriminals were becoming aggressively more sophisticated with their attempts to intercept this information and use it for all kinds of malicious purposes.

With HIPAA, it seemed as though the health care industry was now safe from the dangers of negligence and cybercriminals. Unfortunately, that wasn’t the case.

The HITECH Act Becomes Necessary

You may wonder, then, why the HITECH Act was ever required. As we just mentioned, cybercriminals were already evolving quickly in 1996. Over the next 10 years, this evolution wouldn’t slow down. Hackers implemented everything from brute-force attacks to simple phishing scams in order to get their hands on PHI and, again, there was no end to what they could do once they secured this data.

Furthermore, many legislators voiced concerns that companies weren’t really taking HIPAA all that seriously. In their defense, they had every reason to want to keep patient information safe. They had a lot to lose by getting hacked and not just where money was concerned.

Nonetheless, it was the opinion of many politicians that these businesses were treating HIPAA more as an afterthought than a legal mandate. The HITECH Act set to change this by not just ordering these organizations to adopt further protocols, but also to notify customers and authorities when a breach occurred in a specific manner. In addition, the HITECH Act also introduced more severe penalties for not playing by the rules.

What Are the HITECH Act Security Requirements?

Therefore, a major reason for the passing of the HITECH Act was to give it some teeth by upping the penalties, it behooves you to know what this legislation demands in terms of security requirements.

Keep in mind, too, that the HITECH Act timeline includes Phase I of audits, which happened in 2011. While Phase II has been delayed, the government has announced that these audits will happen by the end of 2016 and could very well last into 2017. This part of the HITECH Act timeline should be of special interest because these security requirements aren’t suggestions. The authorities intend to back them up by auditing organizations they apply to and there’s reason to believe Phase II will be far more expansive as a way of proving that this legislation is to be taken seriously.

Again, the Security Rule applies to all covered entities. It’s also relevant to business associates. That includes any companies that assist covered entities and, by doing so, access PHI to any degree. They could be lawyers, accountants, transaction facilitators, and others. The HITECH Act actually puts responsibility on the covered entities to ensure that their business associates are complying with the law as well. A business associate’s agreement needs to be signed to ensure that these third parties understand the Security Rule and their role.

The security requirements of this rule can be summarized in the following four points:

All PHI Must Be Safeguarded

Your company needs to use security software to make sure your PHI isn’t waiting on the other side of a digital open door that any hacker could just walk through. This also requires that your company upgrade their security software in a timely manner.

Hackers aren’t the only threat, though. Your also need to make sure that PHI is accessible only to employees and third parties who actually need it to carry out their jobs. No one should have more access than they absolutely need. Even if an employee never uses the information for inappropriate or illegal purposes, if a HITECH audit reveals they had the ability to do so and had no business need for that access, your company will face a penalty.

Identify and Protect Against Realistic Threats

The HITECH Act doesn’t require that you or your staff become clairvoyant and somehow see into the future of cyber attacks. After all, part of the reason the HITECH Act was passed in the first place was because HIPAA couldn’t foresee how these attacks would evolve.

That being said, your company is expected to be prepared for threats they can reasonably anticipate. For example, phishing has been around for over 20 years. The law expects that your organization understands the nature of this threat and trains its employees in how to guard against it. Not doing this, even if you’re never the victim of such an attack, could also result in fines.

Identify and Protect Against Reasonable Misuse

Likewise, the HITECH Act also expects that you’ll foresee how employees or business associates could misuse PHI. An example of this would be an employee who needs to travel for business and moves PHI to a laptop that isn’t secured. Another common version is when employees are moved around and their need for access changes. As we covered above, if an employee doesn’t absolutely need to see certain PHI, they shouldn’t have access to it. Considering how foreseeable the chances of this kind of problem occurring are, you’d be wise to document which employees have what kind of access and keep track of whether or not they truly need it.

Ensure Compliance

Finally, this one is pretty self-explanatory, but no less important: The Security Rule is clear about the fact that your company must make sure its employees are following the letter of the law. This means training any new hires and offering ongoing education as necessary. Document your efforts to do this in case you’re ever audited. The government puts a lot of emphasis on effort (again, recall that the HITECH Act was largely passed because it looked as though businesses didn’t care).

Although it may seem like a lot, the Security Rule boils down to common sense. HIPAA mandates that your company designates a security officer, so put them in charge of ensuring you’re following the HITECH Act – and documenting that you’re doing so – and this rule shouldn’t be a problem.

Who Regulates HIPAA Compliance?

HIPAA compliance is enforced by the Department of Health and Human Services. Specifically, it falls under the jurisdiction of the Office of Civil Rights. They enforce this legislation two ways.

One is simply that they accept reports of possible misconduct. Many of these come from the companies themselves. The HITECH Act has outlined what a true breach entails and demands that businesses report when they’ve been the victim of one.

Of course, others can report covered entities and business associates to the Office of Civil Rights, as well. In both cases, some degree of an investigation will be done to assess whether or not penalties need to be handed out.

The other method the Office of Civil Rights has at their disposal for regulating HIPAA compliance is an overall audit. They’ve only conducted a widespread audit once, though. On a HITECH Act timeline, you’d find it occurring in 2011, and ending in 2012. It targeted some 115 different companies.

In short, these audits involve a written notice and request for relevant documents. Companies have 10 business days to comply. After a review of these documents, the Office of Civil Rights will schedule a site visit. A draft of the agent’s findings will be provided to the company and they’ll have another 10 days to respond with any comments before a final draft is provided to the authorities.

A second audit is scheduled to take place in 2016, though no exact date has been given.

What Is the Role of the CDC Regulations in Healthcare Agencies?

The Centers for Disease Control and Prevention obviously has a hand in the healthcare industry too. However, they handle much different matters. While HIPAA and the HITECH Act are focused on the security of PHI, the CDC is focused on rules and regulations meant to keep patients themselves safe and healthy. Its main priority is to prepare for potential disasters that would threaten the health of Americans on a huge scale. As their name suggests, their priority is to control the spread of disease and prevent its onset as much as possible. In this way, the CDC and these two pieces of legislation cover the same industry, but in very different ways.

That being said, it’s worth pointing out that many of the documents and data that employees of covered entities and business associates may access are those that were provided by the CDC. They even issued their own overview of the Privacy Rule to help organizations remain in compliance.

As you can see, the HITECH Act needs to be treated with the utmost importance. Hopefully the HITECH Act timeline we prepared for you showed how seriously the Department of Health and Human Services takes it, especially with an upcoming audit on the horizon. Furthermore, as following these rules will often mean you end up in the territory of the CDC, you’d be especially wise to make every letter of these laws a priority with your organization.