
To Do List: #1 - Align Your Business with HIPAA/HITECH

June 11, 2010

In February 2009, President Obama signed into law the American Recovery and Reinvestment Act (ARRA), an economic stimulus package that included new Health Information Technology for Economic and Clinical Health (HITECH) provisions. These provisions strengthened requirements for protecting patient information, extended the reach of HIPAA requirements to business associates of covered entities (subjecting them to the same civil and criminal penalties), increased fines for non-compliance, and introduced new breach notification protocols. The federal government even earmarked $20 billion in ARRA stimulus funds as incentives for healthcare providers and business associates that could demonstrate meaningful use.

But here we are, nearly a year and a half later, and a recent healthcare survey conducted by the Healthcare Information and Management Systems Society (HIMSS) found that many hospitals, behavioral health sciences organizations and doctors' offices, and their business associates, are still unprepared to meet the new HITECH provisions. Why? Because the impact of HIPAA/HITECH is far reaching, and can be overwhelming to businesses that fall within its scope.

Understanding the provisions and their implications is the first step in achieving compliance. It is also a necessity if you’re going to build policies and practices that adhere to HIPAA/HITECH, and potentially secure some of those stimulus incentives. Here is what I deem to be some of the most important requirements:

  • All of the elements of the HIPAA Security Rule. While the Final Rule has been in place since 2003, many organizations took a “wait and see” approach to fully implementing these standards for protecting electronic protected health information (e-PHI). HITECH should be seen as an opportunity to revisit overall alignment with HIPAA security and improve current security practices.
  • Under HIPAA/HITECH, business associates of covered entities such as health plans and providers are subject to the HIPAA privacy and security rules. As a result, those associates are now required to implement appropriate safeguards. In addition, covered entities must now re-evaluate the way they manage contractual relationships with these entities to make sure that all patients are protected.
  • The ARRA requires the U.S. Department of Health and Human Services (HHS) to audit covered entities and their business associates for HIPAA privacy and security compliance, and to formally investigate a covered entity or a business associate upon receipt of a complaint. Under the ARRA, penalties can range, depending on the type of violation, from $100 to $50,000 per violation, with a cap of $25,000 to $1.5 million per year for violations of an identical requirement during the same calendar year.
  • The HIPAA security standard did not previously include explicit breach notification requirements. Now, individuals affected by a breach of the privacy and security of their e-PHI must be notified within 30 days after HHS issues guidance. Breach notification applies to covered entities, but also extends to their business associates.

The bottom line is that regulatory complexity continues to increase, combined with stiffer penalties and disclosure requirements for breaches. It is imperative that healthcare participants understand the implications for their organizations and respond appropriately.
