Which federal law made substantive changes to HIPAA


The Health Insurance Portability and Accountability Act (HIPAA) enacted in 1996 aims to protect the privacy and security of patients’ health information. Later in 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act to strengthen HIPAA in light of increased adoption of electronic health records (EHRs).

The HITECH Act made significant changes to HIPAA by expanding its scope, increasing penalties for violations, and imposing new compliance requirements on covered entities and business associates.

In this comprehensive guide, we will cover:

  • What is HIPAA and what are its core privacy and security protections?
  • How did the HITECH Act change HIPAA compliance requirements?
  • Key areas of impact on covered entities and business associates
  • Challenges in achieving HIPAA compliance
  • Resources for implementation
  • FAQs on HIPAA compliance after HITECH

What is HIPAA and What Protections Does it Offer?

The Health Insurance Portability and Accountability Act was passed in 1996 to:

  • Protect the privacy and security of patients’ protected health information (PHI)
  • Enable individuals to retain health insurance coverage when switching jobs
  • Standardize electronic data interchange in healthcare

HIPAA is applicable to the following covered entities:

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses
  • Business associates

Under HIPAA, these entities must implement safeguards related to:

  • Privacy of PHI: Obtain patient consent before use or disclosure of PHI; provide patients access to their medical records.
  • Security of PHI: Protect confidentiality, integrity and availability of PHI by implementing physical, technical and administrative safeguards.
  • Breach notification: Report breaches of PHI to the Office for Civil Rights (OCR) and notify affected patients.

However, before the HITECH Act, the requirements were limited and penalties for non-compliance were also low.

How Did the HITECH Act Change HIPAA Compliance?

The HITECH Act introduced the following key changes:

  • Expanded scope: Business associates are now directly subject to HIPAA Security and Privacy Rules.
  • Increased penalties: Penalty structure expanded to four tiers with fines from $100 to $50,000 per violation.
  • Breach notification: Requirement added to notify OCR of breaches affecting 500+ individuals within 60 days.
  • Enhanced enforcement: OCR got more powers to conduct audits and impose fines for non-compliance.
  • Privacy protection: Tightened limits on use of PHI for marketing and fundraising purposes.
  • Assistance for compliance: Provided federal funding to aid HIPAA compliance, especially for EHR adoption.

Clearly, the HITECH Act vastly expanded the responsibilities around HIPAA compliance for covered entities and business associates. Next, let’s go over some of the key areas impacted.


Key Areas of Impact on Covered Entities

The HITECH Act made significant changes in the following aspects of HIPAA compliance for healthcare organizations:

1. New privacy protections

  • Obtain patient consent for using PHI for marketing communications
  • Honor additional restrictions requested by patients on disclosures
  • Allow patients to opt-out of fundraising communications
  • Limit disclosures to only minimum necessary PHI

2. Expanded requirements for security safeguards

  • Conduct security risk analysis and address identified risks
  • Implement encryption and secure destruction measures to safeguard PHI
  • Maintain written policies and procedures for information security
  • Designate security official responsible for compliance

3. Breach notification

  • Notify OCR of breaches impacting 500+ individuals within 60 days
  • Notify patients and media (if over 500 people affected) of the breach
  • Maintain breach logs and records for 6 years

4. Staff training on HIPAA

  • Train staff on HIPAA policies, procedures and security safeguards
  • Maintain training logs and ensure new hires complete training

5. Audits for compliance

  • Perform routine audits of HIPAA privacy and security compliance
  • Document findings and corrective actions to fix gaps

6. Business associate oversight

  • Sign business associate agreements with all vendors handling PHI
  • Audit business associates’ compliance with HIPAA Security Rule

Clearly, healthcare organizations now need to invest more resources into maintaining HIPAA compliance programs that cover all these requirements.

Impact on Business Associates

An important change under the HITECH Act is that business associates are now directly subject to compliance with the HIPAA Security and Privacy Rules, in the same way as covered entities.

The key requirements for business associates include:

  • Signing business associate agreement with covered entity outlining HIPAA responsibilities
  • Implementing security safeguards for PHI such as access controls, encryption, security training etc.
  • Reporting breaches of PHI to covered entity
  • Cooperating with audits by covered entity related to HIPAA compliance
  • Following minimum necessary standard for PHI access and disclosures
  • Maintaining compliance with HIPAA for all subcontractors handling PHI

Essentially, business associates must now implement formal HIPAA compliance programs, if they had not done so already.

Challenges in Achieving HIPAA Compliance

While the HITECH Act’s enhancements have strengthened health data protections, HIPAA compliance has become more complex for covered entities and business associates alike. Some key challenges include:

  • Resource intensive – Implementing safeguards, training staff, conducting audits and managing third-party risks requires investment of time and money.
  • Expertise gap – Developing comprehensive policies and compliance programs requires specialized healthcare privacy and security skills.
  • Compliance ambiguity – With evolving digital healthcare, applying HIPAA controls to new technologies like cloud, mobile and AI can be unclear.
  • Third-party oversight – Monitoring business associate compliance requires formal audits and corrective measures.
  • Breach risks – Increased data generation and transmission amplifies breach risks from insiders, hackers and third parties.
  • Enforcement actions – Hefty penalties, with average fines of $472,000 per OCR enforcement action, make non-compliance prohibitively expensive.

Resources for HIPAA Compliance

Thankfully, covered entities and business associates have many resources available to tackle HIPAA challenges:

  • OCR Guidance – OCR website contains compliance checklists, case examples, training resources, and guidance on emerging technologies.
  • AHA Resources – American Hospital Association offers templates, checklists and webcasts to aid compliance.
  • Consulting Firms – Engage specialized healthcare consulting firms to create customized compliance programs.
  • Technology Solutions – Leverage software tools for audit management, risk analysis, breach reporting and security monitoring.
  • Training Programs – Conduct mandatory training periodically for workforce members to reinforce HIPAA policies.
  • Peers and Associations – Connect with industry peers and associations to share best practices for compliance.

With the right focus and resources, covered entities and business associates can ensure they meet their expanded HIPAA obligations post-HITECH.

FAQs Related to HIPAA Compliance After HITECH

Q1. Can patients sue healthcare providers under HITECH for HIPAA violations?

Yes, the HITECH Act empowers patients to file lawsuits against covered entities and business associates for HIPAA violations related to breach of privacy or security. Courts can award monetary damages based on the extent of the violation.

Q2. What are the penalties for non-compliance with HITECH requirements?

HITECH introduced a four-tiered penalty structure based on level of negligence. Fines range from $100 to $50,000 per violation with an annual maximum of $1.5 million for identical violations. Criminal charges are also possible for willful neglect.

Q3. How long must covered entities retain HIPAA-related documentation?

Under HITECH, covered entities must retain required HIPAA documents such as policies, training records, business associate agreements, and security audits for 6 years from the date of creation or the date they were last in effect, whichever is later.

Q4. Can employees be penalized personally by OCR for HIPAA non-compliance?

Yes, if OCR determines that an employee willfully neglected the HIPAA Rules, it can impose fines directly on the individual ranging from $10,000 to $50,000 per violation.

Q5. What are some best practices for HIPAA compliance?

  • Conduct risk analysis and implement safeguards accordingly
  • Maintain comprehensive HIPAA policies and procedures
  • Regularly train workforce on HIPAA requirements
  • Periodically audit both business associates’ and the covered entity’s own compliance
  • Obtain OCR guidance on new healthcare technologies
  • Document all compliance activities and breaches
  • Purchase data breach insurance and cyber liability coverage

Q6. How are emerging technologies like cloud computing and mobile health apps covered under HIPAA?

OCR has released guidance clarifying that HIPAA regulations apply equally to PHI in new digital formats like cloud and mobile. Covered entities must perform due diligence to ensure PHI remains secure when adopting new technologies and address associated risks.


The HITECH Act significantly expanded the responsibilities around HIPAA compliance for covered entities and business associates handling PHI. From increased penalties to new breach notification mandates, the Act leaves no room for ambiguous privacy and security measures. While HIPAA compliance has become more stringent, covered entities can tap into many resources to develop and maintain effective compliance programs. The Act has worked as intended to enhance protections and standards for health data security in the digital age. With proactive planning and investment, healthcare organizations can successfully integrate HIPAA’s heightened safeguards into their operations and culture.
