Business and Legal Insights

If your company does business with a health care provider, or if your company is a subcontractor to a company that does business with a health care provider, it may be subject to the HITECH Act (the Health Information Technology for Economic and Clinical Health Act).

HITECH was created in 2009 to stimulate the adoption of electronic health records and supporting technology. An additional purpose of the HITECH Act was to require business associates of health care providers to implement adequate safeguards to protect electronic health records under their control.

One way in which HITECH attempts to ensure compliance by business associates is by making the weighty penalties available under HIPAA (the Health Insurance Portability and Accountability Act) directly applicable to them.

What is a business associate under the HITECH Act?

According to the HITECH Act, a business associate may include any business that creates, receives, maintains or transmits protected health information (PHI). A few examples of types of companies that may constitute business associates under this broad definition are banks, law firms, actuaries, accountants, consultants, data aggregation companies, claims clearinghouses, billing firms, health information exchanges, software companies, video conference providers, and data providers.

Requirements for business associates under the HITECH Act.

The HITECH Act includes a long list of required and addressable standards that business associates must implement in order to be HIPAA-compliant. These standards include:

• administrative safeguards (such as security policies and training);
• physical safeguards (such as device and media controls); and
• technical safeguards (such as audit controls and transmission security).

The HITECH Act also requires business associates to implement policies for providing notice of any breach that has, or is reasonably believed to have, resulted in an unauthorized disclosure of PHI.

Depending on the extent of the breach, the business associate may be required to provide notice to the affected victims, the contracted health care organization, the U.S. Department of Health and Human Service (HHS) and the media.

To ensure compliance with HIPAA and HITECH privacy and security requirements, the HITECH Act authorizes HHS to conduct audits of business associates.

Penalties for failing to comply with the HITECH Act.

Violations of the HITECH Act can result in significant monetary fines and criminal penalties. Civil fines for noncompliance can be up to $250,000 per violation, with repeat or uncorrected violations incurring fines as high as $1.5 million.

Criminal penalties may be imposed against those business associates that intentionally disclose PHI and can include fines of up to $250,000 and prison terms of up to 10 years.

Possible mitigation under the HITECH Act.

The type or severity of penalty imposed under the HITECH Act can vary based on the measures taken by the business associate to prevent the unauthorized disclosure of PHI.  Business associates can mitigate potential civil and criminal penalties by conducting thorough analyses of the requirements of the HITECH Act and tailoring their privacy and security policies and procedures to comply with these requirements.