HITECH Act

Overview

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). HITECH significantly strengthened HIPAA's privacy and security protections and increased penalties for violations.

Key HITECH Provisions

1. Business Associate Direct Liability

Impact: Business associates are now directly liable for HIPAA compliance

• Business associates must comply with HIPAA Security Rule requirements


• Business associates must comply with specific Privacy Rule requirements


• HHS can pursue enforcement actions directly against business associates


• Business associates face same civil and criminal penalties as covered entities

2. Breach Notification Rule

Requirement: Covered entities and business associates must notify affected individuals, HHS, and in some cases the media when a breach of unsecured PHI occurs

Definition of Breach

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of PHI.

Exceptions (Safe Harbors):

• Unintentional acquisition, access, or use by workforce member acting in good faith within scope of authority


• Inadvertent disclosure from authorized person to another authorized person at same organization


• Disclosure where covered entity/business associate has good faith belief that unauthorized person could not have retained the information

Notification Requirements

To Individuals (Required for all breaches):

• Timing: Without unreasonable delay, no later than 60 days from discovery


• Method:

- First-class mail to last known address
- Email if individual agreed to electronic notice
- Substitute notice if insufficient or out-of-date contact information (web posting + major media notice if affecting 10+ residents of a state/jurisdiction)

• Content Must Include:

- Brief description of breach
- Description of types of information involved
- Steps individuals should take to protect themselves
- What entity is doing to investigate, mitigate, and prevent future breaches
- Contact procedures for individuals to ask questions

To HHS:

• Breaches affecting 500+ individuals: Notify HHS within 60 days of discovery


• Breaches affecting fewer than 500 individuals: Notify HHS annually (within 60 days of end of calendar year)


• HHS posts breaches affecting 500+ individuals on public "Wall of Shame" website

To Media (if breach affects 500+ residents of a state/jurisdiction):

• Notify prominent media outlets


• Timing: Same as individual notification (within 60 days)

By Business Associates:

• Must notify covered entity without unreasonable delay, no later than 60 days from discovery


• Covered entity then responsible for individual and HHS notification

3. Enhanced Enforcement and Penalties

Tiered Penalty Structure

HITECH established four penalty tiers based on level of culpability:

Tier 1: Lack of Knowledge

• Entity did not know and could not have known by reasonable diligence


• Minimum: $100 per violation


• Maximum: $50,000 per violation

Tier 2: Reasonable Cause

• Violation due to reasonable cause, not willful neglect


• Minimum: $1,000 per violation


• Maximum: $50,000 per violation

Tier 3: Willful Neglect - Corrected

• Violation due to willful neglect but corrected within 30 days


• Minimum: $10,000 per violation


• Maximum: $50,000 per violation

Tier 4: Willful Neglect - Not Corrected

• Violation due to willful neglect and not corrected within 30 days


• Minimum: $50,000 per violation


• Maximum: $50,000 per violation

Annual Cap: $1.5 million per identical violation type (across all tiers)

Criminal Penalties (Unchanged from HIPAA)

• Up to $50,000 and 1 year imprisonment for unknowing violations


• Up to $100,000 and 5 years imprisonment for violations under false pretenses


• Up to $250,000 and 10 years imprisonment for violations with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm

4. State Attorneys General Enforcement

• HITECH authorizes State AGs to bring civil actions on behalf of state residents


• Can seek damages of up to $25,000 per violation category (not per violation)


• Must notify HHS before filing action


• HHS may intervene and take over the action

5. Accounting of Disclosures

HITECH expanded accounting of disclosures requirements (implementation suspended):

• Originally required accounting for disclosures made through electronic health records for treatment, payment, and healthcare operations


• Implementation suspended indefinitely pending further rulemaking

6. Sale of PHI and Marketing

Sale of PHI: Prohibited except in limited circumstances

• Generally requires authorization unless exception applies


• Must track any remuneration received

Marketing: Requires authorization

• Exception for face-to-face communications


• Exception for promotional gifts of nominal value


• Financial remuneration for communications about entity's own health products/services requires authorization

7. Minimum Necessary

• Strengthened minimum necessary standard


• Guidance on minimum necessary for research purposes

8. Fundraising

• Limited fundraising communications to demographic information and dates of service


• Required clear opt-out opportunity

Massachusetts-Specific Considerations

Dual Breach Notification Requirements

Massachusetts entities must comply with both:

HITECH Breach Notification:

• Notify individuals within 60 days


• Notify HHS (immediately if 500+, annually if <500)


• Notify media if 500+ residents of state

M.G.L. c. 93H (Massachusetts):

• Notify MA Attorney General


• Notify MA Office of Consumer Affairs and Business Regulation


• Notify affected Massachusetts residents


• More stringent definition of personal information may apply

Best Practice: Coordinate notifications to meet both federal and state requirements simultaneously

Intersection with 201 CMR 17.00

• HITECH breach notification assumes "unsecured PHI" (not encrypted)


• 201 CMR 17.00 requires encryption of PHI in transit and on portable devices


• Proper encryption under 201 CMR 17.00 reduces breach notification burden under HITECH

Compliance Steps

1. Update Business Associate Agreements

• Ensure BAAs include HITECH requirements


• Require business associate breach notification within 60 days


• Ensure business associates understand direct liability

2. Implement Breach Response Plan

• Establish breach response team


• Create breach assessment procedures


• Document breach analysis and risk assessment


• Establish notification procedures and templates


• Train workforce on breach identification and reporting

3. Encryption Strategy

• Implement encryption for data at rest and in transit


• Use NIST-approved encryption methods


• Document encryption implementation


• Consider encryption as primary breach prevention strategy

4. Update Policies and Procedures

• Marketing and fundraising policies


• Sale of PHI policies


• Accounting of disclosures procedures


• Individual rights procedures

5. Enhanced Enforcement Preparedness

• Document all compliance efforts


• Maintain evidence of reasonable diligence


• Implement continuous monitoring


• Establish corrective action procedures for violations


• Document all workforce sanctions

6. Risk Analysis and Management

• Conduct regular risk analyses


• Address identified risks promptly


• Document risk management decisions


• Demonstrate reasonable and appropriate safeguards

Enforcement Statistics

OCR actively enforces HITECH provisions:

• Over $140 million in settlements and civil monetary penalties since 2009


• Common violations: lack of risk analysis, inadequate business associate agreements, failure to implement safeguards, delayed breach notifications


• Business associates subject to same enforcement actions as covered entities

Official Resources

• HITECH Act Enforcement Final Rule


• Breach Notification Rule


• HITECH Act Full Text


• HHS Breach Portal (Wall of Shame)


• OCR Enforcement Results