Healthcare companies, and those serving clients that handle electronic health records, know that they are required to keep individuals' health data safe, private, and available in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Failing to do so can lead to major fines and reputational damage, but many businesses are not clear on the details of how HIPAA extends to their IT environment. The final HIPAA omnibus rule, published in 2013, alters the Act's Privacy, Security, and Enforcement Rules to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act. Since then, any company that requires HIPAA compliance also needs to maintain HITECH compliance, which is best achieved by having its servers hosted in an environment certified for HITECH by a third-party audit.
The HITECH Act is the regulation that governs electronic protected health information (ePHI), extending the protections HIPAA applies to personal health data to digital systems. It applies certain HIPAA Privacy and Security requirements to business associates of covered entities, which makes it important to understand for any business dealing with health data. Even for businesses already subject to HIPAA, being compliant with HITECH means taking a few steps beyond those required by HIPAA alone.
What Are My Responsibilities Under HITECH?
HITECH has four sections: the first sets standards for interoperability and meaningful use; the second section sets standards for testing health IT systems; the third section covers grants and loans associated with the Act; the final section deals with privacy.
The first section of the Act defines several different roles in the storage and use of ePHI. This is what establishes the requirements for the business associates of covered entities, which include IT service providers such as medical billing companies, health information exchanges, and benefit managers. Accordingly, HITECH requires covered entities to have business associate agreements (BAAs) in place with their service providers. Moreover, the requirements for these contracts are more extensive than they originally were under HIPAA, meaning that some existing BAAs, particularly legacy agreements drawn up prior to the passage of HITECH, do not meet all of the requirements.
The HITECH Act requires general compliance with HIPAA's Security Rule and Privacy Rule, but it also sets out a number of specific obligations that apply to some business associates and not others. Which HITECH Act obligations apply to a particular business associate must be specifically described in the BAA. Other required sections of the BAA include breach reporting rules, a three-year record of all data disclosures, and any confidentiality requirements.
Patients have the right under the HITECH meaningful use rules to request their ePHI in an electronic format and to designate a third party as the recipient of their ePHI. Further, they are able to request reports detailing to whom their ePHI has been disclosed, and under what authority, so covered entities and their business associates must ensure that their systems can accommodate such requests.
The HITECH Act requires all breaches of PHI that is "unsecured" (meaning unencrypted) to be reported to all affected individuals, as well as to the Secretary of HHS and, in extreme circumstances, to the media.
Because the HITECH Act makes business associates liable for many HIPAA requirements, if you are handling ePHI, you need to ensure your IT environment meets the requirements of the HIPAA Privacy and Security Rules.
Enforcement of HITECH requirements is carried out by both the Department of Health and Human Services (HHS) and state attorneys general. They are empowered to levy fines for violations, normally with a minimum of $100 and a per-year maximum of $25,000 for a single type of violation. In cases of "willful neglect," the minimum is $10,000, with a cap of $250,000 for violations of a single requirement within the same year. A series of repeated violations that are judged to be caused by "willful neglect" can reach up to $1.5 million. The Office for Civil Rights within HHS performs audits for HITECH compliance, asking employees questions to test their knowledge of compliance requirements and searching for evidence of inappropriate use or disclosure of ePHI, which is the largest cause of complaints.
Your IT Service Providers’ Responsibilities
The service provider that hosts your servers is a business associate and therefore must have a compliant business associate agreement in place. In order to enable covered entities and their business associates to maintain compliance with HIPAA and HITECH requirements, infrastructure providers must keep all ePHI secure and available, and log its use according to the terms set out in their particular BAA.
Preserving compliance with the HIPAA Security Rule while keeping ePHI available for meaningful use is one of the main responsibilities of your IT service provider. Encryption must be applied to ePHI both at rest and in transit. Your service provider should have robust logical access control and an extensive data center physical security system to ensure the confidentiality of ePHI while protecting against threats. Administrative, physical, and technical safeguards must be in place, and policies and documentation must be in order.
Likewise, to extend HIPAA's data availability requirements to patients' digital records, your host should have robust measures in place to protect your servers against natural disasters, wildfires, power outages, and overheating. At the same time, the security requirements for ePHI dictate that its capture, storage, and sharing should be minimized and carefully logged. Detailed logs are also one of the ways service providers can honor patients' rights to retrieve their data, or to obtain information about who has accessed it.
HITECH certification does not in itself offer legal protection against security breaches or other compliance failures; rather, it shows that the third party granting the certification has found that the service provider's systems and practices meet the standards of the Act. The primary value of certification, therefore, comes from the improvements it drives, and from the assurance it provides for areas where the independent assessment finds no improvement or change necessary. HITECH certification demonstrates a commitment to honest and rigorous self-assessment, which is ultimately what will keep patient data safe and keep business associates compliant.
Liquid Web is HITECH certified by the independent accounting firm UHY LLP, an internationally trusted auditor with extensive experience. We are also compliant with other relevant standards, including SSAE-16 and Safe Harbor, providing assurance to companies in the healthcare industry and their business associates.