At the time that the HITECH ACT was passed, 2009, it was referred to as “the most important piece of healthcare legislation to be passed in the last 20 to 30 years.”
Along with an program that sought to create a digital version of all US citizen’s health information inside of five years, it created processes to safeguard electronic Protected Health Information (ePHI). An incentive program made Business Associates and subcontractors responsible for all illegal sharing of ePHI attributable to their own negligence. Prior to this, Business Associates and subcontractors could disregard liability for breaches of ePHI by stating that they did not know about HIPAA compliance.
HIPAA breaches must not be allowed to occur by Covered Entities and Business Associates if they are processing PHI. When the HITECH Act and Meaningful Use incentive program heightened the limits of financial penalties that could be sanctioned by the HHS Office for Civil Rights (OCR), it allowed the OCR more powers to police HIPAA compliance, carry out additional audits and apply more fines. Some of the settlements to have reached the public domain include:
- The Center for Children´s Digestive Health in Illinois settled a HIPAA breach for $31,000 when there was no Business Associate Agreement completed with a document holding group to whom it had shared the health records of 10,728 patients April 2017 (read more).
- Presence Health agreed a HIPAA breach settlement of $475,000 when it was found to be in breach of the HIPAA Breach Notification Rule which states that OCR must be notified of PHI breaches (of more than 500 records) inside sixty days of the breach being discovered January 2017 (read more).
Additional Procedures of the HITECH Act and Meaningful Use Program
Many additional measures were created by the passing of the HITECH ACT and Meaningful Use incentive program that apply to every company that can view or share PHI – whatever formats it is stored or shared in. For example, a new Breach Notification Rule, increased fines for businesses liable for violations of PHI, and the introduction of HIPAA compliance audits. Businesses seeking for Meaningful Use incentive payments also had to complete a HIPAA Security Rule risk assessment.
For Business Associates and subcontractors the HITECH ACT and Meaningful Use incentive program forced them for properly be aware of and comply with HIPAA, they could be audited to check on their compliance procedures, and penalized if it was discovered that they were in breach of the requirements
Covered Entities were obligated to conduct due diligence on the Business Associate prior to completing a Business Associate Agreement with a third-party service provider who will have access to PHI.