HIPAA & HITECH

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for electronic health-care transactions and national identifiers for providers, health insurance plans, and employers. It also addresses security and privacy of health data and encourages widespread use of electronic data interchange.

The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in 2009 as part of the American Recovery and Reinvestment Act, promotes the adoption of health information technology throughout the health-care system. It substantially expands the federal government's effort to establish nationwide electronic patient records, strengthens HIPAA's privacy and security standards, extends them directly to business associates, and adds the breach notification requirements described below.

Regulation Explained

Under HHS guidance issued pursuant to HITECH, encryption and destruction are the only two methods recognized as rendering protected health information (PHI) "unusable, unreadable, or indecipherable" to unauthorized persons. Encryption remains an "addressable" rather than a required safeguard under the HIPAA Security Rule, but the HITECH breach notification rule includes a safe harbor: a breach of PHI that was encrypted in a manner consistent with that guidance (which points to the NIST special publications for data at rest and data in transit) need not be reported, provided the decryption key was not also compromised. In practice this means encrypting PHI wherever it is stored or transmitted, including email, with a keying scheme in which the keys are kept separate from the encrypted data; a compromised key, or encryption that does not meet the guidance, forfeits the safe harbor.

Penalties for Non-Compliance

A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA may face a criminal penalty of up to $50,000 and up to one year in prison. The penalties increase to $100,000 and up to five years in prison if the offense is committed under false pretenses, and to $250,000 and up to 10 years in prison if the offense is committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm. Separately, HHS may impose civil money penalties on covered entities and business associates, tiered by level of culpability and capped per calendar year for violations of an identical provision.

Affected Industries

  • Healthcare providers
  • Health plans and insurers
  • Pharmacies
  • Business associates (vendors and contractors that create, receive, maintain, or transmit PHI on behalf of a covered entity)

Enforcement

  • U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
  • State attorneys general (authorized by HITECH to bring civil actions on behalf of state residents)

Penalties

  • Civil money penalties of up to $50,000 per violation (tiered by culpability, adjusted annually for inflation)
  • Civil money penalties capped at $1.5 million per calendar year for violations of an identical provision
  • Criminal fines of up to $250,000 and imprisonment of up to 10 years
  • Individual and class-action lawsuits under state law
  • Civil actions brought by state attorneys general

Examples

Although HIPAA provides no private right of action, a jury in 2013 ordered Walgreens to pay $1.44 million in an Indiana case (Hinchy v. Walgreen Co.) in which a pharmacist had improperly accessed and disclosed a customer's prescription records. The plaintiff's attorney pursued common-law claims of negligence and professional malpractice and used HIPAA to establish the standard of care that Walgreens and its employee failed to meet. HHS OCR maintains a list of case examples and resolution agreements on its website.

Useful Links
HHS Health Information Privacy
Public Law 104-191
HIPAA Compliance Solutions