HIPAA and HITECH Compliance and Cybersecurity

Read Time: 15 min. Updated: September 8, 2023

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law, designed to streamline
the flow of patient data between healthcare providers and to secure protected health information (PHI).
It was enhanced with the Health Information Technology for Economic and Clinical Health Act (HITECH Act),
which tightened up data protection rules, including bolstering data breach notification requirements for
US healthcare entities and their suppliers that handle health records.

What are HIPAA and HITECH and how do they impact cybersecurity?

The HIPAA is a federal law in the United States that came into force in 1996. HIPAA is a fairly complicated piece of legislation, consisting of five Titles spanning over 160 pages. The law was initially designed to: improve portability and continuity of health insurance coverage; to combat waste, fraud and abuse in health insurance and healthcare delivery; to promote use of medical savings accounts; to improve access to long-term care services and coverage; and to simplify the administration of health insurance.

Among cybersecurity professionals, HIPAA is well known for addressing data security and privacy of PHI. Under the Act, PHI is broadly defined as any information about past, present or future health or medical condition of an individual including but not limited to diagnoses, treatment information, medical analyses or prescriptions that are attributable to the individual. For example, a medical prescription with a patient’s name constitutes PHI, whereas a prescription without any mention of the patient, their contacts or identifiers, is unlikely to amount to PHI.

PHI data protection and privacy are addressed by virtue of the Security Rule and the Privacy Rule from the Second Title of HIPAA. The Privacy Rule covers both digital and paper-based PHI, while the Security Rule applies only to electronically stored PHI (also referred to as “ePHI” or “e-PHI”).

The HITECH Act was enacted in 2009 with the primary purpose of bolstering digital healthcare in the US, such as by encouraging organizations to use Electronic Health Records (EHR). The HITECH Act introduced important enhancements of HIPAA’s data protection regime by expanding the list of non-healthcare entities that must comply with its privacy and security requirements, by increasing penalties for violations of the rules and by setting a higher standard for data breach notifications. The US Department of Health and Human Services (HHS) implemented HITECH’s amendments with the Omnibus Final Rule passed in 2013.

Who is covered by HIPAA and HITECH cybersecurity regulations?

HIPAA applies to “covered entities” of all sizes, composed of a wide spectrum of public, private and even individual healthcare organisations in the US. Covered entities include healthcare providers (e.g. hospitals, clinics, nursing homes, pharmacies, doctors, psychologists, dentists and chiropractors), health insurance companies, governmental programs such as Medicare and Medicaid, and clearinghouses that process healthcare data on behalf of third parties (e.g. billing or payment processing services).

The HITECH Act expanded coverage of the Security Rule and the Privacy Rule to “business associates”: suppliers of covered entities that handle, store or process PHI on behalf of the covered entity. Therefore, vendors and companies that provide services to covered entities and have access to or process their PHI are also covered by HIPAA. According to the HHS guidelines, even if a vendor, such as a cloud service provider, merely stores encrypted PHI and has no decryption key, the vendor is still subject to HIPAA security requirements, including the duty to preserve the integrity and availability of the PHI.

Importantly, covered entities should also keep in mind the Federal Trade Commission (FTC) Act, vigorously enforced by the FTC, that prohibits companies from engaging in deceptive or unfair commercial practices. Under the Act, any misleading, materially incomplete or deceptive statements made to consumers of healthcare services about how their health data will be used, stored or processed, may be sanctioned by the Commission under Section 5(a) of the FTC Act.

Covered entities that handle genetic data of individuals should also ensure they meet their obligations under the Genetic Information Nondiscrimination Act (GINA), a dedicated US federal law that prohibits certain uses of genetic data. Additionally, they need to abide by any relevant state laws, some of which require a higher level of PHI privacy protection than HIPAA.

Who enforces HIPAA compliance and what are the penalties?

The HHS’s Office for Civil Rights (OCR) is responsible for enforcing HIPAA. The OCR may conduct ad hoc audits of covered entities at its own discretion or investigate alleged violations of HIPAA upon receipt of any complaint. The OCR enjoys pretty broad investigatory powers during an audit.

The OCR uses a four-tier model for civil penalties, under which the most serious violations of HIPAA are punished by a 50,000 USD fine per violation, up to a maximum total of 1,500,000 USD per year. In 2022, the HHS adjusted these numbers for inflation to 63,973 USD and 1,919,173 USD respectively, and the multiplier for 2023 has been confirmed as 1.07745.

The HITECH Act also empowers state Attorneys General (AG) to bring civil actions on behalf of state residents for violations of the Privacy Rule or the Security Rule to obtain damages and to enjoin further violations of HIPAA in their states.

Deliberate misuse or misappropriation of PHI may also constitute a federal crime. OCR collaborates with the US Department of Justice (DOJ) to refer potential criminal violations of HIPAA for prosecution by the DOJ. Criminal penalties include a maximum term of 10 years in jail. Individual employees may also be held criminally liable, and ignorance of HIPAA requirements does not constitute a defence against prosecution.

What are the privacy requirements under HIPAA?

According to the HHS, the Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media whether electronic, paper or oral.

The Privacy Rule establishes a national privacy regime for PHI of US citizens and lawful permanent residents by creating a range of obligations for covered entities, including the requirement to: publish and rigorously follow a privacy policy; limit usage of PHI to the necessary minimum unless expressly consented to by the patient; and regularly conduct privacy training for personnel with access to PHI.

Like the GDPR, the Privacy Rule empowers individuals to request access and correction of their PHI from a covered entity. Furthermore, covered entities must establish a process for receiving and responding to privacy complaints from individuals - and they are prohibited from retaliating against a person for exercising their rights granted by the HIPAA Privacy Rule.

What are the cybersecurity requirements under HIPAA / HITECH?

The Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) applies to electronic PHI (ePHI) only. In contrast to the Privacy Rule, it does not apply to PHI transmitted orally or in writing. After enactment of the HITECH Act, covered entities, their business associates and all their subcontractors must abide by the Security Rule.

The Security Rule expressly requires covered entities to:

  • Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit;
  • Identify and protect against reasonably anticipated threats to security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures;
  • Ensure compliance by their workforce.

The covered entities must establish risk-based safeguards to protect ePHI including (i) administrative safeguards, (ii) physical safeguards and (iii) technical safeguards. The safeguards should adequately mitigate reasonably foreseeable risks and threats that must be meticulously identified by a risk analysis. The HHS says that risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to ePHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly re-evaluates potential risks to ePHI.

The HHS provides more detailed cybersecurity and data protection requirements in its guidance “Framework for the Independent Assessment of Security and Privacy Controls for Enhanced Direct Enrollment Entities” for Centers for Medicare & Medicaid Services (CMS). The guidance mandates yearly security and privacy auditing by a qualified external assessor, including penetration testing of web applications for OWASP Top 10 vulnerabilities (Section 5.6 “Penetration Testing”). Other practical insights may be found in the HHS guides dedicated to various hot topics, such as HIPAA and Cloud Computing that elaborates on specific duties of Cloud Service Providers (CSPs) when processing or storing ePHI on behalf of a covered entity.

Corporate cybersecurity strategy must be carefully documented. The HHS says that a covered entity must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A covered entity must also maintain and preserve written security policies, procedures and written records of required actions, activities or assessments.

In 2020 the HITECH Act was amended (under HR 7898) with the aim of incentivising cybersecurity best practice. The amendment requires the HHS to take into account the adoption of certain recognized security practices, such as NIST guidelines, by covered entities and business associates when determining sanctions and penalties.

Covered entities should regularly update their data protection and cybersecurity processes, in response to the rapidly changing cyber threat landscape and evolution of technology.

What are the data breach notification requirements under HIPAA / HITECH?

The Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities and business associates to report breaches of unsecured PHI. Unusable, unreadable, encrypted and indecipherable PHI is usually not considered to be “unsecured PHI” under HIPAA for the purpose of breach notification. There are also some narrow exceptions for low-risk disclosures of PHI, for example, when the affected organization has a good faith belief that the unauthorized person who accessed the PHI was not able to retain the PHI or its excerpts. Organizations should, however, be very prudent when relying on these exceptions.

The covered entities have an overall responsibility to notify individuals about a data breach but, when appropriate, they may contractually delegate this duty to their business associates who caused the notifiable breach. Business associates must inform the covered entity without undue delay about any breaches involving PHI entrusted to them.

Notification under the Breach Notification Rule must be made to each affected individual by first-class mail - or by email (if the individual consented to this method of notification). They must be notified without undue delay and no later than 60 days following discovery of the data breach. The notification must contain a brief description of the incident and suggested risk mitigation steps, explain what PHI data was compromised, and include a toll-free phone number, active for at least 90 days, where individuals can request further information about the breach.

If a data breach impacts more than 500 individuals in a state or jurisdiction, the compromised organization must also issue a press release about the data breach to prominent local media outlets, no later than 60 days following discovery of the breach.

Finally, the HHS Secretary must be notified about the breach within the same timeframe (excluding breaches affecting fewer than 500 individuals, which are reportable to the HHS on an annual basis). HHS provides an electronic online form to report data breaches.

Covered entities and business associates must be able to demonstrate that all required notifications have been duly provided. Therefore, the entire notification process must be carefully documented in writing and preserved for eventual audits.

What are the supply chain security requirements under HIPAA / HITECH?

According to the HHS, a “business associate” is a healthcare institution’s subcontractor that creates, receives, maintains or transmits PHI on behalf of the covered entity.

The HITECH Act expanded application of the Privacy Rule and the Security Rule to business associates, who may be fined and criminally prosecuted, in the same manner as the covered entities, for failure to comply with the HIPAA rules. The Breach Notification Rule also applies to business associates. Subcontractors of business associates may likewise be directly liable under HIPAA.

Akin to the GDPR requirements for special contractual relationships between data controllers and data processors, HIPAA requires covered entities to impose a wide spectrum of contractual duties upon their business associates. Contractual clauses, among other things, should limit usage and processing of the entrusted PHI, impose strict safeguard requirements while storing or processing PHI, and mandate data breach notifications to the covered entity. HHS provides sample business associate agreement provisions on its website.

Forthcoming changes to HIPAA / HITECH

It’s worth noting that the HHS published proposed modifications to HIPAA and HITECH in 2021. It proposes to “modify the Privacy Rule to increase permissible disclosures of PHI and to improve care coordination and case management by:

  • Adding definitions for the terms electronic health record (EHR) and personal health application; and
  • Modifying provisions on the individuals' right of access to PHI”.

These modifications are expected to come into force during 2023.

Further proposed modifications of HIPAA were announced by the HHS in April 2023, following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization. The HHS issued a Notice of Proposed Rulemaking (NPRM) which “proposes to strengthen privacy protections by prohibiting the use or disclosure of PHI by a regulated entity for either of the following purposes:

  • A criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  • The identification of any person for the purpose of initiating such investigations or proceedings.”