HITECH vs. HIPAA: What’s the Difference?

Businesses and organizations must protect many different types of personal information to prevent serious consequences in the event of a breach. However, among the most serious and specifically regulated is personal health information.

Medical confidentiality has been a fundamental concept within medicine for millennia and is enshrined in U.S. law today in the form of HIPAA and, more recently, HITECH. But what exactly is the difference between the two? And what are the practical applications for organizations in terms of data security?

What Is HIPAA?

To understand HITECH, you need to understand HIPAA first. The Health Insurance Portability and Accountability Act was enacted in 1996. It put in place wide-ranging responsibilities for organizations to maintain medical confidentiality and patient privacy. Its dictates cover all types of communications and records, paper and electronic.

HIPAA defines various categories of personal health information (PHI). When organizations of any kind fail to uphold the privacy of personal health information, they can face fines and further repercussions. HIPAA includes several standards for data storage and access protocols, including both secured networks and physical locks protecting paper files.

What Is HITECH?

The Health Information Technology for Economic and Clinical Health Act came into effect in 2009. The bill builds on the existing HIPAA framework, giving more explicit guidelines and expanding the use of electronic health records. The act also clarifies many technical requirements for electronic health records, as the practical implementation of electronic records has changed substantially since 1996.

The lack of clear guidelines before HITECH led to very low adoption of much more efficient electronic health records. With HITECH, hospitals and other organizations now know that they’re meeting compliance requirements with an effective framework in place (rather than simply hoping they are).

What Are the Differences Between the Two in Practice?

For organizations, the primary difference between the two is their responsibilities in terms of breach notifications and penalty structure. HITECH casts a far wider net of responsibility for any organization handling personal health information.

Under HITECH, any organization must report breaches of personal health information, with time frames depending on the number of individuals involved. For breaches involving more than 500 people, the organization must also report to the U.S. Department of Health & Human Services. They must also send out a letter to the affected persons through personally addressed first class mail.

HITECH takes several measures to prevent companies from simply choosing to pay fines in place of rectifying issues. Compliance violations now have tiers that scale steeply from $100 to $50,000 for each violation. Before this measure, organizations could simply continue to pay fines indefinitely instead of coming into compliance.

Properly Disposing of Personal Health Information

If your organization handles personal health information in South Dakota or North Dakota, you should be aware that both HIPAA and HITECH carry severe consequences for data breaches. SEAM provides professional shredding services and NIST standard-compliant hard drive disposal. Contact our team to ensure you’re meeting the required standards for personal health information disposal.