HITECH and HIPAA - Navigating Both with Microsoft
Understandably, you may be tearing your hair out at this very moment while you try to wrap your head around all the legal and technical requirements of HIPAA. Laws like HITECH and HIPAA are never easy to read either, are they?
There’s always a lot of jargon that makes you wonder if you need a law or technical degree to be able to understand everything. And then you have to find business associates that are compliant with the laws. It’s a headache!
But not anymore – hopefully – because here is the CliffsNotes version of how the HITECH Act affects the HIPAA Privacy and Security Rules, and why Microsoft is the business associate your business needs.
HITECH and HIPAA – Are They the Same Thing?
In a word, no.
HIPAA, or the Health Insurance Portability and Accountability Act, is the national standard for the protection of sensitive health information, whereas the HITECH Act, or Health Information Technology for Economic and Clinical Health Act, was created to promote and expand the adoption of health information technology and, in particular, the use of electronic health records (EHRs) by healthcare providers.
In a sense, they go hand in hand, but they are not the same thing. HIPAA deals with the who, what, where, and when of the law, and the HITECH Act promotes and offers solutions for the how.
Think of it like this: HIPAA sets out the general laws and protocols for protected health information (PHI) on a national level: who counts as a covered entity under the law, what counts as PHI, and when PHI must be protected by organizations and third-party vendors. The HITECH Act is the “extension pack” that makes those laws and protocols actionable in a digitally transforming landscape, because HIPAA itself is technologically neutral.
Did the HITECH Act change HIPAA in any way?
1. Accountability of Business Associates
While HIPAA focuses on the responsibilities of ‘covered entities’ when it comes to PHI, the HITECH Act extends accountability to their business associates as well and requires all covered entities to have Business Associate Agreements (BAAs) with all partners and third-party vendors. The BAA is a legally binding document and must be signed before PHI can be shared.
Although a BAA is a requirement, it can be difficult to enter into an agreement with a vendor you’ve never met – your cloud provider for example – but Microsoft is already one step ahead here, so keep reading to find out more.
2. Changes to Penalties for HIPAA Violations
While the HITECH Act extended liability for breaches and leaks beyond the covered entity, it also provided a bit of wiggle room. A covered entity and its business associates can reduce any financial penalties incurred from a violation if the violation was fixed within 30 days and was not the result of willful neglect.
3. More Electronic Access for Patients
For many of us these days, it is preferable to access our sensitive information electronically, and the HITECH Act has allowed for this. Under the HIPAA Privacy Rule, patients are allowed to access their PHI, but there were no specific details about how their PHI would be provided by the covered entity.
The HITECH Act now gives patients not only the right to access their records electronically – if available in that format – but also the information and guidance on HOW to access them.
And, if you’re looking for IT guidance, consider our IT consulting services.
4. ‘Breach’ Definitions and Notifications
With the development of technology, the idea of a ‘breach’ or a ‘data leak’ has changed somewhat, and the HITECH Act accounts for this. The definition of a breach has been extended to include unauthorized possession, access, use, or exposure, and breach notifications must now be issued within 60 days of the occurrence.
How Can Microsoft Help My Business?
Getting a signed BAA from every third-party vendor can be a difficult task, especially when they are a huge technology powerhouse like Microsoft. But, again, this is not a reasonable excuse not to have that signed BAA.
Because your organization’s PHI is most likely stored electronically in the cloud, your cloud provider must also sign a BAA to show that they are aware of the legal requirements on their side when it comes to protecting sensitive health information.
As one of the leading cloud platforms and service providers for many covered entities, Microsoft has its adherence to HITECH and HIPAA requirements verified by accredited independent auditors.
Although there is currently no Department of Health and Human Services (HHS) approved certification standard, Microsoft services are covered by Microsoft’s ISO/IEC 27001 certification and HITRUST CSF certification, as well as FedRAMP assessments. Microsoft offers its BAA by default to covered entities and business associates, but this does not mean that Microsoft is responsible should there be a breach.
It only means that Microsoft ensures its own cloud platforms and services are HIPAA and HITECH Act compliant; your business is still required to implement the best practices, protocols, and security settings needed to keep your organization’s PHI secure.
HITECH and HIPAA - The Responsibility of Securing PHI
The security of your organization’s PHI is a collaborative effort that relies on you. Just like you have taken control of your business to make it successful, you must also take control of your systems and protocols to ensure you are fulfilling your legal responsibilities from every perspective.
It’s a big job. But with the right people on your side, it’s not as big as you think. Partnering with business associates that understand and adhere to HIPAA regulations is the smart thing to do.
As a HIPAA-verified managed service provider, Merit Technologies is well-positioned to help your business become more HIPAA-compliant.