by Wally Moore

on November 2, 2015

in blog, The HITECH Act


The HITECH Act is the topic of this third post in our "compliance - why and how" series. For good measure, we will also address the Payment Card Industry Data Security Standard.

The HITECH Act, also known as The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. It focuses on the establishment of a national health infrastructure. It also provides monetary incentives for the adoption of electronic health records (EHRs), and "enhanced" privacy protections. This Act now places both the Privacy Rule and the Security Rule as front and center issues for health care providers.

Now, not only are companies still subject to civil penalties (and potentially criminal penalties) for non-compliance; non-compliance may also prevent you from receiving the financial incentives for EHR adoption and from otherwise obtaining full reimbursement down the road (i.e. as provided for in the HITECH Act).

HIPAA got teeth

In the past, the Health Insurance Portability and Accountability Act (HIPAA) was regarded as the toothless wonder of compliance mandates for its lax enforcement. But all that changed as of January 2013 when the new Omnibus rule regulations were issued by the U.S. Department of Health and Human Services (HHS).

Starting Sept. 23, 2009, a data breach involving unsecured protected health information of more than 500 people must be reported promptly to the U.S. Department of Health and Human Services (HHS), to major media outlets and to each individual affected by the breach. Breaches affecting fewer than 500 people must be reported annually to the HHS Secretary and to the affected individuals. The data breach notification rules apply not only to health care providers, health plans and other HIPAA-covered entities, but also to business associates of covered entities that handle protected health information.


The HIPAA Omnibus Rule (Health Insurance Portability and Accountability Act of 1996 Omnibus Rule), in a health information technology (HIT) context, is a rule issued by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). The rule modifies the HIPAA Privacy, Security and Enforcement Rules to implement the statutory amendments made under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HIPAA Omnibus Rule marks the most extensive changes to the HIPAA Privacy and Security Rules since they were first implemented.

Changes include:
• Strengthening the privacy and security protection for individuals' personal health information.
• Modifying the Breach Notification Rule for Unsecured Protected Health Information. This means putting in place more objective standards for assessing a health care provider's liability following a data breach.
• Modifying the HIPAA Privacy Rule to strengthen the privacy protections for genetic information.
• Outlining the Office for Civil Rights' data privacy and security enforcement strategies, as updated for the electronic health record (EHR) era mandated by the HITECH Act.
• Holding HIPAA business associates, including their subcontractors, to the same compliance standards for protecting protected health information (PHI) as covered entities.
• Stipulating that when patients pay by cash they can instruct their provider not to share information about their treatment with their health plan.
• Setting new limits on how information is used and disclosed for marketing and fundraising purposes.
• Prohibiting the sale of an individual's health information without their permission.
• Making it easier for parents and others to give permission to share proof of a child’s immunization with a school.
• Streamlining individuals’ ability to authorize the use of their health information for research purposes.
• Increasing penalties for non-compliance based on the level of negligence, with a maximum penalty of $1.5 million per violation.
• Guaranteeing that organizations can operate with certainty that their privacy and security policies comply with all applicable regulations.

Payment Card Industry Data Security Standard

If your business is in the healthcare industry, you not only have to concern yourself with HIPAA, you should also be aware of the Payment Card Industry Data Security Standard.

On June 30, 2005, the four major credit card associations in the United States (Visa, MasterCard, American Express, and Discover Network) adopted a consolidated data security standard labeled the Payment Card Industry Data Security Standard (PCI DSS). Under PCI DSS, all companies that accept credit cards must comply with 12 security-related requirements that call for, among other things:
• Encrypted transmission of cardholder data.
• Periodic network scans.
• Logical and physical access controls.
• Activity monitoring and logging.
• Procedural mandates, such as the implementation of formal security policies and vulnerability management programs.

In addition, larger merchants have to undergo an annual audit to confirm compliance with the standard.

As we stated in our last post, complying with all aspects of HIPAA will require providers and virtually all entities within the healthcare industry (including clinical research) to make significant changes to their information systems, operations policies and procedures, and business practices.

DTS InfoTech Can Help

Many health care providers are not HIPAA compliant. If this describes you, we can help you achieve compliance, illustrate compliance to auditors and maintain full compliance.

Dedicated to your success,
Wally Moore
General Manager and Compliance Officer
dts|infotech . . . computer networks that work