HIPAA versus HITECH: What are They?
The HIPAA and HITECH acts both impose on healthcare providers and other covered entities a legal obligation to safeguard the privacy and security of health information, but they differ in important ways. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established a national set of standards for protecting health information; its Security Rule specifically addresses protected health information (PHI) that is created, stored, or transmitted in electronic form (ePHI). Its scope ranges from how a telephone message about a patient is handled to what an authorization for release of PHI must contain. Before 1996, no national standards for protecting health information existed.
The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA contains incentives for health care information technology generally (for example, building a national health information infrastructure) and for accelerating the adoption of electronic health record (EHR) systems among providers. As technology advanced and attackers increasingly exploited it for illegal purposes, stronger oversight of privacy protection became necessary.
Many believe that HIPAA compliance was not rigorously enforced in the past. HITECH therefore makes penalties mandatory for violations due to "willful neglect," which the implementing regulations define as conscious, intentional failure or reckless indifference to the obligation to comply. In practice, a provider that can give no account of its compliance program, or one so inconsistent that it reflects a cavalier attitude, is at risk of that finding. HITECH also requires that individuals affected by a breach of unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example through encryption) be notified. HIPAA contained no such notification requirement.
HIPAA compliance is challenging because the individual security requirements, implemented in isolation from one another, can be costly and time-consuming to get right. Sensitive identifiers that live in unstructured data, such as Social Security numbers or payment card numbers in free-text notes and documents, must be protected as carefully as structured records. Finally, access to electronic PHI must be limited to authorized persons only, whether that person is the user of a system or the recipient of a disclosure.
Learn More – Primary Sources:
HHS Summary of the HIPAA Security Rule