HIPAA and HITECH Responsibilities

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

  • HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).
  • HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).
  • The Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules.
  • HHS enacted a final Omnibus rule that implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA, finalizing the Breach Notification Rule.
  • View the Combined Regulation Text – PDF (as of March 2013). This is an unofficial version that presents all the HIPAA regulatory standards in one document. The official version of all federal regulations is published in the Code of Federal Regulations (CFR). View the official versions at 45 C.F.R. Part 160, Part 162, and Part 164.

As part of the Health Insurance Portability and Accountability Act (HIPAA), the U.S. Criminal Code was amended, and it is a crime to knowingly and willfully execute, or attempt to execute a scheme or artifice to defraud any federal health care program, or obtain by means of false or fraudulent pretenses, representations or promises, any money or property owned by or under the custody or control of any federal health care program. 18 U.S.C. §1347.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:

  • Four categories of violations that reflect increasing levels of culpability;
  • Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
  • A maximum penalty amount of $1.5 million for all violations of an identical provision.

It also amended section 1176(b) of the Act by:

  • Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
  • Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.

This interim final rule conforms HIPAA’s enforcement regulations to these statutory revisions that are currently effective under section 13410(d) of the HITECH Act. This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions.

This interim final rule will become effective on November 30, 2009. HHS has invited public comments on the interim final rule, which will be considered if received by December 29, 2009.

Under HITECH Act, HIPAA covered entities must promptly notify affected individuals of breaches of PHI, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals must be reported to the HHS Secretary on an annual basis. Business associates must notify covered entities of breaches at or by the business associate. The HITECH Act also modified the HIPAA enforcement regulations, establishing four tiers of violations reflecting increasing levels of culpability with four corresponding penalty levels.

Examples of HIPAA and HITECH violations are:

  • Disclosing member PHI to an unauthorized third party
  • Using member PHI for an unauthorized purpose
  • Accessing member PHI without proper authorization
  • Failing to maintain the Security of electronic PHI
  • Failing to notify CareSource of a HIPAA breach