The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996 to support and encourage the development of Electronic Health Records (EHR). Though enacted in 1996, the regulation did not go into effect until the early 2000s. The protection of patient information, called Protected Health Information (PHI), was one of a number of significant requirements of HIPAA. The Privacy Rule and the Security Rule (two of HIPAA’s five rules) require that any organization in possession of healthcare-related information take reasonable steps to effectively prevent unauthorized access.

From the beginning, HIPAA was administered by the Department of Health and Human Services (HHS), and enforced by the Office for Civil Rights (OCR), which resides within HHS. When HIPAA first appeared and HHS was asked for an example of the physical security measures HIPAA referenced, HHS responded by saying that the proper destruction of discarded patient information was such a measure.

HITECH Brings Big Changes

In 2009, in response to the feeling that HIPAA’s information security provisions were unclear and unenforced, Congress passed the Health Information for Technical and Clinical Health Act (HITECH), which dramatically strengthened HIPAA data security requirements as well as the enforcement provisions. Here is a list of the most significant HIPAA data security and enforcement enhancements introduced by the HITECH amendment.

Health Data Breach Notification (already in effect), requiring health care providers to inform patients, authorities and possibly the media in the event that unauthorized access to any of their personal information may have occurred.

Mandatory Fines (likely to go into effect in 2011), which require HHS to issue fines when any health care provider is discovered to negligently violate HIPAA. When again asked for an example of the type of infraction that would lead to such a fine, HHS stated that improper disposal of patient information caused by lack of proper procedures would be the type of negligence that would warrant a mandatory fine (minimum $10,000 per record).

State Attorneys General Enforcement Powers Established (already in effect), under which HHS trains and encourages state-level enforcement of HIPAA/HITECH. HHS has already begun this training with the expectation that state law enforcement officials will begin enforcement in earnest as soon as possible. State Attorneys General are further incentivized to pursue such violations by being allowed to retain any of the fines their offices assess in doing so.

HIPAA Fines Increased 6,000% (already in effect) from a maximum of $25,000 to $1,500,000.