HITECH ACT – Expanded HIPAA Rules: Are You Aware of Your Obligation?

June 10, 2014

If you think no one will notice if you’re not in compliance – think again.



The Health Information Technology for Economic and Clinical Health (HITECH) Act was part of the American Recovery and Reinvestment Act (ARRA, aka the stimulus package) that President Obama signed into law in 2009. This is probably where you stop reading and move on. Don’t!

The HITECH Act expanded the scope and liability of business associates for failure to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. I’ll admit that does sound very dry and has too many acronyms, but stay with me, as we have to cover some important stuff.

Historically, business associates were not directly subject to liability under HIPAA; instead, they were required to sign a Business Associate Agreement (BAA) to be held liable. Now, however, the HITECH Act statutorily imposes direct liability on business associates for failure to comply with HIPAA, with or without an executed BAA. (Yes, more acronyms. Why is everything in acronyms?) Business associates could face civil monetary penalties, and in some cases criminal penalties, for the failure of their agents, including subcontractors, to comply with the HIPAA regulations.

To complicate matters further, the omnibus final rule of the HITECH Act, published on January 25, 2013, broadens the definition of business associate, effectively bringing many new organizations under the authority of HIPAA.

Okay. Now I have to go legal on you and be very boring, but there is no sexy way to cover the new, broad definition of business associate other than to lay it out the way the Act defines it. As you will see below, your business, everyone related to your business, and their mother will now be held accountable!


The definition of business associate includes the following categories of organizations:

  1. Subcontractors
    The final rule expanded the definition of business associate to include all subcontractors of business associates that create, receive, maintain or transmit Protected Health Information (PHI) on behalf of business associates. The reach of this designation will apply to subcontractors irrespective of how far downstream the subcontractor is, contractually, from the covered entity. Each subcontractor, as a business associate under the new definition, will be directly liable for its own compliance with the provisions of the privacy and security rules applicable to business associates.
  2. Entities Providing Data Transmission Services
    The final rule stated that any organization that provides a covered entity with data transmission services involving PHI, and that requires access on a routine basis to such PHI, will be considered a business associate, including but not limited to health information organizations and e-prescribing gateways. There is a narrow exception provided under the final rule for entities that act as “mere conduits for the transportation of PHI” but do not access the PHI other than on a random or infrequent basis, such as Internet service providers (ISPs) and telecommunications companies.
  3. Document and Data Storage Organizations
    The definition of business associate was expanded to include entities that “maintain” PHI. Organizations that maintain PHI, such as document and/or data storage companies, are considered business associates of covered entities, regardless of whether the entity actually accesses the PHI maintained for a covered entity.
  4. Personal Health Record Vendors
    Vendors that provide and manage personal health records on behalf of covered entities are business associates under the final rule; however, those vendors that offer the personal health record directly to the individual and not on behalf of the covered entity will not be considered business associates.
  5. Financial Institutions Lending to the Health Care Industry
    The preamble to the final rule clarified the circumstances under which a banking or financial institution may become a business associate. The mere act of providing payment processing activities for covered entities will not render a financial institution a business associate. However, performing functions above and beyond the mere processing of remittance advice, such as accessing accounts receivable documentation that contains PHI in connection with the provision of working capital financing to a health care provider, may qualify the institution as a business associate. Accordingly, a lender with access to PHI within the covered entity’s accounts receivable will likely be considered a business associate.

Now that we have discovered that everyone with a pulse is held accountable, the next step is to figure out what will get you into trouble. Business associates may face civil monetary penalties, and in some cases criminal penalties, for failure to comply with the following obligations:


Okay, did I lose you in the last segment? Are you still with me? Did your eyes glaze over, and did you decide to skip to this section? Well, the penalty section will not disappoint. Now we will examine the civil penalties we keep alluding to.

The HITECH Act not only expanded civil penalties to cover new organizations, but it also increased the original HIPAA fines.

The new penalty structure is as follows (penalty per violation, and the annual maximum for repeat violations within a calendar year):

Violation category              Per violation            Annual maximum
Did Not Know                    $100 to $50,000          $1,500,000
Reasonable Cause                $1,000 to $50,000        $1,500,000
Willful Neglect – Corrected     $10,000 to $50,000       $1,500,000
Willful Neglect – Not Corrected $50,000                  $1,500,000


One-time violations stay under $50K, but repeat violations within the same year can carry a fine of $1.5 million across all HIPAA violation categories, up substantially from the previous $250K maximum. That’s a bit of a hike. However, the average economic impact on your company will be more than the civil penalties mentioned above. You also have to consider the federal investigation, legal fees, business downtime and decreased credibility, so you could be looking at a total of around $2.4 million, give or take a few dollars.

I bet I got your attention now. And if you think no one will notice if you’re not in compliance – think again.

One of the lesser-known requirements of the HITECH Act is that it mandates periodic and random audits of covered entities and business associates alike. While previously in a pilot testing phase, the OCR (Office for Civil Rights, the agency that enforces HIPAA) audit program has been up and running since 2013.


In conclusion, any HR, IT, or Finance professional handling any information that is private (or, as the Act defines it, protected health information) is now liable. You should inform your employees as well as your subcontractors of your newfound responsibility. Don’t forget that ignorance of the law is not a defense. As clearly demonstrated above, ignorance of the law will cost you thousands of dollars.



About the Author:

Roz Maiorino, MDJD

Roz Maiorino is a Legal Advisor for HRMS Solutions. Dr. Roz Maiorino is a dual-trained medical doctor and attorney with 10 years of experience in business and healthcare law. Dr. Maiorino earned her Juris Doctor (J.D.) law degree from Catholic University of America, Columbus School of Law, and her Doctor of Medicine (M.D.) degree from The George Washington University School of Medicine. Dr. Maiorino has extensive knowledge of healthcare regulations, including but not limited to HIPAA, fraud, and abuse. In addition to healthcare law, Dr. Maiorino has many years of practice in business law and the corporate life cycle, including corporate formation, employment agreements, employment termination, sales or service contracts and partnership agreements. Dr. Maiorino started her legal career in patent law and transitioned to health care/corporate law in 2012. She is licensed to practice law in Colorado and Maryland.
