Understanding the Difference Between HIPAA and HITECH


To increase the effectiveness and efficiency of the healthcare system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was implemented. HIPAA contained national standards for electronic healthcare transactions to protect sensitive patient data. The Health Information Technology for Economic and Clinical Health (HITECH) Act was implemented as a segment of the American Recovery and Reinvestment Act of 2009 to adopt the meaningful and safe use of health information technology. While they are close in content, there are vast differences between HIPAA and HITECH that must be understood to properly comply.

The major points of HIPAA compliance were created to protect health insurance for employees and their families when they lose or change jobs. HIPAA further assures the security of personal health information (PHI) while upholding its confidentiality and integrity. That means medical groups and providers are held accountable for the mishandling of this information. HIPAA is the specific reason different carriers submit a Notice of Privacy Procedures and why documents containing sensitive data are stored in locked drawers or on highly encrypted information technology networks.

Electronic Data Interchange

HIPAA also lengthened its reach to assist medical groups with their usage of electronic data interchange. Furthermore, HIPAA implemented regulations to standardize digital healthcare transactions which include health care payment, health claims, and remittance advice.

The HITECH Act was created to build further on HIPAA's reinforcement of the use of health information technology. It sparked the adoption of electronic health records (EHR) by providing incentives to those medical groups who proved they had effectively implemented EHR technology. A different section of the HITECH Act increased regulations related to the Privacy and Security Rules of HIPAA. Through this addition, HITECH added technical requirements for doctors and hospitals that use EHR. The HITECH provisions enhance the HIPAA regulations that focus directly on business associates. In other words, HITECH expanded the HIPAA compliance notice requirements: providers must report any considerable information breach to the government and to those impacted, and from these notifications patients can request access to that information at any time.

Business Accountability

HITECH required business associates of HIPAA entities to sign a business associate agreement (BAA) and agree not to provide PHI other than for those falling within HIPAA rules. Business associates were also required to adhere to determined provisions of the HIPAA Security Rule, including the enactment of physical, administrative, and technical controls that safeguard the integrity, confidentiality, and availability of PHI.

HITECH also required business associates to enter a BAA with their subcontractors and made them directly accountable for any actions that breach the rules. Business associates could also be financially penalized for violating those rules.

Increased Penalties

In addition to business associate fines, HIPAA entities could be fined for HIPAA rule violations committed by those associates. HITECH required investigations into data breaches and complaints to determine whether any rules were violated. HITECH also changed the resulting penalty structure by allowing penalties for violations that occurred without the knowledge of the business associate or entity, if they should have been aware of the violation by exercising proper due diligence. However, HITECH prohibited financial penalties if the violation was corrected within 30 days.

Patients Having Access to Medical Records

The HIPAA Privacy Rule gave health plan members and patients the right to acquire copies of their PHI. HITECH expanded those rights to include receiving those copies in electronic form if the information was readily available in that format. HITECH also stopped the sale of PHI except under extenuating circumstances, which closed the marketing loophole and thus barred providers from receiving compensation for treatment recommendations.

HITECH was an evolution of HIPAA that expanded the coverage and protection of sensitive client or patient information. Therefore, providers must understand the differences between HITECH and HIPAA. Having a clear understanding of the compliance regulations can mean the difference between a tiny mistake and a career-ending situation.
