The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was created in 2009 to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States. It introduced the Meaningful Use program, which incentivizes healthcare organizations to maintain the Protected Health Information of patients in electronic format rather than in paper files.

The Health Insurance Portability and Accountability Act (HIPAA), federal legislation promulgated in 1996, requires the US Department of Health and Human Services (HHS) to develop national standards to protect the privacy and security of patients’ medical records and other personal health information. It was ratified in 2013 as the “Final Omnibus” rule, to include Enforcement and Civil Penalties.

HITECH and HIPAA are separate and unrelated laws, but they do reinforce each other in certain ways. For example, HITECH requires that any physician or hospital that attests to meaningful use must also have performed a HIPAA security risk assessment as outlined in the Omnibus rule.


Who does HIPAA affect?

According to HIPAA, if you belong to the category of “covered entities” or “business associates,” and you handle “protected health information (PHI),” you are required to be HIPAA-compliant.

1. Covered Entities:

  • Health Care Providers like Doctors, Surgeons, Dentists, Psychologists, Podiatrists, Laboratory technicians, Optometrists, Hospitals, Clinics, Nursing homes, organizations in the life sciences field such as medical devices, biotechnology, Pharmacies, schools when they enroll students in health plans, nonprofit organizations that provide some healthcare services, and even government agencies.
  • Health Plans like Health Insurance Companies, HMOs, Employer-Sponsored Health Plans, Government Programs like Medicare, Medicaid, Military and Veterans’ health programs.
  • Healthcare Clearinghouses. These are organizations that collect information from a healthcare entity, process the data into an industry-standard format and deliver it to another entity. Examples of clearinghouses include: Billing services, Community health management information systems.

2. Business Associates:

  • “Business associate” refers to any organization or individual who acts as a vendor or subcontractor with access to PHI.
  • Examples of business associates include: Data transmission providers, Data processing firms, Data storage or document shredding companies, Medical equipment companies, Consultants hired for audits, Electronic health information exchanges, External auditors or accountants, Medical transcription companies, Answering services, Data conversion and data analysis service providers, Law firms, Software vendors and consultants, Financial institutions (if engaging in accounts receivable or other functions extending beyond payment processing), ISPs, ASPs, Cloud vendors, Researchers (if performing HIPAA functions for a covered entity), etc.

The HIPAA Enforcement Rule has a penalty structure in which penalties can range from $100 to $50,000 per violation depending on culpability, up to an annual maximum cap of $1.5 million on a per-provision basis. Business associates and subcontractors are directly liable for their violations, but covered entities can also be penalized for their violations. Here is a look back at the biggest HIPAA penalties, with corrective action plans, agreed between healthcare organizations and HHS in the last 3 years:

  • The US Office for Civil Rights (OCR) fined MAPFRE Life Insurance Company of Puerto Rico for failing to safeguard ePHI on a USB storage device. They settled for a $2.2 million penalty plus a corrective action plan.
  • Advocate Health Care, the largest system in Illinois, paid $5.55 million to HHS' Office for Civil Rights for violating HIPAA. The settlement is the biggest HIPAA payment to date involving one entity. Advocate Health is also required to adopt a corrective action plan to address all HIPAA failures.
  • Insurance holding company Triple-S, based in San Juan, Puerto Rico, settled potential HIPAA violation allegations by paying HHS a $3.5 million fine.

What can we do?

  • Ensure that you comply with HIPAA regulations if your organization has access to electronic Protected Health Information (ePHI).
  • Ensure that you comply with the PCI-DSS standard if your organization accepts, processes, stores or transmits credit card information.

How prepared is your organization? 24By7Security’s IT experts, with over 25 years of experience, can help you strengthen your cybersecurity program and ensure that all aspects of your organization are secure and operating effectively, while simultaneously meeting industry requirements.


Our Services include:

  • Assessing Compliance With HIPAA Standards
  • Security Risk Assessment
  • Policy and Procedures
  • Incident Response
  • Internal and External Penetration Testing
  • Training staff on Privacy Awareness
  • Insider Threat and APT Assessment
  • PCI-DSS compliance
  • Part-time CISO Services
  • Part-time Privacy Officer Services
  • Web Application Testing
  • Social Engineering Testing
  • Physical Security Testing