This applies to the health care industry: providers, health plans, health care clearinghouses, and all their business associates.
HIPAA and the subsequent HITECH (US Health Information Technology for Economic and Clinical Health) Act concern, among other things, national standards for electronic health care transactions. They require protection of the privacy and security of individual health information.
HIPAA was signed into law in 1996. The law was broadened in 2009 via the HITECH Act.
Penalties for noncompliance
Fines for noncompliance increased a great deal with the HITECH Act, to as much as $1.5 million per calendar year for each violation.
The HIPAA/HITECH push for widespread use of electronic health records brings with it security and privacy risks, which the regulations try to address. Just for example, HITECH requires the issuance of technical guidance on rendering protected health information “unusable, unreadable, or indecipherable to unauthorized individuals.” Encryption is one way to render such information unusable if it is lost or stolen. In the event of a breach of “unsecured protected health information,” the affected individuals and the Secretary of the US Department of Health and Human Services must be notified.