By Type (4)
HIPAA Medical Release Form – A request made by a patient to share their medical records with a third party.
Business Associate Agreement – When a covered entity shares medical records with a third party (business associate).
Employee HIPAA Agreement – When an organization shares access to medical records with an employee.
Subcontractor HIPAA Agreement – When a business associate shares PHI with a subcontractor.
What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to promote the meaningful use of health information technology.
It was signed on Feb. 17, 2009 by Barack Obama and was made effective on Feb. 18, 2009 as part of the American Recovery and Reinvestment Act of 2009.
The Act offered government incentives to adopt Electronic Health Records (EHRs) as a means of sharing Protected Health Information (PHI). This has increased EHR adoption from 48.3% in 2009 to 85.9% in 2017.[2]
The HITECH Act also closed loopholes and tightened restrictions so that a covered entity can be held at fault for negligence. Violations of this Act are separated into four tiers of penalties.
Sharing Medical Records (3 Rules)
When sharing medical records, three rules must be followed:
2. Make Agreements with Subcontractors
If a contractor or subcontractor is utilized by a business associate for the handling of patient information, a subcontractor agreement must be written. The subcontractor must sign and acknowledge that they consent to the same security and protection standards when dealing with patient information.
3. Comply with HIPAA Rules
It must be written that the business associate agrees to comply with the laws, procedures, and policies stated in 45 CFR Subpart C.[5]
HIPAA Penalties ($)
HIPAA penalties are administered by the Office for Civil Rights (or OCR). In the last 5 years, the office has collected anywhere from $10 million to $30 million annually in fines. The office even has a “wall of shame” displaying publicly all past and current breaches.
Four Tiers
Fines administered by OCR can range from $100 to $1.5 million per incident depending on the circumstances of the violation. Accordingly, the penalties for violations are segmented into four tiers:
TIER | INCIDENT | FINE ($) ESTIMATE*
--- | --- | ---
TIER 1 | The breached party was unaware of the breach and under the given circumstances could not have known about it. | $100 to $50,000
TIER 2 | The breached party was aware, or by following reasonable HIPAA protocols could have known about the violation. The breached party must have exemplified actions of willful neglect. | $1,000 to $50,000
TIER 3 | The breached party acted with willful neglect but corrected the issue within thirty (30) days. | $10,000 to $50,000
TIER 4 | The breached party acted with willful negligence and failed to correct the issue within a reasonable time period. | $50,000 to $1.5 million

*Any fine may be up to $1.5 million if OCR deems the negligence or penalty to warrant the amount.