Most of us have at least heard of the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act). These are the key data privacy laws that require businesses to put appropriate controls in place to safeguard the personal data (PII, Personally Identifiable Information) they store. Health care in the United States has its own privacy and security regime: HIPAA (the Health Insurance Portability and Accountability Act), which protects PHI (Protected Health Information), and the later HITECH Act, which strengthened and extended it. These two laws are explored further in this article.

What Is HIPAA?

This is an acronym that stands for the “Health Insurance Portability and Accountability Act.” It was signed into law in August 1996. Its primary intent, then and now, is to protect the privacy and confidentiality of patient data. The Act (through the rules HHS later issued under it) approaches this from two different perspectives:

  • Access to patient records must be controlled and authenticated. The HIPAA Security Rule requires a covered entity to implement access controls and to verify the identity of any person or system seeking access to electronic PHI, but it does not prescribe a particular mechanism. In practice, a healthcare worker accessing patient information is typically authenticated by a combination of factors such as a password, challenge/response questions, One Time Passwords (OTPs), biometrics (fingerprint or iris recognition) or hardware tokens; that is, some form of two-factor or multifactor authentication (2FA/MFA), which is widely adopted as a way of meeting the authentication standard even though the Rule itself is technology-neutral.
  • Records may only be disclosed to other parties with the written, explicit authorization of the patient, except for the specific uses the HIPAA Privacy Rule permits (chiefly treatment, payment and healthcare operations). In this regard, even a family member who is not the patient’s personal representative and is not involved in the patient’s care cannot obtain the records unless the patient has signed the proper release forms.

After the original statute, HHS issued two subsequent rules under it, with the following compliance dates:

  • The HIPAA Privacy Rule, in force from April 2003.
  • The HIPAA Security Rule, in force from April 2005.

What Is HITECH?

This is an acronym that stands for the “Health Information Technology for Economic and Clinical Health Act.” It was passed in 2009, as part of the American Recovery and Reinvestment Act. One of its primary differences from HIPAA is that it does not introduce new authentication requirements such as 2FA or Multifactor Authentication (MFA) per se; instead, it strongly promotes the adoption and “meaningful use” of what are known as “Electronic Health Records”, or “EHR” for short, through Medicare and Medicaid incentive payments.

In other words, rather than relying upon the slow and tedious method of faxing patient records, HITECH pushes healthcare providers to exchange records electronically, by rewarding adoption and, from 2015, reducing Medicare payments to providers who did not adopt. This is especially critical if the patient is in a life and death situation. To make this a reality, the HITECH Meaningful Use program was structured in three distinct stages, which are as follows:

1) Stage 1:

This stage lays down the framework for healthcare providers to start capturing patient data and other relevant medical information electronically and exchanging it securely. One example is “e-prescribing”: rather than giving the patient or a family member a handwritten prescription to be filled, the primary healthcare provider sends an electronic message to the patient’s pharmacy for it to be filled, saving both time and money.

2) Stage 2:

This stage requires healthcare providers to use more sophisticated electronic means in clinical processes and in communicating with their patients. Here are some examples:

  • The electronic recording and transmission of orders for tests to be carried out on the patient;
  • Adopting e-prescription technology (as described in the previous example) on a much wider scale;
  • Electronically transmitting a summary of the patient’s care record to another healthcare facility when the patient is transferred to another hospital;
  • Making more use of electronic educational resources to inform patients about the medications they are going to take or the procedures they will undergo;
  • Giving the patient online access to a patient portal where they can view, download and transmit their own records and see communications with the other healthcare providers they have consulted;
  • Keeping a detailed history of the patient’s immunization and vaccination records and submitting it to immunization registries.

Especially important in this stage is the protection of electronic health information: conducting a regular security risk analysis that specifically addresses the encryption of stored PHI, and keeping the operating systems and firmware of all devices updated with the latest patches.

3) Stage 3:

Stage 3, focused on improved health outcomes and interoperability, is the final stage. Its requirements were finalized by CMS in 2015, after Stages 1 and 2 were already in effect, and its detailed objectives are beyond the scope of this article.

How HITECH Has Strengthened HIPAA

It is also important to note that HITECH greatly strengthened the enforcement arm of HIPAA. Here are some of the areas in which this applies:

  • Any breach of unsecured patient records must be reported not only to the affected parties (primarily the patients), but also to the Department of Health and Human Services, and, for breaches affecting more than 500 residents of a state or jurisdiction, to prominent media outlets as well. This is what is known as the “HIPAA Breach Notification Rule.”
  • Any external third-party vendor that the healthcare organization hires to store or process patient records (a “business associate” in HIPAA terms) is directly subject to the relevant HIPAA requirements and can be held liable for violations in its own right, rather than only through its contract with the healthcare organization.
  • It also increased the financial penalties and stiffened the enforcement of HIPAA. There are now four tiers of violations, based on the level of culpability, and the monetary fines increase with each tier, up to a maximum of $1.5 million per year for all violations of an identical provision (an amount that has since been adjusted for inflation).


If your organization uses Microsoft Office 365 and Azure to store and process patient data, and you have questions about the compliance requirements set forth by HIPAA and HITECH, contact us today.