Audits for Neglect
The industry perception is that HITECH compliance has not been strictly enforced in the past. As time has shown us, the new powers that are in Washington have taken this rule to heart and are now performing audits on entities that have been reported to be in willful neglect or have severely breached ePHI data. The HITECH Act requires mandatory penalties for “willful neglect.” What “willful neglect” means will need to be determined on a case-by-case basis, but speaking from experience, if you do not have the necessary Privacy and Security documentation to present to an investigator, covering all aspects of the rule, you will likely be found in willful neglect.
The penalties for willful neglect are increased under the HIPAA HITECH Act. These HIPAA violation penalties can extend up to $250,000, with repeat/uncorrected violations extending up to $1.5 million. Under certain conditions, HIPAA’s civil and criminal penalties now extend to business associates. As stated in the original HIPAA rule, which as of late has been ignored, if you are a covered entity and you share information with a business associate, you are supposed to get assurance that they will protect the data. In most cases that never happened.
The obvious goal of Health and Human Services (HHS) is to provide for “enhanced enforcement.” HHS has released reports of significant fines and audits in 2012, which show that HHS is serious about healthcare organizations complying with the enacted regulations.
HIPAA clearly outlined release-of-information guidelines, specifying what can and cannot be released without authorization from the patient. The HITECH notification requirements were modeled on many state data breach laws covering personally identifiable financial information. The HITECH Act, as it relates to HIPAA and EMRs, requires that patients be notified of any breach of unsecured ePHI. If a breach impacts 500 patients or more, then HHS must also be notified, and in that case local media must be notified as well. Lastly, the State Privacy Officer must be notified. All affected patients must receive a first-class mailing that personally explains what happened and what steps are being taken to resolve the breach, with the entity sometimes paying for the affected patients to have free access to their credit reports.
Electronic Health Record Access
If a provider has implemented an EHR system, HITECH compliance gives the patient the right to obtain their ePHI in an electronic format. The patient can also designate a third party as the recipient of the ePHI. HITECH compliance also provides that the charge for an electronic request be equal to the labor cost of producing it.
For providers that have an EHR, this task should be rather easy to accomplish. On further examination, however, some EHR vendors have not made it easy, and in those cases more work is required to produce such a file.
The HITECH Act’s incentives are driven by the implementation of “Meaningful Use.” “Meaningful Use” gauges your implementation of an EHR and whether the EHR you have chosen meets all the requirements the government has laid out. Not being able to show meaningful use may decrease or eliminate incentive payments.