What is the HITECH ACT?
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is part of the American Recovery and Reinvestment Act of 2009 (ARRA). Why is the HITECH ACT important? The HITECH Act was created to motivate the implementation of electronic health records (EHR) and supporting technology in the United States. President Obama signed HITECH into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA), an economic stimulus bill.
The HITECH Act of 2009 anticipated the expansion in the exchange of electronic protected health information (ePHI) between doctors, hospitals, and other entities that store ePHI for the sole reason of cutting down on the cost of healthcare by sharing. The HITECH Act of 2009 expanded the scope of privacy and security protections available under HIPAA by increasing the potential legal liability for non-compliance and it providing for more stringent enforcement. The HITECH Act specifies that by the beginning of 2011, healthcare providers will be given monetary incentives for being able to demonstrate meaningful use of electronic health records (EHR). These monetary incentives will be offered until 2015, after which time penalties will be levied for failing to demonstrate such use. Many of the HITECH Act’s requirements became effective 12 months from the date of enactment.
Audits for Neglect
The industry perception is that HITECH compliance has not been strictly enforced in the past. As time has shown us, the new powers that are in Washington have taken this rule to heart and are now performing audits on entities that have been reported to be in willful neglect or have severely breached ePHI data. The HITECH Act requires mandatory penalties for “willful neglect.” What “willful neglect” means will need to be determined on a case-by-case basis, but speaking from experience, if you do not have the necessary Privacy and Security documentation to present to an investigator, covering all aspects of the rule, you will likely be found in willful neglect.
The penalties for willful neglect are increased under the HIPAA HITECH Act. These HIPAA violation penalties can extend up to $250,000, with repeat/uncorrected violations extending up to $1.5 million. Under certain conditions, HIPAA’s civil and criminal penalties now extend to business associates. As stated in the original HIPAA rule, which as of late has been ignored, if you are a covered entity and you share information with a business associate, you are supposed to get assurance that they were going to protect the data. In most cases that never happened.
Health and Human Services’ (HHS) obvious goal is to provide for “enhanced enforcement.” HHS has released reports that show significant fines and audits in 2012 show that HHS is serious about Healthcare Organizations complying with the enacted regulations.
HIPAA clearly outlined release of information guidelines, and what can and cannot be released without authorization from the patient. HITECH notification requirements were built similar to many state data breach laws relating to personally identifiable financial information. The HITECH Compliance Act requires that patients be notified of any unsecured breach. If a breach impacts 500 patients or more then HHS must also be notified. In this instance, local media will need to be notified as well. Lastly, the State Privacy Officer will need to be notified. All breached patients will need to receive a first class mailing that addresses personally what happened and what steps are being taken to resolve the breach, with the entity sometimes paying for the breached patients to have free access to their credit reports.
Electronic Health Record Access
If a provider has implemented an EHR system, HITECH compliance provides the patient the right to obtain their ePHI in an electronic format. The patient can also assign a third party to be the recipient of the ePHI. HITECH compliance provides that charge, equal to the labor cost, for an electronic request.
For providers that have an EHR, it should be rather easy for them to accomplish this task. However, on further examination, EHR vendors did not make this easy on them in some cases and more work is required to produce such a file.
HITECH Act’s incentives are driven by the implementation of “Meaningful Use.” “Meaningful Use” gauges you implementation of an EHR and if the EHR you have chosen meets all the requirements the government has laid out. Not being able to show meaningful use may decrease or eliminate incentive payments.
Business Associates and Business Associate Agreements
As stated in the opening, HITECH compliance now covers certain HIPAA provisions directly aimed at business associates. Privacy and Security requirements were always supposed to be imposed on business associates via contractual agreements with covered entities. What we have experienced is that many providers did not get the necessary assurances that the Business Associate had or was planning on doing, including the necessary documentation that showed they were meeting the regulation guidelines. In many cases Business Associate Agreements exist but do not meet all the requirements of the rules. Because HHS failed to enforce the rules vehemently, this issue still exists today, which will prompt the Government to again make new rules to make sure that Business Associates that receive and store ePHI will be compliant under the HIPAA regulations.
The handwriting is on the wall with HITECH compliance. Business associates and providers will be sharing joint responsibilities with the protection of ePHI due to the increased amount of sharing that will be taking place. This will not only be between provider and EHR vendor, but eventually to hubs that others will be able to access. Small providers are still having problems not only with the HITECH Act but with the original HIPAA rule as well. With new regulations on the horizon, specifically Omnibus, small to medium entities will continue to struggle to comply and understand the mass of rules that are being thrown their way to protect patient’s data privacy and security.
Other HITECH Hits
HIPAA HITECH compliance continues on with rules regarding marketing communications, restrictions to uses and disclosures, and accounting of those disclosures. HIPAA did a fairly good job at covering these items but it is good to note that you should have policies and procedures outlining the aspects of each type of Use and Disclosure and what you need to track and store this information.
The HITECH Act was mainly enacted to further elaborate on breach notification. What do you need to do as a provider when you have a breach? The HITECH Act helps answer what it is you actually need to do, who you need to report to, and more. The government knows you have small breaches every day. For example, you have a fax that went to Joe’s Bar and Grill, a phone that was lost, or numbers were transposed on a letter and it came back opened. Those are things that happen every day, and the government is looking to you for answers, such as: what did you do after you found out, did you notify the patient, did you try to retrieve the document on the fax, was the phone encrypted, can you remotely wipe. Being able to answer and prove those are what needs to happen on a daily basis in your organization when it comes to HITECH Breach Notification.
We Can Help
With the addition of the HITECH Act of 2009, staying HIPAA HITECH compliant has become even more difficult for health providers. Even with potential monetary incentives for being compliant, businesses will need to be on their toes to stay compliant as ePHI becomes more widespread.
Compliancy Group is here to remove that stress and give you the tools to make your business safe. At Compliancy Group, no client has ever failed a HIPAA audit because of our proven methodology. We make compliance simple and affordable, and will make sure you protect yourself from any HIPAA HITECH obstacles that come your way.