What is the HITECH ACT?

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is part of the American Recovery and Reinvestment Act of 2009 (ARRA). Why is the HITECH ACT important? The HITECH Act was created to motivate the implementation of electronic health records (EHR) and supporting technology in the United States. President Obama signed HITECH into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA), an economic stimulus bill.

The HITECH Act of 2009 anticipated the expansion in the exchange of electronic protected health information (ePHI) between doctors, hospitals, and other entities that store ePHI for the sole reason of cutting down on the cost of healthcare by sharing. The HITECH Act of 2009 expanded the scope of privacy and security protections available under HIPAA compliance by increasing the potential legal liability for non-compliance and it providing for more stringent enforcement. The HITECH Act specifies that by the beginning of 2011, healthcare providers will be given monetary incentives for being able to demonstrate meaningful use of electronic health records (EHR). These monetary incentives will be offered until 2015, after which time penalties will be levied for failing to demonstrate such use. Many of the HITECH Act’s requirements became effective 12 months from the date of enactment.

What is the HITECH Act?

Become Hitech Compliant

Whether its HIPAA or HITECH becoming compliant is key for your business.

Audits for Neglect

The industry perception is that HITECH compliance has not been strictly enforced in the past. As time has shown us, the new powers that are in Washington have taken this rule to heart and are now performing audits on entities that have been reported to be in willful neglect or have severely breached ePHI data. The HITECH Act requires mandatory penalties for “willful neglect.” What “willful neglect” means will need to be determined on a case-by-case basis, but speaking from experience, if you do not have the necessary Privacy and Security documentation to present to an investigator, covering all aspects of the rule, you will likely be found in willful neglect.

The penalties for willful neglect are increased under the HIPAA HITECH Act. These HIPAA violation penalties can extend up to $250,000, with repeat/uncorrected violations extending up to $1.5 million. Under certain conditions, HIPAA’s civil and criminal penalties now extend to business associates. As stated in the original HIPAA rule, which as of late has been ignored, if you are a covered entity and you share information with a business associate, you are supposed to get assurance that they were going to protect the data. In most cases that never happened.

Health and Human Services’ (HHS) obvious goal is to provide for “enhanced enforcement.” HHS has released reports that show significant fines and audits in 2012 show that HHS is serious about Healthcare Organizations complying with the enacted regulations.

Breach Notification

HIPAA clearly outlined release of information guidelines, and what can and cannot be released without authorization from the patient. HITECH notification requirements were built similar to many state data breach laws relating to personally identifiable financial information. The HITECH Compliance Act and its relationship to HIPAA and EMRs requires that patients be notified of any unsecured breach. If a breach impacts 500 patients or more then HHS must also be notified. In this instance, local media will need to be notified as well. Lastly, the State Privacy Officer will need to be notified. All breached patients will need to receive a first class mailing that addresses personally what happened and what steps are being taken to resolve the breach, with the entity sometimes paying for the breached patients to have free access to their credit reports.

Electronic Health Record Access

If a provider has implemented an EHR system, HITECH compliance provides the patient the right to obtain their ePHI in an electronic format. The patient can also assign a third party to be the recipient of the ePHI. HITECH compliance provides that charge, equal to the labor cost, for an electronic request.

For providers that have an EHR, it should be rather easy for them to accomplish this task. However, on further examination, EHR vendors did not make this easy on them in some cases and more work is required to produce such a file.

HITECH Act’s incentives are driven by the implementation of “Meaningful Use.” “Meaningful Use” gauges you implementation of an EHR and if the EHR you have chosen meets all the requirements the government has laid out. Not being able to show meaningful use may decrease or eliminate incentive payments.