HITECH Act Definition: What is HITECH in Relation to HIPAA?
The simplest HITECH definition is that it is an extension of HIPAA, bringing the earlier Act into the 21st century with respect to electronic data storage and communications technology, as the name (Health Information Technology) suggests. It is also intended to increase the penalties for non-compliance, particularly where non-compliance is, or appears to be, wilful.
Another aspect of HITECH in relation to HIPAA is that while HIPAA initially placed direct obligations only on covered entities (health plans, health care clearinghouses and health care providers) that handled or stored protected health information (PHI), HITECH extends direct liability to what are referred to as ‘Business Associates’. These are organizations that create, receive, maintain or transmit PHI on a covered entity’s behalf, whether or not a formal business associate agreement (BAA) is actually in place; the status follows from the function performed, not from the paperwork.
HIPAA (the Health Insurance Portability and Accountability Act) is the Act intended to protect the privacy and security of individuals’ health information, and was passed by Congress in 1996. Technology has advanced considerably since then: although electronic record keeping was already common, most health authorities and health service providers still held the majority of their records on paper in filing cabinets.
HITECH (the Health Information Technology for Economic and Clinical Health Act) was enacted in 2009 as part of the American Recovery and Reinvestment Act and, as explained above, modernizes HIPAA and adds further requirements. A reasonable HITECH Act definition would be that it extends the scope of HIPAA without replacing it, and provides more severe penalties, particularly for wilful non-compliance. Here is a more comprehensive HITECH Act definition, explaining the above in more detail.
1. Data Breach Notification: HITECH requires notification of any unauthorized acquisition, access, use or disclosure of unsecured PHI, meaning PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons (for example by encryption that meets HHS guidance). For example, if identifiable patient records have been disclosed to an insurer without authorization, you are legally obliged to notify the affected individuals and the relevant authorities. Conversely, the loss of a laptop or backup medium whose PHI is encrypted to that standard is not a breach of unsecured PHI, which is the practical reason encryption at rest matters under HITECH.
2. Patient Access to Health Records: If a covered entity uses or maintains an electronic health record, patients have the right to obtain a copy of their records in electronic form on request. Your record storage system must be able to produce such copies without undue delay rather than only on paper.
3. Third-Party Access: At the patient’s direction, a copy of their PHI may be sent to a third party designated by the patient. Any fee charged may not exceed the covered entity’s labor cost of responding to the request.
4. Business Associates: Under HITECH, business associates of covered entities are directly subject to the HIPAA Security Rule and to the Privacy Rule provisions that apply to them, and face the same penalties as covered entities. Examples of business associates are attorneys, medical billing agencies, health-related software vendors, IT and cloud service providers, auditors and any other organization that creates, receives, maintains or transmits PHI on a covered entity’s behalf. Workers whose contact with PHI is only incidental, such as contract cleaners and maintenance staff, are generally not business associates, but the covered entity must still apply reasonable safeguards against their access to paper and electronic PHI.
5. Penalties for Non-Compliance: HITECH introduced a tiered civil penalty structure based on the level of culpability, with a maximum of $1.5 million per calendar year for all violations of an identical provision. The top tier applies to wilful neglect that is not corrected, that is, where little or no attempt has been made to comply with HIPAA; lower tiers apply where the violation was due to reasonable cause, or where the entity did not know and could not reasonably have known of it.
6. HITECH Act Definition of ‘Breach’: A breach is the unauthorized acquisition, access, use or disclosure of PHI that compromises its security or privacy. Access to or use of PHI by an individual employed by or acting for a covered entity or business associate will not be considered a breach under the HITECH Act definition if it:
a) Was unintentional, and made in good faith within the scope of their work with the covered entity or business associate, and
b) The information acquired was not used or disclosed further by any individual or body; or
c) Was an inadvertent disclosure from an authorized person to a similarly authorized person at the same covered entity or business associate, and the information was not used or further disclosed; or
d) Involved only PHI that had been secured (for example, properly encrypted), since the notification requirements apply only to unsecured PHI.
In other words, no breach will have occurred if the information obtained stayed within the facility and was not further used in any way or provided to anyone else, other than as described in c) above.
These are rough versions of the actual wording, but convey the meaning of the regulations. Fundamentally, if unauthorized access to PHI occurred inadvertently in the course of somebody doing their job, and the information was not used in any other way once accessed, that does not constitute a breach.
However, if such information is used for purposes such as checking the patient’s insurability, checking for hereditary conditions that could affect the patient’s family, or for any other reason not directly connected with their medical treatment, then that does constitute a breach.
7. Obligation to Report a Breach: Section 13402 of the Act requires a covered entity that discovers a breach of unsecured PHI to notify each affected individual without unreasonable delay, and in no case later than 60 days after discovery. A business associate that discovers a breach must report it to the covered entity for which it provides the service, and the covered entity must then notify the patients concerned and the HHS Secretary. Where a breach affects more than 500 individuals, the Secretary must be notified at the same time as the individuals and, under Section 13402(e), prominent media outlets serving the affected state must also be notified; smaller breaches are logged and reported to the Secretary annually. There can only be a notifiable breach if the information was unsecured. Many organizations engage a lawyer to manage the notification process.
It is difficult to offer a more comprehensive HITECH Act definition than to say that it brings HIPAA into the modern era of electronic data storage and communications, and brings business associates directly within its scope.