HITECH Act Summary Definition
The HITECH Act came into being because of the increasing use of technology.
The acronym stands for Health Information Technology for Economic and Clinical Health Act – a perfect example where the name of the legislation was obviously devised after the acronym!
Notwithstanding that, it is a powerful piece of legislation that increases the power of HIPAA by giving it teeth, improving transparency and accountability, and extending its scope. Here is a summary of its main provisions:
1. Inclusion of Business Associates
Prior to the HITECH Act, HIPAA only applied to business associates when the contract between them and health service providers specifically stated this. Now, irrespective of contract, all business associates must comply with HIPAA, including software vendors, third-party billing companies and even contract cleaners with access to areas where health records are stored.
This is a significant expansion of the regulations, and many businesses that were hitherto not covered by HIPAA now are. In fact, as with the health services themselves, business associates are now obliged to report security breaches of the law, and even minor suppliers of services will now become ‘business associates’ in the eyes of the law. If you are contracted to shred private health documents you now come under HIPAA, just the same as if you provide the locks for the doors where such records are stored.
2. Electronic Protected Health Information (ePHI)
Any health service provider that holds patient information in electronic form must provide the patient, or a third party named by the patient, with an electronic copy of these records on request. The provider must charge no more for this than the cost of doing so. What this means is that if your organization is not equipped to do this, then you should acquire the technology to enable it. ePHI must be provided immediately upon request and not ‘some time later’ to suit you. Technology is expanding, and requests for paper copies are expected to be rapidly overtaken by requests for electronic copies.
3. Penalties for Non-Conformance
HITECH applies severe penalties for what is termed ‘willful neglect’, which can be translated as being a failure to make much of an attempt to conform to the terms of HIPAA. The maximum penalty under HIPAA of $250,000 has been increased to over $1 million for repeated offences with similar penalties applying to business associates.
4. Notification of Breaches
Individual patients must be informed when a breach of the security rules relating to their private health information has occurred. The Department of Health and Human Services (HHS) must be informed if 500 or more patients are affected, which will result in the business or organization causing the breach being published on the HHS website and the potential for local press and radio to be informed if necessary.
HITECH, HIPAA and EHR
The HITECH Act was devised to expand HIPAA to take into account the increasing use of electronic storage and communications systems. Such systems pose a different set of security problems than the storage of hard copies of health records. They give third parties more opportunities to breach security systems, which is why HITECH includes business associates that will have the potential to access private health information.
HITECH also increases the penalties for non-conformance, particularly where an entity deliberately fails to take the actions necessary to comply. The Act is an indication of the increased focus of federal government on HIPAA Compliance, which is reinforced by the availability of funding to health service providers to adopt an Electronic Health Record system (EHR) to take the place of the old paper records.
The US government takes the protection of an individual’s private health records seriously, but even so there have been incidents of life insurance refused or premiums raised to ridiculous prices due to a patient’s records being divulged. Not only was HIPAA a necessity when the Act was passed by Congress in 1996, but the increased use of computers and electronic storage devices has rendered it easier for such records to be accessed and hacked.
HITECH was introduced in 2010 in response to this, and the opportunity was taken to increase the penalties for blatant refusal to conform to its terms and also to extend these to business associates. This was because these associate entities were increasingly being given opportunities to gain access to ePHI even if they had no intention of doing so. Fundamentally, there was a need for the law to keep up with the technology that could be used to break it.
The main objective of HITECH is to promote EHR systems, to improve their protection and to increase transparency and accountability throughout those businesses that either handle private medical information or offer services to those that do.
5. Meaningful Use
Meaningful Use is defined by the use of certified EHR technology in a meaningful manner (for example electronic prescribing); ensuring that the certified EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of care; and that in using certified EHR technology the provider must submit to the Secretary of Health & Human Services (HHS) information on quality of care and other measures.
The concept of meaningful use rested on the ‘5 pillars’ of health outcomes policy priorities, namely:
- Improve quality, safety, and efficiency, and reduce health disparities
- Engage patients and families in their health
- Improve care coordination
- Improve population and public health
- Ensure adequate privacy and security protection for personal health information