HITECH Act applies to businesses keeping personal health data
The HITECH Act is the Health Information Technology for Economic and Clinical Health Act, a large part of which extends the reach of HIPAA to what are referred to as ‘Business Associates’ of the health entities to which the HIPAA Act applies.
What that means to you in a nutshell is that if you have any dealings whatsoever with any business or authority to which HIPAA applies, and that business or authority can provide you with personal health information (henceforth PHI), then it also applies to you! So let’s take an example of that.
Say you are an insurance broker with a health insurer on your books – just like the health insurer, you too will be subject to HIPAA, because you are technically a business associate of that health insurer. Let’s take another example: you provide IT support to a dental practice, and in the course of your work you are likely to be able to access the patient files of the practice. Whether you like it or not, under HITECH you are classed as a business associate of that dental practice, and so both HITECH Act compliance and HIPAA compliance apply to your business.
You cannot get out of this, and you must therefore set up a HIPAA policy and maintain it to include all of the relevant sections of HIPAA that apply to your business. HITECH also provides that should you, or any of your employees, notice a violation of HIPAA in any of the businesses you have dealings with, you are legally obliged to report it, on pain of severe financial penalties.
HITECH has also increased the penalties for violation of HIPAA from a minimum and maximum of $100 and $50,000 to $10,000 and $1.5 million, so HITECH has given teeth to HIPAA that it did not previously have.
You can read anything into that you want, but the way you should perhaps read it is that the government is sick of HIPAA transgressions and is now prepared to stamp down hard on them, with the financial penalties for each level of transgression multiplied by between 100 times and 250 times. That’s a massive increase, so you had better make sure you are complying, because they won’t accept many excuses for not doing so.
So how can you make sure you are complying, even if you just supply prosthetics to an orthopedic surgery and hold PHI in order to do that? There is software available that can help you stay legal with regard to HIPAA, but fundamentally, you have to develop a mindset of security: security of patients’ records, and making sure that your business cannot access these records improperly, or release them if you do have access. Then record everything you are doing to ensure that.
That is basically what HIPAA is: a set of regulations to ensure the privacy of patient information between the patient and those to whom it must be revealed. People with access to such information must make sure it is not revealed further down the line, and so on until it reaches you – then you have to do the same, and prove that you have done it.
If you have a formal Business Associate Agreement (BAA) with a business that has access to PHI, then HITECH covers you – if you are not sure, then contact your lawyer to determine your status under HITECH and HIPAA. In fact, some lawyers must also technically comply with HITECH, although there is still a great deal of uncertainty about whether lawyers who have access to PHI must comply. It would appear strange if they did not.
HITECH also applies to contracted foreign language interpreters and sign language experts hired by health services to interface between patients and health authorities such as doctors. If you believe that you have a business associate who may come within HITECH, you are advised to draw up a formal BAA with their need for HIPAA compliance included as part of that agreement.
HITECH is designed to make sure you understand these obligations and stick to them, with the ultimate objective of backing up HIPAA and underlining its importance to the entire medical world, including consultants, doctors, nurses, pharmacies, dentists and everybody who has direct contact with patients. As stated, the situation between HITECH and lawyers is unclear.
And then it goes down through the levels to receptionists, clerks, insurers and so on, and then down another level to the suppliers of each of these, such as the insurance broker and even the person who services your photocopier, if you believe that they could have access to PHI.
Everybody who can possibly receive and pass on the health information of a patient comes under HIPAA through the terms of HITECH. It’s like a domino effect – every domino is covered by HITECH in respect of a patient’s health information, referred to as PHI, and you may see that abbreviation a lot more from now on!