The History of the HITECH Act
Part of the American Recovery and Reinvestment Act of 2009 (ARRA), The Health Information Technology for Economic and Clinical Health ACT (HITECH ACT) was enacted to motivate healthcare providers to implement electronic health records (EHR) using financial incentives.
In 2009, many practices still used paper records, and it was impossible to coordinate care between practices without waiting for signed releases to be faxed or mailed to other practices and those practices to respond by sending the records. The HITECH Act of 2009 foresaw the expansion of EHR and sharing between hospitals, private practices, etc. that store protected health information and anticipated cost savings, improved quality of care, and increased patient safety.
With the sharing of protected health information, HIPPA expanded the scope of privacy and security protections available by expanding legal liability and enforcement activity for non-compliance. By 2011, practitioners were expected to demonstrate meaningful use of EHR in exchange for monetary incentives of up to $64,000 per provider.
Enforcement Measures
The HITECH act incentivized practitioners for instituting EHR, but it also increased culpability in the event of a failure to protect patient information. It is the goal of the Department of Health and Human Services (HHS) to provide enhanced enforcement activities. HIPPA clearly outlines what can and cannot be released about a patient without their consent. Healthcare providers have a duty to secure patient records.
HHS’ HITECH compliance audits are designed to identify and stop willful neglect of Electronically Protected Health Information (ePHI) or HIPAA violations. It’s important to have Privacy and Security documentation to present to HIPAA enforcement, as penalties for neglecting HIPPA violations increased starting in 2015. Practitioners can be fined by HHS. Fines come in tiered categories and can be in amounts of up to $1.5 million for repeat offenses of the same rule. Professionals working in the healthcare field and business associates of healthcare workers can even face criminal and civil culpability for committing breaches of these laws.
The Office for Civil Rights (OCR) within HHS works closely with healthcare providers and patients to ensure patients know their rights concerning their personal health information and treatment options and providers understand their responsibilities to their patients. All healthcare providers who are covered under the HIPAA Act are also subject to HITECH Act rules and regulations. They are dubbed “covered entities,” and include health plan providers, nearly all healthcare providers, healthcare clearinghouses, and the business associates for covered entities. Professionals covered under HIPAA are subject to enforcement activities under HITECH.
The Similarities and Differences Between HITECH and HIPAA
The HIPAA act was signed into law in 1996 while HITECH was part of an economic stimulus package that was enacted and signed into law in 2009. HIPPA anticipated the need for laws and enforcement activities around how ePHI was to be handled and protected. The act outlines patients’ civil rights and gives them a chance at recourse in the event of violations.
HITECH was intended to foster the use and creation of technology in healthcare records. It closed loopholes in the HIPAA Act and strengthened HHS’s ability to enforce privacy laws. Until 2009, there were ambiguities in the HIPAA Act about how penalties were levied in situations where negligence wasn’t present but violations were or when violations were corrected quickly.
HITECH was created with the intent of making HIPAA better overall. It was meant to ensure regulations were fair and enforcement measures were appropriate and equitable. Both HIPAA and HITECH have a direct impact on healthcare organizations’ cybersecurity planning and management. Security and management activities important considerations when making decisions about how to discover, finance, and deploy health information technology.
Northstarr Recommendations for Healthcare Providers and Associates
Though giving legal advice is prohibited by law, as cybersecurity providers and professionals we can assist organizations in better understanding the purposes for HIPPA and HITECH Acts, why they were enacted, and what they mean for organizations. We can advise you on the best practices for your business to ensure your cybersecurity risks are as low as can be reasonably expected.
With a better understanding of regulatory requirements, your organizational security posture can be specifically designed to reduce risks, improve patients’ and customers’ trust in your ability to protect their ePHI, and make closing the gap between compliance and being cyber-SECURE more cost-effective.
Northstarr can lighten the burden of meeting cybersecurity requirements on your organization. Protecting your patient’s personal health information requires a team of skilled professionals, and those duties aren’t under the auspices of a healthcare provider. Contact us today and we’ll help you get back to the business of meeting your patients’ health needs.
Resources:
Health Information Privacy resources – https://www.hhs.gov/hipaa/index.html
HIPAA for Professionals – https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
HITECH Act document (PDF format) – https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf
Health IT Legislation page – https://www.healthit.gov/topic/laws-regulation-and-policy/health-it-legislation
(OCR), O. o. (n.d.). HITECH Act Enforcement Interim Final Rule. Retrieved January 26, 2021, from Health and Human Services (HHS): https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
Journal, H. (n.d.). What is the HITECH Act? Retrieved January 26, 2021, from HIPAA Journal: https://www.hipaajournal.com/what-is-the-hitech-act/
Disclaimer
This article was written in whole and in part from the information referenced from HHS.gov. Health and Human Services is a reliable source for this information. This article should not be considered legal advice. If you need legal advice concerning your cybersecurity and HIPAA/HITECH requirements or potential breaches, please obtain that advice from a knowledgeable and competent cybersecurity lawyer or legal practice. We are posting this blog item as information for our customers and the general public ((OCR), n.d.).