What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 is a provision of the American Recovery and Reinvestment Act of 2009 and provides guidelines for the use of health information technology. Specifically, this Act clarifies concerns over the privacy and security of medical records transmitted electronically, in accordance with the Health Insurance Portability and Accountability Act of 1996. Ambiguities in the privacy and security regulations had confused some medical record holding entities, leading to an abundance of caution when disclosing patient records. The HITECH Act clarified these regulations and provided a meaningful enforcement mechanism against violators of these rules.
What is HIPAA and how does it relate to the HITECH Act?
In Title I, HIPAA primarily protects the right of families to retain their insurance upon the termination of employment. For the purposes of the HITECH Act, however, the relevant provisions are in Title II. Title II sets criminal and civil liabilities in the healthcare system to prevent fraud and violations of privacy. The Privacy Rule establishes regulations that entitle the client to view his or her personal medical records or billing information within 30 days of filing a request. The insurance provider must also provide that information to law enforcement if necessary in cases of suspected child abuse or other criminal wrongdoing.
The Privacy Rule also minimizes the amount of private information a holder of medical information may disclose to another party, depending heavily on the individual's authorization to release such data. Giving individuals unauthorized access to view personal data can create liability for the records holder, which can in turn result in civil damages owed by the records holder to the clients.
The Security Rule, which took effect in 2003, relates to the Privacy Rule and forces holders of private medical information to abide by stringent security rules in three categories.
– Administrative: The holder of private information must maintain privacy procedures and have at least one employee ensuring compliance with privacy regulations. Individuals that have access to private data must be clearly indicated as well as the scope of their privileges and responsibilities with that data. As a general rule, the disclosure and access must be strictly job-related and minimize the unnecessary exposure of the records. Lastly, there must be internal audits and emergency procedures to protect the data from future breaches and non-compliance with HIPAA regulations.
– Physical: This requirement simply means keeping the records in a safe space, controlling who may access the data storage units, and ensuring proper use of workstations that contain private data.
– Technical: This requirement ensures that the holder of private medical records takes adequate electronic precautions, such as optional encryption and message authentication, to prevent the leak of private medical information via electronic means. The organization must routinely evaluate its electronic security procedures.
How does the HITECH Act of 2009 improve on the HIPAA provisions?
The HITECH Act expands the privacy regulations on the holders of private medical records (insurance and billing companies) to include business associates, and requires the disclosure of these new privacy rules in any future agreements between record holding entities and new business associates.
The HITECH Act also enforces notification requirements for the breach of personal information. In the event that secured information is leaked by the entity, this must be acknowledged and the client must be made aware of the leak. Leaks that affect more than 500 patients must be reported to the Department of Health and Human Services. Patients may not bring suit against entities that breach security and privacy regulations, but the attorney general may file suit on their behalf.
The last improvement in the HITECH Act enforces stricter regulations on the disclosure of patient information by the entity, reducing the amount of time it has to account for the disclosure from six years to three.
What does the HITECH Act mean for enforcement?
Prior to the HITECH Act, HIPAA violations were rarely prosecuted, and complaints rarely resulted in action or civil penalties on the part of the Department of Health and Human Services. HITECH changed this dramatically, the most infamous example being the sentencing of a hospital employee to four months in prison in 2010 for the unauthorized access of coworker and celebrity medical records.
Patient-doctor electronic communication is also now covered by the HITECH Act. Doctors must encrypt communication with patients, which poses obvious problems for the tech-illiterate patient. Healthcare providers can obtain consent from a patient to communicate via unencrypted email, and that consent can be waived at any time. Email communication initiated by the patient operates under the assumption of consent to unencrypted communication.
Information gleaned from email communication must be added to the patient's medical record and should be treated the same as an in-person doctor visit. The use of electronic portals rather than email, which enables a patient to log in and communicate with doctors or access their records, is a preferable option to complex email decryption.
What is Section 13410(d) of the HITECH Act?
Section 13410(d) provides stiffer penalties for "noncompliance due to willful neglect," sets maximum penalties for violation of privacy requirements, and entitles the patient to recoup monetary damages for the breach of personal information. The maximum penalty is $1.5 million for repeated violations. It also modified section 1176(b), which had absolved entities of liability if they were not aware of the regulations. Instead, such entities are now assigned the lowest level of liability and, correspondingly, the lowest level of penalties for non-compliance.
There is criticism that HIPAA and HITECH requirements bury doctors in paperwork and create unnecessary bureaucracy that impedes patient care. Additionally, clinical research is impeded by privacy requirements, as researchers do not enjoy the same level of access to patient records as they did prior to the increased regulations. HITECH clarified disclosure rules and streamlined procedures, as the original requirements were at times unclear to the record holding entities, forcing them to be overly cautious with the disclosure of personal information.
What is “meaningful use?”
In response to criticism over the stalling of clinical research and patient care, the HITECH Act provides protections for medical institutions that need to use patient data to improve patient care and research. Those that qualify for meaningful use may access and use Electronic Health Records (EHRs) for various tasks such as prescribing medication. For an institution or provider to receive meaningful use status, it must meet stringent regulations regarding the disclosure of its data to patients. Those that apply EHRs correctly to improve patient care will receive incentive payments from the federal government to maintain that standard of care, enabled by the use of EHRs.
Doctors using EHRs will need to report data on patients' blood pressure levels, smoking status and weight, as well as other statistics, to improve data collection on health trends. Efforts are ongoing to help doctors qualify for, maintain and comply with meaningful use status to improve patient care as a whole.