Understanding the HITECH Act and its Role in IT
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is part of the American Recovery and Reinvestment Act of 2009 (ARRA), a broader plan that aims to incentivize the adoption of healthcare IT. The ARRA is largely designed to speed up the adoption of electronic health records (EHRs).
The technological nature of the HITECH Act also expands the scope of HIPAA's privacy requirements and broadens its security requirements. This means it increases the potential liabilities associated with non-compliance.
The HITECH Act also outlines some enforcement guidance for broader HIPAA and other new requirements.
Securis has put together this page to highlight some of the main HITECH Act provisions.
How does the HITECH Act change enforcement?
Part of the HITECH Act is designed to enforce HIPAA more effectively, with new penalties for concepts such as willful neglect and the improper protection of patient data.
Civil penalties for willful neglect are increased under the HITECH Act, reaching up to $250,000 for an initial instance — with the ability to grow to $1.5 million based on how long the violations go uncorrected.
More importantly, many HIPAA civil and criminal penalties now extend to business associates, and state attorneys general are empowered to bring action against providers on behalf of state residents.
HHS is now required to conduct periodic audits of covered entities and business associates.
What are the big IT changes with the HITECH Act?
Widespread adoption of electronic health records and the exchanges that connect them creates broader access to a large body of patient information. This has prompted concerns over access control, security, and the removal of confidential information in some settings.
To strengthen federal oversight and overall security, HITECH also provides a specific framework and a protocol for patient information breaches.
HITECH Notification of Breach
The HITECH Act imposes data breach notification requirements for unauthorized uses and disclosures of “unsecured PHI (protected health information).”
The notification requirements mirror many existing state data breach laws that cover the broader category of personally identifiable financial information, such as credit card and banking information. Unencrypted patient health information, which can be read by anyone who can see the data, is typically considered unsecured.
In general, the Act requires that patients be notified of any unsecured breach. If a breach impacts 500 patients or more, HHS must also be notified.
If you experience a breach, your company's name will be posted on the HHS website, and the agency can determine whether local or national media are notified of the breach. The posting will also share some broad details, such as whether the breach occurred externally or internally.
Electronic Health Record Access Updates: Patients Have a Right to EHRs
HITECH gives patients the individual right to see their health information in an electronic format, and they can designate a third party to receive that electronic document. You are only able to charge a fee that reflects the labor cost of fulfilling that electronic request.
This coverage applies to all providers who have an EHR system and will extend to many partners.
What Access Means for Your Business
If your company deals with EHRs, then you need the ability to transmit information quickly and securely. The problem is that many different EHR platforms are in place, and you have to rely on outside exchanges for some of that security.
So, you need to control that data and deliver it safely, or you face liability.
And, when the equipment’s life is over, you need to make sure the data that it stores does not fall into the wrong hands. You must destroy it and recycle it in a way that eliminates the risk of breach.
Business Associates and Agreements
The HITECH Act now applies certain HIPAA provisions directly to business associates. Previously, privacy and security requirements were imposed on business associates only in the contracts they had with entities covered by HIPAA.
So, if you provide support for medical facilities or practitioners and your system touches on an EHR, you must meet security guidelines as well. You are “on the compliance hook” now.
It is unclear exactly who will count as a business associate, but you should expect the law to be read fairly broadly. Software vendors will likely qualify, and IT professionals, technology specialists, hardware technicians, and many other IT vendors are expected to qualify as well.
Partners Must Look Beyond Basic Compliance
HITECH also requires that business associates report security breaches to covered entities consistent with the notification requirements mentioned above.
Associates can now be subject to civil and criminal penalties under HIPAA when breaches are large and other conditions are met.
You, as a care provider or a business associate, now share a joint responsibility that is more significant and riskier than before.
What About My Equipment?
The HITECH Act provides guidelines that build on HIPAA, but in many cases it defers to HIPAA for hardware and infrastructure requirements. This includes the use of equipment, refurbishing it, recycling it, and more.
To learn about the hardware and disposal requirements, see our HIPAA page here.
There’s one big thing we’d like to remind you from that page, right here:
Businesses such as Securis can be hired to dispose of protected health information
Healthcare organizations and medical facilities are allowed to hire third-party vendors to dispose of protected health information. There must be an agreement or contract that requires the vendor to safeguard the PHI through disposal. See 45 CFR 164.308(b), 164.314(a), 164.502(e), and 164.504(e).
It’s how we do our part, and we welcome a conversation with you about how you can do your part to protect your organization, customers, and even the environment.