The HITECH Act changed how patient health information is processed and stored. It encourages healthcare organizations to move from paper to electronic records and to give patients access to those records in a secure online environment. It also amended HIPAA and how its rules are enforced. In short, HITECH made it easier for patients to get their records while tightening, and adding teeth to, the security and privacy requirements that protect them.
That is the short version; there is more to understanding HITECH, its goals, and what it requires for compliance. This guide covers what healthcare organizations, business associates, and patients need to know about the HITECH Act.
What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted in 2009 as part of the American Recovery and Reinvestment Act, the federal stimulus package. Sometimes referred to as HIPAA 2, the act has several goals that address technology and security. One is to encourage healthcare organizations to adopt health IT, especially electronic health records. The other is to strengthen HIPAA compliance and enforcement, especially where business associates are concerned.
The HITECH Act is designed for patients. It encourages healthcare organizations to move from paper to electronic patient records. The cost of doing so often made organizations reluctant to switch, but HITECH funds incentive payments that offset the expense. Electronic records are easier for patients to access and easier to share between providers, which can improve patient care.
HITECH also works with HIPAA. It makes business associates directly responsible for complying with the HIPAA rules. Previously, enforcement was weak enough that non-compliance carried little financial risk, and a covered entity could point to a non-compliant associate when a violation occurred; protected health information could be breached without meaningful repercussions. HITECH closed these gaps by extending HIPAA's Security Rule and parts of its Privacy Rule directly to business associates and by raising the penalties for all parties. With HITECH, patients have access to their information and stronger protection against its misuse.
HITECH Compliance Rules
HITECH encourages healthcare organizations to move to electronic patient records, but it also emphasizes the need for adequate security. This is where HITECH strengthens HIPAA. HITECH compliance presupposes HIPAA compliance; note that HHS does not issue a HIPAA "certification", so compliance is demonstrated through documented policies, risk analyses, and implemented controls rather than a certificate.
For an organization to be compliant, several data components are assessed for security, incident response, and maintenance. The following HITECH compliance rules apply to healthcare organizations and to any business associate that handles or stores patient protected health information. This includes billing companies and claims clearinghouses.
One of the primary HITECH rules is the Breach Notification Rule. A breach is the unauthorized acquisition, access, use, or disclosure of unsecured protected health information (PHI) that compromises its security or privacy. Before HITECH, organizations were under no federal obligation to tell patients that their information had been exposed. Now, organizations must notify every affected individual without unreasonable delay and in no case later than 60 days after the breach is discovered (discovery, not occurrence, which matters when a compromise goes undetected for months). If the breach affects 500 or more individuals, the Department of Health and Human Services (HHS) must be notified within the same 60-day window, and prominent media outlets serving the affected state or jurisdiction must be notified as well.
The breach notification rule also includes the following requirements.
- Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered.
- A business associate must notify the covered entity when a breach occurs on its systems or at its facility.
- The covered entity is responsible for notifying the affected patients.
- Affected patients must be notified by first-class mail. Email can be used instead only if the individual has already agreed to receive such notices electronically.
There are exceptions, even where an unauthorized disclosure occurred. PHI that was encrypted in line with HHS guidance, so that it is unreadable to whoever obtained it, is not "unsecured" PHI and does not trigger notification, provided the decryption key was not exposed along with the data. Also excepted are unintentional, good-faith access by a workforce member acting within their authority, and inadvertent disclosures to another person at the same organization who is authorized to access PHI, as long as the information is not further used or disclosed. The original 2009 interim rule let organizations skip notification if they judged the risk of harm to be low; the 2013 Omnibus Rule replaced that harm threshold with a presumption that any impermissible use or disclosure is a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised. A remaining weakness is that the organization that suffered the breach performs that assessment itself, though it bears the burden of proof if HHS reviews the decision.
HITECH also requires and funds periodic HHS audits of covered entities' and business associates' compliance with the HIPAA Privacy, Security, and Breach Notification Rules. These audits are not triggered by a breach; they simply assess whether the organization is meeting the rules. Organizations selected for audit must cooperate.
Minimum disclosure rule
HITECH reinforces HIPAA's minimum necessary standard, which limits the use and disclosure of a patient's protected health information to the minimum needed for the purpose at hand. The intent is to reduce exposure: the less data that moves, the less that can leak. It also ties in with the marketing rule.
Marketing compliance rule
HIPAA previously left room for providers to accept payment from third parties for communications promoting those parties' products, because such communications could be framed as healthcare operations. HITECH prohibits the sale of PHI without the patient's written authorization and treats paid promotional communications as marketing that requires authorization. The main exception is communications about a drug or biologic the patient is already prescribed, such as refill reminders, and even there any payment the provider receives must be reasonably related to the cost of making the communication. These provisions were finalized by the 2013 Omnibus Rule.
As previously stated, HITECH compliance rules center around patients and security regarding the sharing and storage of their protected health information. Organizations that aren’t compliant face stiff penalties under the HITECH Act.
Penalties for HITECH Non-Compliance
Before HITECH, penalties were low enough that covered entities could treat them as a cost of doing business, and business associates were not directly liable at all. HITECH made both directly liable and introduced four penalty tiers based on the organization's culpability and its response. Fines run from $100 per violation, for a violation the organization could not reasonably have known about, to $50,000 per violation for willful neglect that is not corrected, with an annual cap of $1.5 million for repeated violations of the same provision (the dollar figures are adjusted for inflation each year).
The four tiers and their penalty ranges per violation are:
- Tier 1 – The organization did not know of the violation and would not have discovered it with reasonable diligence. $100 – $50,000 per violation.
- Tier 2 – Reasonable cause: the organization knew, or with reasonable diligence should have known, of the violation, but it did not amount to willful neglect. $1,000 – $50,000 per violation.
- Tier 3 – Willful neglect, but the violation was corrected within 30 days of the organization becoming aware of it. $10,000 – $50,000 per violation.
- Tier 4 – Willful neglect not corrected within 30 days. $50,000 per violation, up to the $1.5 million annual cap.
In practice, penalties near the minimum are reserved for first offenses and grow with each documented violation.
Within HHS, the Office for Civil Rights (OCR) enforces the Privacy, Security, and Breach Notification Rules. If an organization is found non-compliant, OCR determines the penalty, and HITECH also authorizes state attorneys general to bring civil actions on behalf of affected residents. HIPAA itself gives patients no private right of action, so they cannot sue under HIPAA directly. This stricter enforcement was one of the goals of the HITECH Act.
How to Meet HITECH Compliance Rules
To avoid costly penalties, healthcare organizations must comply with both HIPAA and HITECH. The starting point is HIPAA compliance: electronic patient records must be protected by the administrative, physical, and technical safeguards of the Security Rule. Organizations must have clearly documented security policies, implemented by staff who understand the technology, across all facilities and extended by contract to business associates.
The Meaningful Use program through which HITECH pays its EHR incentives was rolled out in three stages, each building on the last, with the end goal of giving patients secure online access to their records.
Phase 1: Stage 1 requirements depend on the type of provider. Not every objective applies to every provider; an objective that does not apply is excluded from that provider's count.
- Eligible professionals must meet 15 core objectives, 5 of 10 menu objectives, and report 6 clinical quality measures (CQMs).
- Eligible hospitals must meet 14 core objectives, 5 of 10 menu objectives, and report 15 CQMs.
The core objectives cover how patient data is recorded and kept current in the EHR, and the safeguards protecting it, including a security risk analysis.
Phase 2: The second stage raises the bar on how EHRs are used and on the security controls around them. Requirements include:
- At least 5 clinical decision support interventions must be implemented.
- More than 60 percent of medication orders and more than 30 percent of laboratory and radiology orders must be entered electronically through computerized provider order entry.
- When a patient is transferred or referred, a summary of care record must be sent electronically.
- A verified, accurate medication list must be reconciled and transferred with the patient at each transition of care.
- Patients must be able to view, download, and transmit their health information through secure online access. Paper copies can still carry a fee, which HIPAA requires to be reasonable and cost-based.
- Immunization data must be submitted to registries, and other public health data must be reported electronically.
Stage 2 also sharpens the security focus: each organization must conduct or review a security risk analysis that specifically addresses encryption of electronic PHI at rest, and must remediate the gaps it finds.
Phase 3: The third stage deals with interoperability: the ability to exchange health records with patients and other authorized professionals. It revisits the protocols from the first two stages for workability and improvement.
- Patient data can be exchanged through a health information exchange, with the organization monitoring the exchange's security.
- Data must be captured promptly and consistently so that it can improve patient outcomes.
- Clinical decision support and reporting must cover high-priority health conditions, and certified EHR technology must be in use across all facilities.
- Patients must have tools that help them manage their care, including exchanging information with other doctors and health professionals.
- Access to population and public health data must improve.
The third stage focuses on improvements to security and to patient access. It is also where the incentive payments that reward facilities for switching to electronic records are tied to full use of the system.
Meeting the standards outlined in the three stages, together with HIPAA compliance, is required for HITECH compliance.
HITECH compliance addresses many technical security problems, but human error remains. This is why routine risk assessments and regular maintenance are part of the requirements. Weak passwords on employee devices put the network at risk. A patient left alone with an unattended, unlocked workstation can open other patients' records, and that is a breach. Basic controls such as automatic screen locks, multi-factor authentication, and access logging help prevent these errors, and HITRUST CSF-certified firms like RSI Security can provide additional information.
How HITECH Affects Healthcare Workers
The HITECH Act affects healthcare professionals as well as patients. For patients it means easier access to their records, a ban on selling their information to marketers, and assurance that adequate security controls are in place. For healthcare organizations the effect is a little different.
The work of switching to electronic records and improving security falls on healthcare staff. Migrating paper records into electronic form takes time, and most clinical staff are not trained to implement security controls or build a patient portal.
This has created work for IT and security professionals, and HITECH makes business associates, whether individuals or organizations, directly subject to HIPAA's security requirements. This helps ensure that anyone with access to protected health information is obligated to keep it secure and out of reach of unauthorized individuals.
The act has also made it easier for healthcare professionals to share patient information with other authorized entities. This can improve a patient’s healthcare and help streamline treatment between different physicians.
HIPAA and HITECH Compliance
The 2013 HIPAA Omnibus Final Rule wrote HITECH's changes into the HIPAA regulations, so the two are now enforced as one set of rules. Under those rules a provider must meet HIPAA's requirements before it can be considered HITECH compliant. To stop organizations from treating non-compliance penalties as an acceptable cost, HITECH dramatically increased them.
To avoid penalties and stay HITECH compliant, ask RSI Security about an assessment. It identifies weaknesses and helps resolve them before they become a compliance issue.