The Health Information Technology for Economic and Clinical Act (HITECH) focuses on the transition of paper healthcare files to electronic reports, making it easier for patients to access their records. The act also covers protected health information (PHI) by requiring healthcare organizations and their third-party associates to be HIPAA compliant. Prior to the HITECH Act healthcare organizations could avoid fines due to non-compliance but this has changed. Now, organizations and their third-party associates are required under the HITECH Act to meet all HIPAA compliance rules.
However, before healthcare organizations can start addressing issues that may affect their ability to meet compliance regulations, they first need to understand what the HITECH Act is.
What is the HITECH Act?
The HITECH Act was passed in 2009 and is part of the American Recovery and Reinvestment Act. The act encourages healthcare organizations to transition from paper patient records to electronic ones. It uses financial incentives that help offset the cost of implementing an electronic records system. The act also increases the penalties for healthcare and third-party organizations that are not in compliance with HIPAA security requirements.
How HITECH helps organizations meet HIPAA compliance regulations is by mandating security audits of the standards and protocols implemented to protect patients’ privacy and health information. The HITECH Maturity Model sets the areas and controls that are then scored to determine compliance. The goal of the assessment is to protect the patient’s privacy, while also making it easier for records to be shared between different healthcare providers.
The HITECH Act supports and requires healthcare organizations to follow the security requirements set down by the HIPAA Act. This includes the security of patients’ privacy and health information. A HITECH compliance checklist will help organizations meet HIPAA requirements.
HITECH Compliance Checklist
The primary goal of HITECH is to encourage healthcare organizations to adopt electronic records, while also increasing security safeguards. To do this, HITECH has three meaningful use phases. Each phase deals with the deployment of EHRs, and the security measures the organization has in place.
The requirements for phase 1 vary depending on the type of healthcare profession or organization. For example,
- Healthcare professionals are required to meet the 15 core objects, 5 “menu” objectives, and 6 CQMs (Clinical Quality Measures).
- Hospitals must meet 15 core, 5 menu, and 15 CMQ objectives.
- Private healthcare providers are exempt from any of the objectives that do not apply to their profession.
The purpose of meeting the phase one requirements is to increase the quality of medical care by ensuring EHRs are up-to-date and security protocols are properly implemented. The first phase is designed to explain the technology the HITECH Act requires, along with the standards that must be met for organizations to be in compliance.
The second phase of the HITECH compliance checklist covers EHRs and electronic security. Often healthcare organizations turn to a certified CSF firm like RSI Security to help them implement the necessary protocols. For HITECH compliance healthcare organizations need to,
- Have support for five or more clinical decisions.
- Over 60 percent of prescriptions and 30 percent of radiology and lab orders need to be recorded in the appropriate electronic patient records.
- Over 50 percent of prescriptions need to be transmitted.
- Care records need to be transmitted when patients transfer to another healthcare provider.
- Organizations must provide “patient-specific” information to over 10 percent of their patients.
- A verified accurate list of medications patients take when they’re transferred must be compiled.
- Patients must have access to their electronic health records.
- Organizations must provide patients with a secure way to communicate online.
- Immunizations and other public health data must be tracked.
Like phase one, the second phase of HITECH also covers the quality of patient care, but its main goal is to protect a patient’s health information by ensuring security protocols are in place.
The third phase of HITECH is to continue to improve healthcare with the use of EHRs and the security protocols needed to protect patients’ privacy.
- Have rigorously tested security in place, while also keeping patient health records up-to-date in a timely manner.
- Patients have a secure network to access their health information.
- High priority concerns are addressed, including any protocols that must be implemented for compliance.
- All third-party associates must be HIPAA certified if these entities have access to PHIs (protected health information).
- Improve healthcare by making patient records readily visible to other authorized personnel.
All three phases build off each other. Phase One covers necessary preparations for compliance, and the second phase is designed for proper implementation and training for healthcare personnel. The third phase ensures that all the measures and protocols are operable and in place. It also makes sure that healthcare and third-party associates are familiar with the standards.
Once healthcare organizations meet the requirements in phases one, two, and three the next step for HITECH compliance is to be HIPAA certified.
HITECH and HIPAA Compliance
In order to be HITECH compliant, organizations must be HIPAA certified. The two acts work together to improve healthcare and protect patient information, as stated in the Omnibus Rule. HITECH encourages the use of EHRs while promoting the security protocols required by the HIPAA Act. How HITECH and HIPAA compliance works together is outlined in the following rules.
Breach Notification Rule
The 1996 HIPAA Act only required patients to be notified if the organization covered by HIPAA saw a threat to the party whose protected health information (PHI) was breached. HITECH strengthened this by requiring that any PHI breach be reported to the patient and HHS (Department of Health and Human Services). If the security breach warrants it, the media might also be required to be notified.
Determining when a breach notification is needed often depends on the following factors,
- Any exception to the breach rules
- If the patient is at risk
- The PHI (protected health record) was improperly disclosed or used
If any of these factors apply, a breach notice must be given. If an organization has never had to give one, these are the steps that need to be taken.
- The organization must notify the patient
- If the breach occurred at a third-party site, the associates must notify the organization
- It cannot take longer than 60 days from the time of the breach to notify the patient
- The breach incident must be logged
- If protected health information is involved in the security breach, an assessment must be conducted
If protected health information is not encrypted it is considered unsecured. This data is often destroyed for the patient’s protection if it is,
If data is destroyed for these reasons notifications are not required. The destruction of the unsecured data meets HITECH and HIPAA guidelines, as long as it was properly destroyed. Paper documents must be shredded and disposed of through proper authorities. If the data is already in an electronic format, there are protocols that cover how it is to be destroyed. When a notification is required organizations must have documentation. This includes documenting the security measures taken to prevent another data breach.
The HITECH Act went on to expand the HIPAA requirements for compliance to include all businesses that use, process or store PHIs. This means that third-party business associates are liable for any security breaches or not being HIPAA compliant. To meet compliance standards, organizations and their associates must have a security strategy that covers all required aspects.
HITECH Compliance and Business Associates
As previously mentioned, HITECH strengthened the rules and penalties for not being in compliance with HIPAA regulations. This affects business associates of healthcare organizations. According to HITECH guidelines that enforce HIPAA compliance, the security of protected health information will be the shared responsibility of the organization/provider and third-party associates.
This responsibility was extended due to the increase in third-party vendors working with PHIs and the growing number of HUBs where patients and healthcare providers can access protected patient information. IT personnel that implement security protocols or have access to PHIs due to inputting accurate patient data must be HIPAA certified. If not, the organization will be non-compliant and could be fined. They might also be required to notify all patients that had health information viewed by personnel not HIPAA certified. This can leave the organization open to civil suits filed by the affected patients.
In summary, HITECH eliminated the loopholes that allowed organizations and their third-party associates to avoid penalties for non-compliance.
Penalties for HITECH Non-Compliance
The penalties for non-compliance have changed. The HITECH Act effectively strengthened HIPAA requirements by increasing maximum penalty amounts and ensuring that all third-party associates were not exempt. To ensure fairness when assessing penalties, HHS created four categories or tiers for HIPAA violations. Each category has a minimum and maximum fee based on the frequency and severity of the violation.
Tier 1: The organization exercised reasonable diligence and did not know that the third-party associate was not in compliance or was violating regulations.
Tier 2: There was a reasonable cause for the security violation, it was not due to neglect by the organization or associate.
Tier 3: Willful neglect caused the violation but it was corrected in a timely manner.
Tier 4: The violation was due to willful neglect and not quickly corrected.
The penalties for the violations are assessed by the Department of Health and Human Services. Maximum fines begin at $25,000 and can go as high as $1.5 million depending on the severity of the security violation. In 2015, legislation was passed that allows HHS to adjust the fines according to current inflation rates.
Higher penalties for violations are increasing the number of healthcare organizations and their associates that are in compliance with HITECH and HIPAA, but there are security problems that fines and technology cannot resolve.
Maintaining HITECH Compliance
Implementing security protocols is the first step in HITECH and HIPAA compliance, but technology cannot resolve all the problems healthcare organizations face. A strong encryption algorithm is only as good as the passwords employees use. Wireless encryption has made it more difficult for the same keys to be used repeatedly in a password, but this doesn’t stop employees from creating one that could be easy to hack. Weak passwords are one of the main reasons for security breaches.
To prevent security breaches, medical organizations need to combine assessments along with employee and patient feedback, with their technology policies. Frequent monitoring and feedback can help to maintain security on all levels. Organizations also need to have safeguards in place outside of their IT security. This includes preventing patients from accessing PHI from a doctor’s or hospital computer.
Security keycards for employees can limit unauthorized access to computer systems preventing a breach. If a breach occurs due to a patient’s unauthorized access to health records, the extent of the security lapse will determine if notification is needed. If it does require a security breach notification, the organization could be penalized. However, it would only classify as a tier-one penalty.
The most effective way to maintain security compliance requirements is with constant monitoring and routine self-assessments. A self-assessment will highlight any area or control that presents a security risk. This gives organizations the chance to resolve the issue before it becomes a potentially expensive problem. Healthcare providers also need to remember that maintaining their HITECH compliance is also dependent on their third-party associates if used.
The HITECH Act has made it easier for patients to access their health information by encouraging healthcare providers to use electronic records. This has made it easier for healthcare providers to share patient information as needed. However, this has come at a risk. With PHI digitized, hackers can attempt to breach the security protocols accessing private health data. In order for organizations to be HITECH compliant, they must meet HIPAA security requirements. This is when many healthcare organizations turn to a professional IT firm.
RSI Security is available to answer any questions about HITECH compliance. Their experts can also implement protocols that will provide the security needed to meet the requirements necessary for compliance.