In February 2009, President Obama signed the American Recovery and Reinvestment Act (ARRA). The stimulus bill covered a broad swath of policy meant to jumpstart American industry in the wake of the Great Recession. It also served as the vehicle for the most significant revision of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 since that law was signed by President Clinton: the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as Title XIII of Division A and Title IV of Division B of ARRA.
The fundamental purpose of HITECH was to push the American healthcare industry into the digital age and to better protect patients' privacy and the security of their confidential health information. But that is not all the bill sought to accomplish. Below, we walk through the main objectives and goals of HITECH.
Problems with HIPAA
As is so often the case with legislation, the HIPAA that President Clinton signed was not quite the sweeping healthcare reform that had originally been envisioned. Instead, it was a bipartisan compromise that addressed three key issues:
- Help workers who were in between jobs or had preexisting conditions obtain health insurance coverage.
- Create safeguards for private health information.
- Encourage healthcare providers to transition from paper record-keeping to digital record keeping.
Naturally, unforeseen issues cropped up, especially in regard to protecting electronic health records (EHR). To address them, HHS issued implementing regulations under HIPAA, including:
- HIPAA’s Privacy Rule
- HIPAA’s Security Rule
Despite these efforts, both providers and patients resisted the transition to electronic record keeping. Hospitals believed that it would create unnecessary paperwork, reduce efficiency, and increase the cost of service. Patients believed that little would be done to protect their private health information. Both groups turned out to be largely correct.
Despite the addition of the Privacy Rule and the Security Rule, very few civil penalties were levied against healthcare providers that were negligent, and (by the estimates this article relies on) fewer than 10% of healthcare entities voluntarily transitioned to electronic systems.
So, when Obama became president, his administration decided that the Government needed to step in and add revisions and better enforcement mechanisms to HIPAA.
This became HITECH.
Goals of HITECH: What You Need to Know
The HITECH Act goals were varied and complex. However, we can briefly summarize them:
- Eliminate loopholes by changing and/or clarifying language.
- Ensure that healthcare providers comply and are held accountable when they do not.
- Improve enforcement mechanisms for violations.
- Encourage more healthcare providers to adopt EHR systems.
Although you can speak generally as to HITECH’s desired objectives, it’s much more informative to carefully peruse the bill point by point. By briefly addressing each key section, you’ll gain a clearer understanding of what the Obama administration was attempting to rectify or improve.
Subtitle A – Promotion of Health Information Technology
Part 1 – Improving Healthcare Quality, Safety, and Efficiency
The initial section of the HITECH Act was intended to address the changes needed in the healthcare industry and to encourage providers to adopt electronic record systems. The essential section is:
- Section 13101; ONCHIT; Standards Development and Adoption – Codified in statute (as new Title XXX of the Public Health Service Act) the Office of the National Coordinator for Health Information Technology (ONC, sometimes written ONCHIT), an office within Health and Human Services that had previously existed only by executive order. The National Coordinator is responsible for promoting the development of a nationwide health IT infrastructure that supports digital record keeping and the electronic exchange of health information. The office's charter was meant to accomplish the following:
- Set standards for electronic exchange and use of private health information.
- Foster the safety and security of patient health information.
- Improve healthcare quality.
- Reduce medical errors.
- Decrease healthcare disparities.
- Decrease healthcare costs that result from errors, bad information, or inefficiencies.
- Facilitate coordination between hospitals and other covered entities.
Part 2 – Application and Use of Adopted Health Information Technology Standards
Part 2 of HITECH was created to drive the Federal Government and its contractors toward a universal set of technology standards, which in turn makes compliance easier for everyone who exchanges data with them. Important sections include:
- Section 13111; Coordination of Federal Activities with Adopted Standards and Implementation Specifications – Any Federal agency that implements, acquires, or upgrades health IT systems for the direct exchange of health information with non-Federal entities must use, where available, systems or products that meet the standards and implementation specifications adopted under section 3004 of the Public Health Service Act. Section 13111 also required Federal health information collection activities to be consistent with those standards and implementation specifications.
- Section 13112; Application to Private Entities – Every Federal agency was required to include terms in its contracts and agreements with health care providers, health plans, and health insurance issuers requiring that, as each of them implements, acquires, or upgrades health IT systems, it uses systems and products that meet the adopted standards and implementation specifications.
- Section 13113; Study and Reports – Within two years of HITECH's enactment, the Secretary of HHS was required to report to Congress on:
- Actions taken by the Federal Government to encourage the adoption of a nationwide, electronic health records storage and exchange system.
- Barriers that prevented or slowed this adoption.
- Recommendations for fully establishing a nationwide system.
- Methods used to facilitate an optimal reimbursement incentive system for improving healthcare quality.
- New aging services technologies meant to improve the lives of seniors and patients with disabilities.
- Ways to identify current, emerging, and future health IT that can be used to improve people's healthcare.
Subtitle B – Testing of Health Information Technology
The goals of Subtitle B were simple: to find ways to efficiently gauge the efficacy of new health information technology. It consisted of two sections:
- Section 13201; National Institute of Standards and Technology Testing – Directed the Director of the National Institute of Standards and Technology (NIST) to test adopted standards and implementation specifications, as appropriate, to assure their efficient implementation and use. It also directed NIST to support a voluntary testing program and a conformance testing infrastructure, including technical test beds.
- Section 13202; Research and Development Programs – Directed the Director of NIST, in consultation with the National Science Foundation and other agencies, to establish a program of assistance to institutions of higher education to form multidisciplinary Centers for Health Care Information Enterprise Integration. The goals of these centers were to:
- Generate innovative approaches to implementing and integrating healthcare information technologies.
- Conduct multidisciplinary research on the systems challenges of healthcare delivery and encourage the development of new healthcare technology.
Merit-based grants and funding would be awarded to centers that successfully accomplish these aims.
Subtitle C – Grants and Loans Funding
Subtitle C outlines the planning, implementation, and use of grant and loan funds to promote health information technology. Its primary section is:
- Section 13301; Grant, Loan, and Demonstration Program – Delineated the various programs meant to ensure a proper rollout and encourage the adoption of new technology. Mechanisms include:
- The Health Information Technology Extension Program.
- Health Information Technology Research Center.
- Health Information Technology Regional Extension Centers.
Subtitle D – Privacy
As to the specific HITECH Act goals, Subtitle D contains the most critical updates to HIPAA and the ones with the largest impact on the general public. It addresses many of the privacy and security issues that HIPAA and its implementing rules covered inadequately.
It contains several crucial sections:
- Section 13401; Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions – Under HIPAA as originally implemented, business associates were bound only by contract with the covered entity and were not directly liable under the Security Rule. Section 13401 applied the Security Rule's administrative, physical, and technical safeguard requirements and its policies-and-documentation requirements directly to business associates, so that they, like covered entities, face penalties in their own right.
- Business associates that violated security provisions would face the same civil and/or criminal penalties as would a covered entity that violated the same security provision.
- The Secretary of HHS would issue annual guidance on the best practices for safeguarding private health records.
- Section 13402; Notification in the case of Breach – One of the primary goals of the HITECH Act is to create more transparency and accountability, especially in cases of data breaches. Covered entities that access, maintain, use, or disclose unsecured protected health information (PHI) were required to notify the individuals affected by a breach, and business associates were required to notify the covered entity. "Unsecured" PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method specified in HHS guidance; in practice that means encryption or destruction, so properly encrypted data that is lost or stolen is outside the notification requirement. The notification requirements are:
- Affected individuals must receive written notification without unreasonable delay and in no case later than 60 calendar days after the breach is discovered, describing what happened, what kinds of information were involved, what the individual should do, what the entity is doing about it, and how to contact the entity.
- Prominent media outlets serving a State or jurisdiction must be alerted when more than 500 residents of that State or jurisdiction had their unsecured PHI accessed, acquired, or disclosed.
- The Secretary of HHS must receive notice of the breach immediately if 500 or more individuals were affected; smaller breaches may be logged and reported to the Secretary annually.
- The Secretary posts a public list of the covered entities involved in breaches affecting more than 500 individuals on the HHS website.
- Section 13403; Education on Health Information Privacy – Required the HHS Secretary to designate an individual in each HHS regional office to provide guidance and education to covered entities, business associates, and individuals about their rights and responsibilities under the Federal privacy and security requirements.
- Section 13404; Application of Privacy Provisions and Penalties to Business Associates of Covered Entities – Set out standards that a covered entity or business associate must follow in order to use or disclose protected health information. Business associates that violated provisions would be vulnerable to the same civil and criminal penalties as outlined in previous sections.
- Section 13405; Restrictions on certain disclosures and sales of health information – Required a covered entity to honor an individual's request not to disclose PHI to a health plan for payment or operations purposes when the individual paid for the item or service out of pocket in full; prohibited the sale of PHI without the individual's authorization, subject to limited exceptions (such as public health, research, treatment, and disclosures required by law); tightened the "minimum necessary" standard; required covered entities using EHRs to account for disclosures made for treatment, payment, and operations; and gave individuals the right to obtain an electronic copy of their records held in an EHR.
- Section 13406; Conditions on certain contacts as part of health care operations – Stipulated that a communication by a covered entity or business associate that encourages the recipient to buy or use a product or service is not treated as "health care operations" (and so requires the individual's authorization) when the covered entity is paid to make it, with narrow exceptions such as communications about a drug the individual is already prescribed. Fundraising communications must give the individual a clear and conspicuous opportunity to opt out.
- Section 13407; Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities – Vendors of personal health records (PHRs) that are not HIPAA covered entities, and related entities that offer products or services through them, must do the following after discovering a breach of unsecured PHR identifiable health information (third-party service providers to such vendors must notify the vendor):
- Notify each individual whose information was acquired without their express authorization.
- Alert the Federal Trade Commission (FTC) of the breach.
As the statute puts it, "A violation shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices." The FTC enforces this requirement through its Health Breach Notification Rule.
- Section 13410; Improved Enforcement – One of the predominant issues with HIPAA was a lack of enforcement. HITECH clarified the rules and then applied more stringent penalties to violators. It required the Secretary to formally investigate complaints and impose penalties where a violation is due to willful neglect, allowed State attorneys general to bring civil actions on behalf of their residents, and directed that collected penalties fund further enforcement. Section 13410 also established a tiered civil penalty structure for covered entities and business associates. The per-violation amounts are statutory minimums, the annual caps apply to violations of an identical requirement within a calendar year, and both have since been adjusted for inflation:
- Tier 1 – The person did not know (and by exercising reasonable diligence would not have known) of the violation. At least $100 per violation, with an annual cap of $25,000 for identical violations.
- Tier 2 – The violation was due to reasonable cause and not willful neglect. At least $1,000 per violation, with an annual cap of $100,000.
- Tier 3 – The violation was due to willful neglect but was corrected within 30 days of the date the person knew, or should have known, of it. At least $10,000 per violation, with an annual cap of $250,000.
- Tier 4 – The violation was due to willful neglect and was not corrected within 30 days. At least $50,000 per violation, with an annual cap of $1,500,000.
- Section 13411; Audits – Required the Secretary of HHS to conduct periodic audits to confirm that covered entities and business associates are complying with the privacy and security requirements.
HITECH in Summary
HITECH's goals are simple:
- Encourage more healthcare providers to switch to EHR systems.
- Safeguard protected health information.
- Enforce penalties on violators and those found to be in noncompliance.
A decade later, we can say that the law was largely a success. Nearly all hospitals and most physician practices now use certified EHR systems. Breaches are no longer hidden: those affecting 500 or more people are publicly listed on the HHS breach portal, affected patients must be told, and covered entities and business associates are subject to corrective action and financial penalties.
RSI Security is a full-service HIPAA compliance assessor and advisory company that has been helping healthcare entities achieve compliance for over a decade. If you want an expert HITECH partner and consultant, the professional team at RSI Security is ready to assist.
Sources
Stark, P. AJMC. Congressional Intent for the HITECH Act. (2010). https://www.ajmc.com/journals/supplement/2010/ajmc_10dec_hit/ajmc_10dechit_stark_sp24tp28?p=1
HIPAA Survival Guide. HITECH Act Summary. https://www.hipaasurvivalguide.com/hitech-act-summary.php
HITECH Act. Public Law 111-5 (2009). https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf
United States Code. 42 U.S.C. 17937. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities (HITECH Act section 13407). https://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title42-section17937&num=0&edition=prelim