From 1996 to 2009, U.S. healthcare organizations operated under a strict regulatory act known as HIPAA. HIPAA, or the Health Insurance Portability and Accountability Act, was intended to protect patient health data, make health insurance affordable, and simplify hospital administrative procedures.
As the years progressed, loopholes arose, electronic systems (which were supposed to be incorporated) were ignored, and the U.S. healthcare infrastructure was in jeopardy of falling behind. Not to say that HIPAA was a failure, but after 13 years in operation, it was in desperate need of an update. In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH) to give HIPAA the update it needed. HITECH closed loopholes and encouraged the adoption of electronic health records by enforcing stricter guidelines and increasingly high noncompliance fees.
Now, to avoid facing penalties, healthcare providers and subsidiary companies must be HITECH compliant. But what does that entail? Read ahead to find out.
Understanding HIPAA Compliance
Before you ask, “What is HITECH compliance?” you have to understand what HIPAA compliance is first. HIPAA compliance was defined under the HIPAA Privacy Rule, which determines how to use and disclose a patient’s protected health information (PHI). The requirements and regulations of HIPAA-covered entities included:
- Data security – It is a patient’s right to have their PHI protected and secured. Their medical records, medical history, and other relevant information cannot be shared, altered, or destroyed unless in accordance with HIPAA guidelines.
- Risk analysis and management – HIPAA-covered entities are also required to perform a risk analysis regularly as a part of security management to ensure their systems are updated and protected.
- Safeguards – Administrative, physical, and technical safeguards are part of HIPAA compliance. These cover broad sections of healthcare-related work from hiring security personnel to installing specific software.
Problems with HIPAA
Although HIPAA laid the groundwork for future healthcare improvements, it wasn’t comprehensive enough to make significant changes. The problems with HIPAA included:
- Technological issues – HIPAA was created in 1996, before the mass adoption of computers everywhere. This meant it was insufficient for regulating electronic privacy and security measures.
- Technical loopholes – In the past, business associates of HIPAA-covered entities were able to escape many of the intended regulations due to loopholes in the system.
- Lenient fees – The penalties associated with noncompliance weren’t sufficient to alter certain privacy methods.
Then Came the HITECH Act
To help fix these problems, the HITECH Act was split into four subtitles:
- Subtitle A—Promotion of Health Information Technology – The first part of the act deals with the creation of the new electronic healthcare infrastructure, including the adoption of electronic health records (EHRs). The idea is to make a national standard of healthcare quality, safety, and efficiency. The second part deals with the application of these adopted standards (how to coordinate them with the federal government and private entities).
- Subtitle B—Testing of Health Information Technology – These standards of health information technology must be further researched. This section of the HITECH Act involves who can apply for grants and funding to be a part of this testing. Institutions of higher education, nonprofit entities, and federal laboratories may receive grant funds to conduct research on healthcare delivery and health information technologies.
- Subtitle C—Grants and Loans Funding – This section outlines how the grant and loan funds are to be used, who ensures that the funds are being used properly, and what standards for health information technologies are to be met.
- Subtitle D—Privacy – The fourth subtitle deals with improved security and privacy provisions, the relationship of these to other laws, and the effective dates. This section also deals with non-HIPAA covered entities, ensuring that they are held to the same regulations and standards.
Objectives of HITECH
One of the major reasons why the HITECH Act came to be was the dramatically slow adoption of electronic health records. Prior to 2008, before this act was proposed, only about 11.8% of office-based physicians had basic EHRs set up. That meant nearly 9 out of every 10 doctors were still using paper documents to record patient medical history, past treatment, and all other healthcare-related information.
This posed a huge problem in the coming digital age. By 2007, the first iPhone had been released. People were able to access the internet from a device in their pocket, yet 90% of them couldn’t receive access to digital health records.
As computers became central players in every sector, healthcare needed an incentivization program to adopt EHRs. Providing one was one of the objectives of HITECH. However, it wasn’t the only one; the other objectives include:
- Removing loopholes from HIPAA
- Ensuring that non-HIPAA covered entities, including the business associates of healthcare providers, comply with HIPAA rules and regulations
- Notifying patients when privacy and health information are compromised
- Enforcing tougher penalties attached to HIPAA compliance failures
What is HITECH Compliance?
In order for healthcare providers and their associates to avoid the massive fees attached to HITECH HIPAA violations, they need to be compliant. Be sure you’re up to date on the following five branches of HITECH compliance:
- Meaningful Use Program
- Business Associates HIPAA Compliance
- Breach Notification Rule
- Willful Neglect and Auditing
- HIPAA Compliance Updates
Meaningful Use Program
Part of the HITECH Act funds went to incentivizing the adoption of EHRs. With this, the Department of Health and Human Services created the Meaningful Use Program where healthcare providers would receive monetary incentives if they adopted EHRs and put them to use in a meaningful way.
According to the CDC, the concept of meaningful use is determined by five health outcomes:
- Improving the quality, safety, and efficiency of patient care while reducing health disparities
- Informing patients and their families of health and health concerns
- Improving health care coordination
- Improving public healthcare
- Ensuring security and privacy protection for ePHI (electronic protected health information)
What meaningful use looks like in practice could be:
- Ordering prescription medicine online
- Transferring medical records and patient history between hospitals, insurers, and other healthcare providers
- Viewing the results of medical tests online
- Communicating with physicians online
Incentives and Reductions
If meaningful use could be proven by 2011, HITECH would offer incentives ranging from $44,000 for Medicare healthcare providers to $63,750 for Medicaid providers. This helped promote the proliferation of EHRs and cover the burden of implementation. These incentives lasted five and six years, respectively, and dramatically shifted how patient records were kept. By 2015, 77.9% of office-based physicians had certified EHRs — “certified” implying meaningful use.
After 2015, healthcare providers who did not comply with the Meaningful Use Program would see a reduction in their Medicare and Medicaid fees. This would start at a 1% reduction and build up to 3% by 2017.
Business Associates HIPAA Compliance
Back in 1996, when HIPAA was first passed, business associates of healthcare providers had a contractual obligation to follow compliance regulations. However, this was easily dodged. Business associates were able to throw their hands up and claim that they didn’t know the healthcare provider wasn’t HIPAA compliant.
Unfortunately, this placed millions of patients’ healthcare information at risk. Without any privacy and security regulations overseeing the business associates, there was no liability to protect ePHIs.
With the HITECH Act, the HHS laid out strict requirements for business associates and made them liable for HIPAA violations, including (but not limited to):
- Failure to meet data and information security standards
- If a data breach occurs, failure to report it appropriately
- Retaliating in any way against individuals who file a HIPAA complaint
- Failure to cooperate with complaint and compliance reviews
Data Breaches and The Breach Notification Rule
While the effort of the HITECH Act to increase the number of EHRs was successful, the downside quickly became apparent: more data and information breaches. There was more information being stored on computers per patient and more entities storing information in general. This meant that the number of data breaches and security failures was going to rise.
HITECH reined in this problem in two ways. The first was to increase security provisions to match the current age and to raise the penalties for noncompliance. It’s no surprise that in 1996, Congress didn’t have the technical know-how to prevent computer data breaches 13 years down the road. By increasing the penalties for breaches, healthcare providers now have to keep up with modern encryption and security technology to avoid being subject to fines.
The second way HITECH addressed this problem was with the Breach Notification Rule.
Breach Notification Rule
Now, under the Breach Notification Rule, healthcare providers and their business associates must inform affected individuals when their data has been breached. How they notify the public depends on the size of the breach.
If the breach affected fewer than 500 people, the entity must notify individuals within 60 days with a letter that explains the size and type of breach. It must be sent through first-class mail and provide the following information:
- The types of ePHI that were compromised
- The measures being taken to address security issues and to prevent future breaches
- What the individual can do to reduce the negative consequences of the breach
If the breach involves 500 or more patients, additional steps must be taken by the healthcare entity.
- They must inform the HHS within 60 days of discovering the breach.
- They must also inform a “prominent media outlet,” one that serves the affected jurisdiction (e.g., if a breach happened in Florida, they can’t notify The Denver Post).
Preventing Data Breaches
Today, preventing data breaches is becoming increasingly difficult. With the number of breaches annually surging tenfold since 2005, security remains a constant challenge. The easiest way to protect your organization is to work with a company whose main focus is security.
RSI Security can evaluate your current data security processes and identify where gaps or holes are in your system. From there, RSI Security can update your guidelines to fit all HIPAA requirements and help prepare for an OCR audit should one arise. The specific compliance rules covered are:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HIPAA Breach Notification Rule
Willful Neglect and Auditing
The HHS’s Office for Civil Rights (OCR) created an audit program to ensure that HIPAA-covered entities (including their business associates) are keeping up to date on all HIPAA-compliant policies. Within this, they created a tiered penalty system that revolves around “willful neglect.”
Willful neglect divides cases into intentional and unintentional violations of HIPAA regulations. The penalties and fines increase due to willful neglect on the following tiered system:
- Tier A – When the offender was unaware they were violating the HITECH HIPAA Act, the resulting fine is minimized to $100 per violation, not to exceed $25,000 annually. These are honest mistakes that can be corrected within 30 days.
- Tier B – When violations are due to reasonable cause, the penalty increases to $1,000 per violation with a maximum of $100,000 for the year. These cases also do not fall under “willful neglect.”
- Tier C – When willful neglect is suspected and violations occur, the healthcare provider or business associate has 30 days to correct their violations. The resulting fines are $10,000 per violation, up to a total of $250,000 per year.
- Tier D – When violations are due to willful neglect and are not corrected, the resulting fees are $50,000 per violation up to a total of $1,500,000 for the year.
HIPAA Compliance Updates and Harsher Penalties
The final purpose of HITECH was to close HIPAA loopholes and to inflict harsher penalties for noncompliance. Before HITECH, the fines were significantly less, and it would sometimes be cheaper to pay the fee than to change and update security. This allowed large entities to ignore HIPAA compliance.
Now, depending on the level of negligence of a given case, the U.S. Justice Department can impose significantly larger fees and even imprisonment. The maximum sentencing is up to 10 years.
Keeping Up With HITECH Compliance
As EHR systems become increasingly complex, the number of ways a system can be compromised also increases. To retain your patients’ trust and to avoid costly HIPAA and HITECH fees, you must be able to secure their ePHI. But as a healthcare provider, your priority should lie in top-quality patient care, not data security.
Working with RSI Security can help. By integrating cutting-edge security tools to avoid data breaches and ensure patient privacy, you can focus on what matters most: the patient’s health.
Sources:
HIPAA Survival Guide. HITECH Act. http://www.hipaasurvivalguide.com/hitech-act-text.php
Health IT Dashboard. Office-based Physician Electronic Health Record Adoption. https://dashboard.healthit.gov/quickstats/pages/physician-ehr-adoption-trends.php
HHS. Direct Liability of Business Associates. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html
CDC. Public Health and Promoting Interoperability Programs (formerly known as Electronic Health Records Meaningful Use). https://www.cdc.gov/ehrmeaningfuluse/introduction.html
HIPAA Survival Guide. HIPAA Omnibus Rule. http://www.hipaasurvivalguide.com/hipaa-omnibus-rule.php
HHS. HHS Strengthens HIPAA Enforcement. https://wayback.archive-it.org/3926/20131018161347/http://www.hhs.gov/news/press/2009pres/10/20091030a.html
Statista. Annual number of data breaches and exposed records in the United States from 2005 to 2018 (in millions). https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/