When asked about the Obama administration’s efforts to reform the American healthcare system, most people will think of the Patient Protection and Affordable Care Act, also known as “Obamacare.” Many forget or fail to realize that a year prior to the ACA’s creation, Congress had already passed the largest healthcare reform measure in decades in the form of the Health Information Technology for Economic and Clinical Health Act (HITECH).
One of the reasons why HITECH’s addition went mostly unnoticed and unremarked is that it was a subsection of President Obama’s American Recovery and Reinvestment Act of 2009. Few realized that this stimulus package introduced sweeping changes to the healthcare industry that had far-ranging impacts on the relationship between patients and providers, especially pertaining to healthcare provider treatment of private health information.
Do you want to know what HITECH is in healthcare and how it protects your private information? Read on to find out.
The Genesis of HITECH
Before we can answer the question of “what is the HITECH Act,” you must first understand the factors and circumstances that contributed to its formation. In short, its reason for being was the result of questions and complications related to the relationship, or lack thereof, between medicine and technology. To better grasp the issue, it helps to remember the context of the time.
In the mid-2000s the digital revolution was sweeping across the world, changing it in ways never hitherto considered possible. Computer technology was not only becoming a daily facet of American life but business and industry as well. Digitization contributed to the following key changes:
- Revolutionized how jobs could be done.
- Fueled growth.
- Increased productivity.
- Changed how we communicate and share information.
- Altered how we store data.
As a result, the way things had always been done was now becoming obsolete. If you wanted to not just compete but thrive, you had to embrace the advantages made possible by the technological revolution.
Healthcare’s Initial Opposition to Change
One sector where this digital transformation was met with the fiercest resistance was the healthcare industry. Naturally, this might surprise you; it seems counterintuitive that a field focused on pushing boundaries, increasing knowledge, and improving treatment methodology would be the one to act like a Luddite. But, when you consider the fact that the practice of medicine was steeped in decades, if not centuries, of tradition, this resistance becomes less of a mystery.
In addition, the nature of the field of medicine in and of itself often acted as a barrier for investments. Factors for this included:
- Financial costs of changing standard practices.
- Workflow interruptions caused by adoption of new tech and procedures.
- Lack of standardized products.
- Problems with privacy and security.
- Payment policies that ignored input costs.
Despite this, many within the field soon realized that modernizing the outmoded health IT system was a necessary step, even if it resulted in some initial disadvantages. They posited that it would accomplish the following:
- Prevent medical errors that lead to unnecessary deaths.
- Make it easier to adapt to changes in medicine.
- Streamline the integration of new treatments into patient care.
- Simplify and categorize the deluge of information.
The Government’s Role
The Bush administration saw that it would take far too long for the market to naturally respond to technological change, and then course-correct. The government had to step in and encourage providers to embrace health IT and make improvements to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Its first action was the formation of the Office of the National Coordinator for Health Information Technology (ONCHIT). After that, Congress pushed two key bills meant to protect information, provide funding, and establish universal standards:
- Wired for Health Care Quality Act (S1693) – Established a national health information technology system. According to JACR, this measure “required that all federal information technology purchasers follow national standards and provide a number of financial grants to help providers purchase, implement, and keep current electronic health record systems and other components of a fully wired practice.”
- Protecting Records, Optimizing Treatment, and Easing Communication through Healthcare and Technology Act (HR 6357) – The PRO(tech)T Act was created to:
  - Determine standards, implementation, and certification for the exchange of health information.
  - Improve coordination and communication about health IT policy with other executive branch agencies.
The goal of these and subsequent policies wasn’t simply to change recordkeeping methods from physical copies to digital. Instead, it was about using novel tech to improve the quality of healthcare. Once President Bush’s second term came to a close, he passed the baton to the Obama administration. They, in turn, built upon the previous administration’s policies by introducing HITECH.
What is HITECH?
President-elect Obama entered the White House during the global financial crisis caused by the subprime mortgage collapse. In an attempt to stimulate the economy, the Obama administration introduced its 2009 stimulus package, which included a provision on updating the health IT industry via the HITECH Act.
The general focus of the HITECH Act was to:
- Further protect electronic protected health information (ePHI) shared between patients, doctors, hospitals, and insurers.
- Strengthen criminal and civil enforcement of HIPAA rules by levying tougher penalties for compliance failures.
- Close loopholes in HIPAA.
- Fix privacy and security concerns.
According to Health and Human Services, it accomplished this by establishing the following revisions to previous policies:
- “Established four categories of violations that reflect increasing levels of culpability;
- Set four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
- Created a maximum penalty amount of $1.5 million for all violations of an identical provision.”
It also amended section 1176(b) by:
- “Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
- Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.”
How HITECH Protects Your Information
One of the principal aims of HITECH was to protect ePHI. It expanded upon the best practices for security and privacy originally found in HIPAA. Its goal was to prevent the disclosure of “individually identifiable health information” without patient consent except for:
- Healthcare operations
HITECH significantly increased the automatic repercussions for a breach of your personal information. The mechanisms for this included the following addendums:
- Notification of breach – HITECH requires that patients and/or the public at large be alerted when security breaches occur or when unsecured personal health information is used or divulged for unsanctioned reasons.
  - In cases of breaches that impact more than 500 individuals, the healthcare provider must notify the Health and Human Services Secretary as well as the media.
  - In cases of breaches that impact fewer than 500 individuals, the healthcare provider must include it in their annual report to the HHS Secretary.
  - Businesses must promptly notify those they cover of breaches.
This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and the electronic exchange of health information.
- Electronic health record access – Whenever a healthcare organization implements an electronic health record (EHR) system, the patients or designated third parties have the legal right to electronically access their personal health information. It stipulates that patients can only be charged for these requests according to labor costs associated with providing that information.
- Business associates and business associate agreements – HITECH compliance extended further coverage of specific HIPAA provisions to business associates. Previously, privacy and security could only be enforced on business associates through contracts with covered entities, which created a loophole that was only loosely enforced. After the update, business associates could be found out of compliance since they’re also compelled to obey the security rules of HITECH.
  - This specifically impacts software vendors offering EHR systems and requires that they comply with privacy laws. It also obligates them to report security breaches to those they cover. Finally, it allows them to be audited and fined if found guilty. As a result, business associates are forced to share responsibility when it comes to protecting clients’ vital information.
- Audits for neglect – Although HITECH is federal law, it grants both HHS and state attorneys general the authority to enforce the regulations via investigations and penalties on those found to be “willfully negligent.” Although there is no clear-cut definition of this term, it’s ascertained during an audit on a case-by-case basis. Civil penalties are considered to be mandatory and include:
  - A minimum penalty of $100 per violation with a penalty cap of $25,000 for repeat violations within the calendar year.

  Penalties for willful neglect were increased and include:
  - A minimum penalty of $10,000 per violation with a penalty cap of $250,000 for repeat violations within a calendar year.
  - Maximum penalty of $50,000 per violation with a penalty cap of $1,500,000 for repeat violations within a calendar year.
HITECH and Meaningful Use
Initially, the HITECH charter laid out a timeline for the implementation of the new rules. Starting in 2011, healthcare providers would be able to obtain financial enticements for showing meaningful use of EHRs. This program ran until 2015. Afterward, penalties were levied on those who failed to demonstrate meaningful use.
Meaningful Use is defined by the use of certified EHR technology in a meaningful manner (for example electronic prescribing); ensuring that the certified EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of care; and that in using certified EHR technology the provider must submit to the Secretary of Health & Human Services (HHS) information on quality of care and other measures.
This was based on the ‘5 pillars of health outcomes’:
- Enhance the quality, efficacy, and safety of healthcare in order to decrease discrepancies.
- Facilitate communication and coordination.
- Involve patients and families in monitoring their health.
- Improve the health metrics of the population as a whole.
- Ensure the privacy and security of electronic health records.
Medicare and Medicaid Promoting Interoperability Programs
Although it was successfully integrated, the program was largely unpopular, particularly with healthcare providers who had to hit dozens of benchmarks to demonstrate compliance. As a result, the program was updated in 2018 and retitled the Medicare and Medicaid Promoting Interoperability Programs. In addition, an incentive program was created to push doctors and hospitals to upgrade to certified EHR technologies (CEHRT). This EHR incentive program was measured in 3 stages:
- Stage 1 – Pushed the implementation of certified EHR technologies. It accomplished this by setting conditions for electronic capture of health information and providing patients a way to read their electronic copies.
- Stage 2 – Added to Stage 1 by clarifying the meaningful use of CEHRT. It placed a special emphasis on the transfer of private health data and coordination between healthcare providers. Also, it raised the compliance benchmark ceiling and added further rules and regulations.
- Stage 3 – Emphasized the adoption of CEHRT to better healthcare results through the implementation of various new measures such as:
  - Health information exchange
  - Clinical data registry and case reporting
  - Clinical decision support
  - Digitized provider order entry
  - Coordinated care
By all metrics, the HITECH Act was a success that pushed hospitals to adopt EHR in droves. According to a Health Affairs study on the matter:
“We found that annual increases in EHR adoption rates among eligible hospitals went from 3.2 percent in the pre-period to 14.2 percent in the post period. Ineligible hospitals experienced much smaller annual increases of 0.1 percent in the pre-period and 3.3 percent in the post-period, a significant difference-in-differences of 7.9 percentage points. Our results support the argument that recent gains in EHR adoption can be attributed specifically to HITECH, which suggests that the act could serve as a model for ways to drive the adoption of other valuable technologies.”
Safeguarding Your Data
By this point, you should no longer be wondering “What is the HITECH Act?” As you now know, it was instrumental in pushing healthcare providers to adopt new tech and to better safeguard your data. Although these measures alone aren’t enough to completely protect your electronic health records, they were a critical step that increased digital security. Contact RSI Security to get started on becoming HITECH compliant.
Congress.gov. American Recovery and Reinvestment Act of 2009. https://www.congress.gov/bill/111th-congress/house-bill/1/text
Reisman, G. The Wired for Health Care Quality Act: Beyond HIPAA. (2008). https://www.jacr.org/article/S1546-1440(08)00357-8/abstract
Health and Human Services. HITECH Act Enforcement Interim Final Rule. https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
Health and Human Services. HITECH Breach Notification Interim Final Rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification/laws-regulations/final-rule-update/hitech/index.html
CDC. Public Health and Promoting Interoperability Programs. https://www.cdc.gov/ehrmeaningfuluse/introduction.html
Jha, A. Health Affairs. HITECH Act Drove Large Gains In Hospital Electronic Health Record Adoption. (2017). https://www.healthaffairs.org/doi/full/10.1377/hlthaff.2016.1651