What is the HITECH Act?
The HITECH Act, or the Health Information Technology for Economic and Clinical Health Act, is part of the American Recovery and Reinvestment Act of 2009 (ARRA), an economic stimulus package introduced by the Obama administration. The legislation creates incentives for the adoption and meaningful use of healthcare information technology, in particular electronic health records (EHR), among providers. After HITECH was enacted in 2009, adoption of EHR systems among healthcare providers grew rapidly.
The HITECH Act expands the scope of the privacy and security protections available under the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the HITECH Act introduces increased legal liability for non-compliance and adds enforcement actions. Additionally, HITECH establishes breach notification requirements for healthcare providers, ensures patients have access to their protected health information (PHI), and defines compliance requirements for business associates.
HITECH Act Summary
The act contains four subtitles:
- Subtitle A: Promotion of Health Information Technology
  - Part 1: Improving Healthcare Quality, Safety, and Efficiency
  - Part 2: Application and Use of Adopted Health Information Technology Standards; Reports
- Subtitle B: Testing of Health Information Technology
- Subtitle C: Grants and Loans Funding
- Subtitle D: Privacy
  - Part 1: Improved Privacy Provisions and Security Provisions
  - Part 2: Relationship to Other Laws; Regulatory References; Effective Date; Reports
HITECH Act and Meaningful Use
The HITECH Act proposed the meaningful use of interoperable electronic health records (EHR) throughout the United States healthcare system as a critical national goal. “Meaningful use” can be defined according to the five pillars of health outcomes policy priorities:
- Improve quality, safety, and efficiency, and reduce health disparities
- Engage patients and families in their health
- Improve care coordination
- Improve population and public health
- Ensure adequate privacy and security protection for personal health information (PHI)
HIPAA’s Breach Notification Rule requires covered entities to notify patients when their unsecured PHI is used or disclosed without permission in a way that compromises the privacy and security of the PHI. Once a covered entity knows that a breach of PHI has occurred, it is obligated to notify the relevant parties (individuals, HHS, the media, etc.) no later than 60 calendar days after the date of discovery, whether or not the entity knows that the PHI was actually compromised. If a breach affects 500 or more individuals, HHS and, under certain conditions, local media must also be notified. Every affected individual must receive a first-class mailing that personally explains what happened and what steps are being taken to resolve the breach.
A physician must take an active role in breach notifications in order to determine the severity of an improper use or disclosure of PHI. To do this, they apply a four-part test that considers:
- The nature and extent of the PHI involved, including the identifiers present and the likelihood of re-identification
- To whom the PHI was impermissibly disclosed
- Whether the PHI was actually viewed
- What mitigation steps have been taken to rectify the breach of the PHI
Electronic Health Record Access
Where an entity has implemented an EHR system, the HITECH Act stipulates that individuals, or third parties they designate, have a right to obtain their PHI in electronic form (ePHI). Only a fee covering the labor cost of fulfilling an electronic request may be charged.
While HIPAA has not been effectively enforced in the past, new government enforcement entities now perform audits of entities that are reported to have breached PHI data. The HITECH Act requires mandatory penalties for “willful neglect,” which is determined on a case-by-case basis but is intended to penalize providers that have an insufficient compliance strategy.
Penalties for willful neglect have increased under the HITECH Act. Penalties for violations of HIPAA and HITECH can reach $250,000, and up to $1.5 million for repeated offenses. HIPAA’s civil and criminal penalties now extend to business associates. HITECH does not allow an individual to bring a cause of action against a provider; instead, a state attorney general must bring an action on behalf of the state’s residents. For consistent regulation and enforcement, HHS is now required to conduct periodic audits of covered entities and business associates.
Best Practices for HITECH Act Compliance
In order to ensure that PHI data is kept private and safe, entities must implement an effective information security program, including solutions that protect the data and monitor access to it. Forcepoint’s DLP is designed to ensure and simplify regulatory compliance and includes out-of-the-box policies for regulations involving PII and PHI data. Forcepoint’s DLP also provides additional protection for DICOM, DNA profiles, ICD codes, HICN, SPSS, and medical forms.