The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996, and compliance was (and indeed is) necessary for all U.S. healthcare organizations.
It was intended to protect patient health data, reduce health insurance costs, and create a standard hospital administration process. Of course, this implied that patient health data would go digital, which didn’t happen at the expected rate, leaving the U.S. behind other countries that had already embraced digital transformation.
In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act, short for high technology. It was also designed to address the shortcomings and loopholes surrounding HIPAA and encourage the adoption of electronic health records (EHRs). This was achieved by strict guideline enforcement and higher penalties for non-compliance. To avoid such penalties, healthcare organizations must be HITECH-compliant and HIPAA-compliant.
HITECH vs. HIPAA
HIPAA compliance hinges on the HIPAA Privacy Rule: organizations that must comply are required to secure patients’ data, perform a regular risk analysis, protect their systems, and incorporate safeguards. Unfortunately, it did not go far enough, having been created in a time before ubiquitous high-speed broadband and wholesale data sharing. It didn’t cover the activities of partners, business associates, and service providers. Finally, of course, the penalties weren’t high enough to discourage non-compliance.
HITECH has four subtitles, labeled A through D. Subtitle A covers the promotion of health information technology. This includes creating the health-focused infrastructure and the adoption of digital/electronic health records. With a national standard in place, healthcare professionals can collaborate more effectively with colleagues, private practices, and federal regulators.
Anything created must be tested, and Subtitle B handles that aspect with funding options for qualifying institutions to research new technologies and healthcare delivery methods.
Subtitle C defines how grants and funding are spent and confirms that recipients have followed the agreed guidelines when spending their funds. Expectations are also defined, generally stating that improved solutions are expected. I’m assuming my suggestion to go back to paper is not one of those.
Subtitle D relates to privacy (expectations are clearly defined for electronic data), links to other laws and regulations (including HIPAA), and effective dates for compliance. Subtitle D also specifies that non-HIPAA-covered entities are bound by the same rules and standards if they are an associate or partner of a HIPAA-covered entity or handle the data of a HIPAA-covered entity. This is perhaps the most important part of HITECH. If you are ‘handling’ personal health information (PHI), then you must be HIPAA- and HITECH-compliant, even if technically you are not in the healthcare industry. Providers of cloud services take note.
A key element of HITECH is to ensure patients are informed if their data is compromised. In addition, as mentioned previously, it was designed to enhance HIPAA, encourage digital transformation and EHR adoption, and close earlier loopholes. Business associates are included in the supplemental regulation, with non-compliance attracting higher penalties than before, i.e., penalties that act as an actual deterrent rather than a token slap on the wrist.
HITECH compliance is now essential to avoid those fines and, broadly speaking, has five key elements. These are:
Meaningful Use of EHRs
This element is designed to foster meaningful use of EHRs: providers who fail to adopt them receive reduced Medicare and Medicaid fees. To be considered meaningful, a solution must meet five criteria.
Healthcare providers must demonstrate that their solution improves the quality, safety, and efficiency of patient care. It must inform patients and families of health status and potential problems. Evidence of improved coordination/collaboration is necessary, as is improvement in public healthcare services. Finally, and most importantly, all electronic personal health information (ePHI) must be kept secure and private. Practical examples of ‘meaningful use’ include online consultations and transferring medical data to insurers, consultants, etc.
Business Associate HIPAA Compliance
Under HITECH, business associates are liable for HIPAA violations.
Breach Notification Rule
All patients must be informed if their data has been compromised. Public obligations vary depending on the number of patients involved. For 500 or more, the U.S. Department of Health & Human Services (HHS) must be informed within 60 days. The same applies to notifying a prominent media outlet in your jurisdiction.
Wilful Neglect and Auditing & HIPAA Compliance Updates
Suffice it to say that each non-compliance incident is different, and it is no longer cost-effective to accept the penalties rather than implement a secure system for ePHI. Unintentional violations are capped at $25,000 ($100 per violation), but at the highest tier, D, fines are $50,000 per violation and capped at $1.5m per annum. Even these fines can be increased for excessive negligence, and the U.S. Justice Department can levy more substantial fines per violation or add imprisonment (up to 10 years) into the mix.
Now that you know the possible penalties, it makes sense to protect patients’ data, doesn’t it?
Regardless of the penalties, the victims of the data breaches (the patients themselves) never see any of this cash, but that’s a topic for another article. All fines levied are used to ‘manage enforcement.’ This seems true of all government-enforced privacy regulations. For example, Facebook’s record-breaking $5 billion fine from the Federal Trade Commission (FTC) went to the U.S. Treasury.