The HITECH Act (Health Information Technology for Economic and Clinical Health Act) was passed by Congress in 2009 as a part of the American Recovery and Reinvestment Act – an economic stimulus package intended to help the country recover from the Great Depression of 2008.
The primary objective of the HITECH Act was to develop a nationwide health information technology infrastructure to improve the quality, safety, and efficiency of the healthcare industry. However, to achieve this objective, it would be necessary for healthcare organizations to invest more in health IT technology. Consequently, Title IV of the Act proposed a Meaningful Use program that would incentivize Medicare-eligible entities to adopt EHRs.
To address concerns that the increased adoption of EHRs might lead to an increased number of data breaches, Congress added Title XIII to the Act. This Title instructs the Secretary for Health & Human Services to establish an Office of the National Coordinator for Health IT, develop standards for the testing and certification of EHRs, and set up a grant program to attract more IT professionals into the healthcare industry and facilitate the adoption of certified EHR technology.
How the HITECH Act Updated HIPAA
Title XIII also includes a section (Subtitle D) updating the Privacy and Security standards of HIPAA. Although Subtitle D was entitled “Privacy”, this section of the HITECH Act updated more than just the privacy standards of HIPAA. Among the most significant changes:
- The definition of unsecured PHI was amended to “PHI that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable.”
- The use of PHI for fundraising or marketing activities was removed from the permissible uses and disclosures of PHI in the Privacy Rule.
- The Act extended individuals´ rights inasmuch as individuals could now requests a copy of PHI maintained in a designated record set in an electronic format.
- A new Breach Notification Rule was introduced requiring Covered Entities to notify individuals and HHS´ Office for Civil Rights when a breach occurred.
- Under the Breach Notification Rule, Business Associates are required to report any security incident to the Covered Entity – not just breaches of unsecured PHI.
- Business Associates were required to comply with the Security Rule and any Privacy Rule standards “with respect to the PHI of a Covered Entity”.
- The scope of Business Associates was increased to include services that store or transmit PHI to, from, or on behalf of a Covered Entity.
- Business Associates became liable for violations of the Privacy, Security, and Breach Notification Rules and data breaches attributable to noncompliance.
- A new four-tier penalty structure enabled HHS´ Office for Civil Rights to extend the enforcement of HIPAA beyond violations attributable to willful neglect.
- State Attorneys General and the Federal Trade Commission were given the authority to pursue civil actions against non-compliant organizations.
One of the consequences of the updates to HIPAA was that Covered Entities and Business Associates had to make multiple “material changes” to HIPAA policies and procedures. This meant that most members of the workforce had to be provided with HIPAA training – especially the workforces of Business Associates, who all now had to be provided with mandatory security awareness training.
Updates Take Time to Become Effective
Fortunately for Covered Entities and Business Associates, the requirement to update policies and provide material change training did not happen overnight. While the majority of HITECH Act provisions were enacted in 2011, the privacy provisions of Title XIII Subtitle D were not enacted until 2013 when the Department of Health and Human Services published the HIPAA Omnibus Final Rule.
The HIPAA Omnibus Final Rule incorporated most – but not all – of the HITECH Act updates into the Privacy and Security Rules – although some were modified between 2009 and 2013 following public and stakeholder comments. The HIPAA Omnibus Final Rule also incorporated changes attributable to Executive Order 13563 and the Genetic Information Nondiscrimination Act (GINA).
The exception to the above was the Breach Notification Rule, which had an effective date of October 2009. The requirement to notify HHS´ Office for Civil Rights of breaches of unsecured PHI within sixty days led to a significant increase in enforcement action – not only in terms of the number of Civil Monetary Penalties issued, but also in the amounts of the penalties for violating HIPAA.
The Impact of the 2009 HITECH Act
The impact of the HITCH Act varies according to whether your organization is a healthcare provider or a Business Associate, or whether you are a patient or group plan member. From the perspective of healthcare providers, the HITECH Act improved the way healthcare data is used and shared. The widespread adoption of EHRs increased efficiency, improved patient safety, and resulted in better patient outcomes according to a 2016 report by the Office of the National Coordinator for Health IT.
For Business Associates, mandatory compliance with relevant sections of the Privacy, Security, and Breach Notification Rules created a lot of work for previously non-compliant organizations. However, the requirement to stipulate the conditions under which PHI is disclosed to a Business Associate (in a Business Associate Agreement) provides security against being falsely accused of a HIPAA violation the event of a data breach attributable to the negligence or non-compliance of a Covered Entity.
For patients and group plan members, not only did individuals benefit from faster and better informed clinical decisions, but the improved enforcement of HIPAA reduced the likelihood of individually identifiable health information being disclosed or accessed impermissibly to commit insurance fraud or identity theft. The HITECH Act also paved the way for innovation in the healthcare industry – resulting in more accurate diagnoses and treatments, and better patient outcomes.
