The HITECH Act – or Health Information Technology for Economic and Clinical Health Act – forms a portion of an economic stimulus program introduced prior to President Trump taking office: The American Recovery and Reinvestment Act of 2009 (ARRA). The Act was signed into law by the then President Barack Obama on February 17, 2009.
Aims of the HITECH Act
The HITECH Act was put in place to encourage and grow the adoption of health information technology, specifically, the use of electronic health records (EHRs) by healthcare groups.
The Act also made redundant loopholes in the Health Information Portability and Accountability Act of 1996 (HIPAA) by cleaning up the language of HIPAA. This assisted in making sure that business associates of HIPAA covered entities were falling in line with HIPAA Rules and notifications were shared to affected individuals when health information was impacted.
More stringent penalties for HIPAA compliance failures were also brought in to add an extra incentive for healthcare organizations and their business associates to adhere with the HIPAA Privacy and Security legislation.
HITECH Act Relevance
Before the HITECH Act became enforceable in 2008, only 10% of hospitals had implemented EHRs. In order to expand healthcare, improve efficiency and care coordination, and make it more straightforward for health information to be sent between different covered entities, electronic health records needed to be put in place.
While many healthcare bodies aimed to transition to EHRs from paper records, the cost of doing so was prohibitively expensive. The HITECH Act brought in incentives to encourage hospitals and other healthcare providers to make the switch. Had the Act not been introduced, many healthcare providers would still be working with paper records. The Act grew the rate of adoption of EHRs from 3.2% in 2008 to 14.2% in 2015. By 2017, 86% of office-based physicians had achieved an EHR and 96% of non-federal acute care hospitals has implemented certified health IT.
The HITECH Act also made sure that healthcare organizations and their business associates were complying with the HIPAA Privacy and Security Rules, were implementing security measures to keep health information private and confidential, limiting uses and disclosures of health information and were ensuring their obligation to provide patients with copies of their medical records on request was being fulfilled.
The Act did not make compliance with HIPAA obligatory as that was already the case, but it did make sure that groups found not to be in compliance could be issued with a significant financial penalty.
HITECH Act Explained
The HITECH Act called on healthcare providers to introduce a system of electronic health records and improved privacy and security protections for healthcare data management. This target was met thanks to financial incentives for adopting EHRs and increased penalties for breaches of the HIPAA Privacy and Security Rules.
The HITECH Act has within it, four subtitles (A-D). Subtitle A covers the promotion of health information technology and is split into two parts. Part 1 covers improving healthcare quality, safety, and efficiency. Part 2 covers with the application and use of health information technology standards and reports.
Subtitle B relates to the testing of health information technology, Subtitle C covers grants and loans funding, and Subtitle D covers privacy and security of electronic health information. Subtitle D is also divided into two separate parts. Part 1 relates to improving privacy and security of health IT and PHI and part 2 covers the relationship between the HITECH Act and other legislation.
Compliance with the requirements of the HITECH Act became mandatory from November 30, 2009, one year after the Act being signed into law. The requirements of HITECH were incorporated into HIPAA in the Final Omnibus Rule, which combined HIPAA and HITECH in the same legislation. The HIPAA Omnibus Final Rule was made public on Jan. 25, 2013 and had a compliance date of September 23, 2013.
Explanation of the Meaningful Use Program
The Department of Health & Human Services (HHS) was allocated a budget of more than $25 billion to meet its goals. The HHS invested that budget to fund the Meaningful Use program – A program that encouraged care providers to put in place certified EHRs by providing monetary incentives. Certified EHRs are those that have been certified as meeting defined standards by an authorized testing and certification body.
Certified EHRs had to be used in an important way, such as for issuing electronic prescriptions and for the exchange of electronic health information to better the quality of care. The program sought to improve coordination of care, improve efficiency, reduce costs, ensure privacy and security, boost population and public health, and involve patients and their caregivers more in their own healthcare.
The financial incentives were massive and grew year on year with the program and new requirements were introduced at each of the three different stages of the Meaningful Use program. The failure to achieve the requirements of each stage lead to a financial penalty: A reduction of reimbursements for Medicare and Medicaid.
In order to receive federal monies, care providers not only had to adopt EHRs but also demonstrate meaningful use of certified EHRs. They had to display that they had achieved the minimum core objectives in each stage along with a set number of menu objectives. It was also required to prove compliance with the HIPAA Security and Privacy Rules by conducting risk assessments.
Legislative Requirements for Business Associates to be HIPAA Compliant
When HIPAA was first passed in 1996, business associates of HIPAA covered entities had a “contractual obligation” to comply with HIPAA. As there was no enforcement of that requirement, and covered entities could avoid penalties (in the event of a breach of PHI by a business associate) by stating that they did not know their business associate was not HIPAA-compliant. Since business associates could not be fined directly for HIPAA breaches, many failed to meet the standards required by HIPAA and were putting millions of health records at risk.
The HITECH Act applied the HIPAA Security and Privacy Rules to business associates and put on them the same legal requirements to protect PHI, detect breaches, and report violations of HIPAA to their covered entities. Business associates were also subject to obligatory HIPAA audits and civil and criminal fines could be issued directly to business associates for the failure to adhere with HIPAA Rules.
Stricter Penalties for HIPAA Breaches
Before the HITECH Act was enforceable, as well as covered entities escaping sanctions by claiming their business associates were unaware that they were breaking HIPAA rules, the sanctions HHS could impose were little more than a slap on the back of the hand ($100 for each violation up to a maximum fine of $25,000). Tougher fines were introduced for HIPAA violations and penalties were split into separate tiers based on different levels of culpability. The maximum fine for a HIPAA breach was grown to $1.5 million per violation category, per annum.
The HITECH Act called for mandatory financial fines for HIPAA-covered entities and business associates on all occasions that there was willful neglect of HIPAA Rules. The HHS was given the power to determine the level of knowledge that HIPAA Rules were being breached and whether the violations represented willful neglect of HIPAA Rules.
The direct result of the new $1.5 million maximum fine was covered entities and business associates began to pay more attention of HIPAA regulations. With such high potential fines, HIPAA compliance could no longer be thought of as ‘optional’. The penalties could be more than the cost of actually complying with HIPAA.
The HSS can keep a proportion of the HIPAA penalties paid to fund its enforcement efforts. With a higher source of income, HHS was able to focus more resources to looking into the cause of data breaches and, in 2011, the HHS kicked off the first phase of its HIPAA compliance audit program. The next phase of ‘desk audits’ – paperwork checks – on covered entities came to an end in 2016, paving the way for a permanent audit program.
Major Amendment: HIPAA Breach Notification Rule
A significant change that arose due to the introduction of the HITECH Act was the development of a new HIPAA Breach Notification Rule. Under the new Breach Notification Rule, covered entities are required to send out official notifications to those impacted by a breach within sixty days of the identification of a breach of unsecured protected health information.
These breach notification letters to patients must be mailed using first class mail and must describe, in detail, the nature of the breach, the types of protected health information that were exposed or compromised, the measures that are being taken to remedy the breach, and the actions affected individuals can take to tackle the potential for harm.
Breaches of 500 or greated health records also need to be reported to the HHS within 60 days of the discovery of a breach, and smaller breaches within 60 days of the end of the current calendar year in which the breach took place. Along with reporting the breach to the HHS, a notice of a breach of 500 or greater health records must be shared with a prominent media outlet serving the state or jurisdiction where those affected by the breach mainly reside. The Breach Notification Rule also states that business associates must alert their covered entities of a breach or HIPAA violation to allow the covered entity to submit a report of the incident to the HHS and arrange for individual notices to be broadcast.
HIPAA Wall of Shame
The HITECH Act also included a provision that the HHS’ Office for Civil Rights would begin publishing a summary of healthcare data breaches that had been submitted by HIPAA covered entities and their business associates. Kicking off in October 2009, OCR published breach summaries on its website, which includes the name of the covered entity or business associate that suffered the breach, the category of breach, where the breached PHI was geographically located, and the number of people affected.
The OCR breach portal has been referred to as ‘The HIPAA Wall of Shame’.
Electronic Health Records Access
The HIPAA Privacy Rule allowed patients and health plan subscribers a right of access and permitted them to obtain copies of their health information by sending in a formal request. Healthcare providers that implemented EHRs were storing health information electronically. HITECH altered the HIPAA right of access to allow individuals to obtain a copy of their health data in electronic format if they needed it. This change made it more straightforward for people to share their health data with other bodies.
While it should be quite a quick and easy process to provide electronic health records in electronic format, the reality was that this was not the case. Some electronic health record systems make it complicated for health data to be supplied in electronic format. To counter the costs of providing copies of electronic health records, healthcare groups were allowed to charge a reasonable fee to include the cost of labor for completed the request for healthcare data.
Protected Health Information – Uses and Disclosures
The HITECH Act also introduced changes to permitted uses and disclosures of PHI and tightened up the wording of the HIPAA Privacy Rule. Business associates were stopped from using ePHI for marketing campaigns without adequate authorization, patients were given the right to take back any authorizations they had previously handed over, and new requirements for accounting for disclosures of PHI and keeping records of disclosures were introduced, including to whom PHI had been disclosed and for what aim.