The answer to the question of why the HITECH Act is important can differ depending on whether an organization is a HIPAA Covered Entity or a Business Associate. The HITECH Act is also important to patients, who now benefit from more efficient healthcare services, improved patients' rights, and fewer unauthorized disclosures of personally identifiable information.
In 2009, Congress passed the American Recovery and Reinvestment Act. The Act contained two titles which, together, created the HITECH Act – Title XIII of Division A (“Health Information Technology”) and Title IV of Division B (“Medicare and Medicaid Health Information Technology; Miscellaneous Medicare Provisions”).
The first of the two titles mostly focused on a plan for the development of a nationwide health information technology infrastructure which included the adoption of standards, implementation specifications, and certification criteria for EHRs. The second of the two titles related to the Meaningful Use incentive program to encourage the adoption of EHRs.
Because the Meaningful Use incentives were time-limited, the HITECH Act was successful in modernizing the healthcare system. Prior to the HITECH Act, only 10% of healthcare organizations used EHR systems. Within eight years more than 90% of healthcare organizations had adopted EHRs and were putting them to meaningful use.
The HITECH Act Privacy Provisions
The increased adoption of EHRs is not the only answer to the question of why the HITECH Act is important. Subtitle D of Title XIII introduced multiple privacy provisions that were subsequently integrated into HIPAA via the Final Omnibus Rule. These included:
- Expanding patients' rights to receive copies of and amend PHI.
- Modifying the requirements for Notices of Privacy Practices.
- Enabling access to PHI by families and authorized parties.
- Adding further limitations on permitted disclosures of PHI.
- Restricting disclosures for the private payment of treatment.
- Extending the list of disclosures for which consent was required.
Additionally, Business Associates were required to comply with the Security Rule, were liable for violations of HIPAA for which they were responsible, and had to report breaches of unsecured ePHI to the Covered Entities for whom they provided a service. Time limits were introduced for breach notifications, and the fines for non-compliance with HIPAA were increased.
With regard to breach notifications, Covered Entities and Business Associates could only refrain from reporting a breach of unsecured PHI if it could be demonstrated there was a low probability of harm. Previously, the burden of proof had been on the HHS' Office for Civil Rights to prove a breach had resulted in harm to an individual, but this burden was reversed by the HITECH Act.
HITECH and the HIPAA Final Omnibus Rule
The provisions of the HITECH Act relating to the development of a nationwide health information technology infrastructure and the Meaningful Use program were enacted in 2011; but it was not until two years later that the HITECH Act privacy provisions were enacted in the HIPAA Final Omnibus Rule and integrated into the Privacy, Security, and Breach Notification Rules.
However, not every HITECH Act privacy provision was enacted. One of the provisions omitted from the HIPAA Final Omnibus Rule related to compensating victims for data breaches from fines issued for HIPAA violations. Due to the difficulty of identifying every victim of a data breach and distributing compensation fairly, this provision has still to be enacted.
In addition to the HITECH Act privacy provisions, the HIPAA Final Omnibus Rule also enacted provisions from the Genetic Information Nondiscrimination Act (GINA) and changes attributable to Executive Order 13563. The most relevant regulatory change attributable to Executive Order 13563 was that the cost of a regulation (and complying with it) should not outweigh the benefits.
Why is the HITECH Act Important to Covered Entities?
The HITECH Act is important to Covered Entities on two counts. Firstly, it incentivized healthcare organizations to adopt EHRs and streamline healthcare operations to improve efficiency and reduce costs. Prior to the HITECH Act, the majority of healthcare organizations relied on paper records for treatment and payment records. Many patient records were also maintained on paper.
Secondly, it forced Covered Entities to invest in HIPAA compliance to avoid potentially substantial financial penalties. Prior to the updates to the Privacy, Security, and Breach Notification Rules, it was often cheaper to pay a financial penalty than it was to invest in compliance due to there being only a small risk of enforcement action if a violation of HIPAA or data breach occurred.
Why is the HITECH Act Important to Business Associates?
The HITECH Act mandated Business Associates were subject to the same compliance requirements as Covered Entities in relation to the Security and Breach Notification Rules and certain areas of the Privacy Rule (for example the policy, procedure, and documentation requirements). Subcontractors of Business Associates are also subject to the same compliance requirements.
The requirement to comply with HIPAA is generally fair; but in some areas it places an excessive burden on Covered Entities. For example, under the Security Rule, Business Associates are required to implement a security training and awareness program for all members of the workforce. This means Business Associates may have to provide HIPAA training to employees with no access to PHI.
The Importance of HITECH for Patients
It was mentioned in the introduction to this article that the HITECH Act is important to patients because it improves the efficiency of healthcare services. This was confirmed in a 2016 report to Congress which stated: “84 percent of academic studies examining health IT functionalities required under the Medicare and Medicaid EHR Incentive Programs had a positive or mixed positive effect on quality, safety, and efficiency of care”.
In addition to benefitting from more efficient healthcare services, patients now have more input into their care and can make informed decisions about treatments and where they obtain them. Finally, the increased enforcement of HIPAA reduces the frequency of data breaches and the likelihood of patients becoming victims of insurance fraud or identity theft. Therefore, it is fair to say the HITECH Act probably had a bigger impact on patients than on Covered Entities and Business Associates.