On Feb. 18, 2009, President Barack Obama signed into the law the American Recovery and Reinvestment Act (ARRA) of 2009, commonly known as the "stimulus package." In doing so, President Obama also made the Health Information Technology for Economic and Clinical Health (HITECH) Act the law of the land, in the process significantly expanding the reach of the Health Insurance Portability and Accountability Act (HIPAA) and its corresponding penalties.
More compliance FAQs?
Get caught up on regulations and more with our IT compliance FAQs.
This resource provides answers and resources to frequently asked questions regarding the HITECH Act. As you read the FAQ, you'll learn more about what the act is, where it came from, what it requires and what the role of IT is in achieving and maintaining HITECH compliance.
- What is the HITECH Act?
- How does HITECH extend or augment HIPAA?
- Who or what is affected by HITECH?
- What is generally required by HITECH?
- What is the role of IT in HITECH compliance?
- What are the penalties for compliance?
The HITECH Act is a component of ARRA and of healthcare reform in general, a major legislative focus for the federal government in 2009. HITECH builds on the 1996 Health Insurance Portability and Accountability Act to strengthen the rules designed to protect the privacy and security of health-related data.
The HITECH Act is meant to encourage doctors, hospitals and others in the healthcare industry to make better use of health information technology, allotting some $19 billion in funding for HIT. The HITECH Act created a number of financial incentives for implementing IT infrastructure, including electronic health records (EHRs) technology and training.
The stated purpose behind boosting the use of IT in healthcare is to revamp the way care is delivered, making it more efficient and less prone to error. The initiative will also result in the compilation of vast amounts of data that could be used for research and performance measurement, among other things. The creation of millions of EHRs also makes cybersecurity a critical national priority.
The HITECH Act outlines two main goals:
- Make electronic health records interoperable by establishing standards.
- Develop a national network for providers to share electronic data.
The act relies on a combination of carrots and sticks to promote those efforts. Financial incentives include grant programs to help pay for IT infrastructure, electronic health records technology and training. A separate set of grants is available to states to give low-interest loans to healthcare providers. A Medicare incentive payment program encourages physicians to be early adopters of electronic health records if they can demonstrate "reasonable use."
At the same time, the act also establishes new privacy and security obligations for anyone covered under HIPAA and extends them to individuals and groups that were not previously covered. The healthcare industry's IT operations now face considerably higher compliance responsibilities as well as greater penalties for noncompliance.
HITECH strengthens the rules established under HIPAA for protecting the privacy and security of health information. Enhanced security provisions include a new data breach reporting requirement, which lowers the threshold at which victims must be notified. There are also new disclosure accounting rules, limits on how protected health information can be used for marketing and fundraising purposes and a ban on selling protected data.
HITECH also raises the penalties for noncompliance with HIPAA and provides greater resources for enforcing the rules. It significantly changes the landscape in terms of extending the reach of HIPAA to other entities (see "Who or what is affected by HITECH?").
One of the most significant amendments to HIPAA by the HITECH Act is the expansion of the categories of entities subject to the 1996 law's privacy and security rules. Plans and health care clearinghouses are also affected by HITECH, along with their business associates and certain vendors of HIT. All of the above are now subject to numerous security requirements, including technical, physical and policy-related rules.
The HITECH Act also affects federal healthcare contractors and federal agencies that use healthcare IT systems to exchange health data.
Every entity covered under the HITECH Act has to review its information systems and infrastructure to ensure compliance with the law. These requirements are both extensive and complex, but they can be summarized broadly under two main categories: security and privacy.
HITECH broadens the definition of protected health information. Each entity affected by the law must make sure that it has identified and secured all of the relevant data. Securing this information with technology that matches the U.S. Department of Health and Human Service's (HHS) definition of the "most effective and appropriate technical safeguards" may allow some entities to avoid HITECH's stringent notification requirements in the event of a breach.
On Aug. 24, a Final Rule was published in the Federal Register. This guidance further clarified the liabilities for breaches of patients' unsecured personal health information (PHI) incurred by covered entities and business associates liabilities.
Specifically, covered entities must notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such breach. Furthermore:
- If a breach occurs and the data was unsecured, victims must be specifically notified by first-class mail within 60 days of discovery of the breach.
- Covered entities must also notify the media in the event of any data breach of unsecured PHI that involves more than 500 residents of a given state or jurisdiction.
- If more than 500 individuals living in the state are involved, there are additional notification requirements.
A business associate must notify the covered entity of any breach of unsecured PHI, as well as:
- If the PHI has been irreversibly destroyed prior to unauthorized access.
- If the breached entity is using National Institute of Standards and Technology standard encryption.
- If, based on a risk of harm analysis by HHS, it is determined that the unauthorized access will not result in harm.
That last standard from HHS has proven controversial because of the amount of subjectivity involved on the part of the breached entity. The Federal Trade Commission, however, has adopted a more conservative standard for healthcare privacy when it comes to data breach notifications.
Individuals or groups covered under the HITECH Act need to have systems in place for detecting data breaches, recording security incidents and notifying victims as required. All business associate contracts must be amended to include the new requirements to address HITECH compliance.
Privacy officers, chief information security officers, chief information officers, human resources, customer service departments and operations departments are likely included in any effective compliance program. In fact, part of HITECH compliance is to provide training and ongoing awareness about breach notice procedures to key stakeholders who are outside of IT.
That said, operationally ensuring compliance with HITECH's security and privacy provisions is, to a large degree, an IT function. The security rules established under HIPAA do not require any particular IT system or set of safeguards. HITECH does not impose specific mandates on private entities, either. The HITECH Act does, however, direct HHS to issue guidelines every year on the "most effective and appropriate technical safeguards" for carrying out HIPAA security standards.
Although determination by HHS of what is most effective and appropriate is not a mandate, implementing it can prove beneficial in the event of a breach of protected health information. The HHS guidelines regarding encryption demonstrate one example why: The HITECH Act does not require encryption.
HITECH also broadens the category of health information that must be protected. The act directs HHS to define the "minimum necessary" information that data holders must limit themselves to when using, disclosing or requesting protected health information. Until HHS finalizes this definition, information has to be restricted to the limited data set defined in HIPAA privacy regulations. A "limited data set" omits names, street addresses, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers and nine other data fields. IT systems involved in the use, disclosure or request of protected data must take into account these restrictions.
HITECH's privacy requirements also include restrictions on the use of protected health information for marketing and fundraising purposes, a prohibition on selling information, a mandate to agree to requests for restricting the use and disclosure of data, and rules on accounting for the disclosure of data. HITECH compliance, given these requirements, will likely have an impact on the kinds of IT systems and infrastructure deployed.
The HITECH Act increases the civil monetary penalties for HIPAA noncompliance to as much as $50,000 per violation. The violator's level of intent is taken into account, however -- if he can prove he did not know about a violation, the penalty could be as little as $100 per violation. Violations resulting from "reasonable cause" but not "willful neglect" start at $1,000. Violations of "willful neglect" can result in penalties of $10,000 per violation. Under each of these tiers, there is a cap on the total penalty that can be imposed for the same type of violation in a given year.
In addition to heightened monetary penalties, HITECH authorizes state attorneys general to enforce HIPAA privacy and security requirements under certain circumstances. The act also authorizes HHS to conduct audits to ensure compliance with both HITECH's provisions and HIPAA's privacy and security requirements.
There are criminal penalty provisions under HIPAA as well. According to Rebecca Herold's SearchCompliance.com article on HIPAA enforcement, the regulation originally "provided for criminal penalties of fines of up to $250,000 and up to 10 years in prison for disclosing or obtaining PHI with the intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm." HITECH extends these provisions to the business associates of anyone covered under HIPAA.
As Herold points out, more government audits are also leading to more convictions. "The HITECH Act also permits the Office for Civil Rights (OCR) to pursue an investigation and apply civil monetary penalties against individuals for criminal violations of the HIPAA Privacy Rule and Security Rule if the Justice Department did not prosecute the individuals," she writes. "Additionally, the HITECH Act changes HIPAA to require formal investigations of complaints and to impose civil monetary penalties for violations resulting from willful neglect. Any civil monetary penalties collected must then be transferred to OCR to use for HIPAA enforcement activities, and the HHS must establish a process to distribute a percentage of the collected HIPAA penalties to harmed individuals."
Let us know what you think about the FAQ; email firstname.lastname@example.org.
This was first published in September 2009