
HITECH FAQ: What is the impact of the HITECH Act on IT operations?

24 Sep 2009 | SearchCompliance.com


On Feb. 17, 2009, President Barack Obama signed into law the American Recovery and Reinvestment Act (ARRA) of 2009, commonly known as the "stimulus package." In doing so, he also made the Health Information Technology for Economic and Clinical Health (HITECH) Act the law of the land, significantly expanding the reach of the Health Insurance Portability and Accountability Act (HIPAA) and its corresponding penalties.

This resource provides answers and resources to frequently asked questions regarding the HITECH Act. As you read the FAQ, you'll learn more about what the act is, where it came from, what it requires and what the role of IT is in achieving and maintaining HITECH compliance.

  What is the HITECH Act?
  How does HITECH extend or augment HIPAA?
  Who or what is affected by HITECH?
  What is generally required by HITECH?
  What is the role of IT in HITECH compliance?
  What are the penalties for noncompliance?

What is the HITECH Act?

The HITECH Act is a component of ARRA and of healthcare reform in general, a major legislative focus for the federal government in 2009. HITECH builds on the 1996 Health Insurance Portability and Accountability Act to strengthen the rules designed to protect the privacy and security of health-related data.

In this podcast, privacy expert Rebecca Herold talks about the HITECH Act and its implications for compliance and information security professionals.

The HITECH Act is meant to encourage doctors, hospitals and others in the healthcare industry to make better use of health information technology, allotting some $19 billion in funding for HIT. The HITECH Act created a number of financial incentives for implementing IT infrastructure, including electronic health records (EHRs) technology and training.

The stated purpose behind boosting the use of IT in healthcare is to revamp the way care is delivered, making it more efficient and less prone to error. The initiative will also result in the compilation of vast amounts of data that could be used for research and performance measurement, among other things. The creation of millions of EHRs also makes cybersecurity a critical national priority.

The HITECH Act outlines two main goals:

  1. Make electronic health records interoperable by establishing standards.
  2. Develop a national network for providers to share electronic data.

The act relies on a combination of carrots and sticks to promote those efforts. Financial incentives include grant programs to help pay for IT infrastructure, electronic health records technology and training. A separate set of grants is available to states to give low-interest loans to healthcare providers. A Medicare incentive payment program encourages physicians to be early adopters of electronic health records if they can demonstrate "meaningful use" of certified EHR technology.

At the same time, the act also establishes new privacy and security obligations for anyone covered under HIPAA and extends them to individuals and groups that were not previously covered. The healthcare industry's IT operations now face considerably higher compliance responsibilities as well as greater penalties for noncompliance.

How does HITECH extend or augment HIPAA?

HITECH strengthens the rules established under HIPAA for protecting the privacy and security of health information. Enhanced security provisions include a new data breach reporting requirement, which lowers the threshold at which victims must be notified. There are also new disclosure accounting rules, limits on how protected health information can be used for marketing and fundraising purposes and a ban on selling protected data.

HITECH also raises the penalties for noncompliance with HIPAA and provides greater resources for enforcing the rules. It significantly changes the landscape in terms of extending the reach of HIPAA to other entities (see "Who or what is affected by HITECH?").

Who or what is affected by HITECH?

One of the most significant amendments to HIPAA by the HITECH Act is the expansion of the categories of entities subject to the 1996 law's privacy and security rules. Healthcare providers, health plans and healthcare clearinghouses (the "covered entities" HIPAA already reached) remain subject to them; HITECH now applies the rules directly to those entities' business associates as well, and extends breach notification duties to certain vendors of health IT, such as personal health record (PHR) vendors, that are not covered entities. All of the above are now subject to numerous security requirements, including technical, physical and policy-related rules.

The HITECH Act also affects federal healthcare contractors and federal agencies that use healthcare IT systems to exchange health data.

What is generally required by HITECH?

Every entity covered under the HITECH Act has to review its information systems and infrastructure to ensure compliance with the law. These requirements are both extensive and complex, but they can be summarized broadly under two main categories: security and privacy.

HITECH broadens the definition of protected health information. Each entity affected by the law must make sure that it has identified and secured all of the relevant data. Securing this information with technology that matches the U.S. Department of Health and Human Services' (HHS) definition of the "most effective and appropriate technical safeguards" may allow some entities to avoid HITECH's stringent notification requirements in the event of a breach.

On Aug. 24, 2009, HHS published an interim final rule on breach notification in the Federal Register. It clarifies the obligations of covered entities and business associates when patients' unsecured protected health information (PHI) is breached.

Specifically, covered entities must notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such a breach. Furthermore:

  • Affected individuals must be notified by first-class mail (or by email, if the individual has agreed to electronic notice) without unreasonable delay and no later than 60 calendar days after the breach is discovered.
  • If the breach involves more than 500 residents of a given state or jurisdiction, covered entities must also notify prominent media outlets serving that area.
  • Breaches affecting 500 or more individuals must be reported to HHS at the same time the individuals are notified; smaller breaches are logged and reported to HHS annually.

A business associate must notify the covered entity of any breach of unsecured PHI. Notification is not required in three cases:

  1. If the PHI was rendered unreadable by destruction of the media before any unauthorized access could occur.
  2. If the PHI was encrypted in accordance with the National Institute of Standards and Technology (NIST) standards referenced in the HHS guidance, so that it does not count as "unsecured."
  3. If a risk-of-harm assessment, performed by the breached entity under the HHS rule, determines that the unauthorized access poses no significant risk of financial, reputational or other harm to the individual.

That last standard has proven controversial because of the amount of subjectivity it leaves to the breached entity, which conducts the assessment itself. The Federal Trade Commission, whose parallel breach notification rule covers personal health record vendors, has adopted a more conservative standard with no such harm threshold.

Individuals or groups covered under the HITECH Act need to have systems in place for detecting data breaches, recording security incidents and notifying victims as required. All business associate contracts must be amended to include the new requirements to address HITECH compliance.

What is the role of IT in HITECH compliance?

Privacy officers, chief information security officers, chief information officers, human resources, customer service and operations departments all belong in an effective compliance program. In fact, part of HITECH compliance is to provide training and ongoing awareness about breach notice procedures to key stakeholders outside of IT.

That said, operationally ensuring compliance with HITECH's security and privacy provisions is, to a large degree, an IT function. The security rules established under HIPAA do not require any particular IT system or set of safeguards, and HITECH does not mandate specific technologies for private entities either. The HITECH Act does, however, direct HHS to issue guidance annually on the "most effective and appropriate technical safeguards" for carrying out HIPAA security standards.

Although the HHS determination of what is most effective and appropriate is not a mandate, implementing it can prove beneficial in the event of a breach of protected health information. The HHS guidance on encryption shows why: The HITECH Act does not require encryption, but PHI that has been encrypted as the guidance specifies is not "unsecured," so its loss or theft does not trigger the breach notification obligations described above. The practical consequence for IT is that encrypting PHI at rest on laptops and removable media, and in transit, turns a lost device or intercepted transfer from a reportable breach into a non-event, provided the encryption keys were not compromised as well.

HITECH also broadens the category of health information that must be protected. The act directs HHS to define the "minimum necessary" information that data holders must limit themselves to when using, disclosing or requesting protected health information. Until HHS finalizes this definition, information has to be restricted to the limited data set defined in HIPAA privacy regulations. A "limited data set" omits names, street addresses, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers and nine other data fields. IT systems involved in the use, disclosure or request of protected data must take into account these restrictions.
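The field-removal rule above is something an export or API boundary can enforce mechanically. The following Python is an added example, not code from the original article, HHS or TechTarget: it strips the direct identifiers that a limited data set must omit (the seven the article names plus the remaining nine from 45 CFR 164.514(e)(2)) while keeping dates and coarse geography, which a limited data set is allowed to retain. The record layout, field names and sample patient record are assumptions constructed for the example; real systems would map the identifier list onto their own schema.

```python
"""Limited data set filter (added example; not from the original article).

Removes the 16 direct identifiers listed in 45 CFR 164.514(e)(2) from a
patient record, recursing into nested objects and lists. Dates and
city/state/ZIP are deliberately kept: that is what distinguishes a limited
data set from fully de-identified data. Field names are assumptions.
"""

# Direct identifiers that must be removed. The first seven are the ones the
# article names; the other nine are taken from the regulation text.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number",
    "health_plan_beneficiary_number", "account_number",
    "certificate_license_number", "vehicle_identifier", "device_identifier",
    "url", "ip_address", "biometric_identifier", "full_face_photo",
})

# Postal address sub-fields that MAY remain in a limited data set.
ADDRESS_KEEP = frozenset({"city", "state", "zip"})


def _norm(key):
    """Normalise a field name so 'Medical-Record-Number' matches
    'medical_record_number'."""
    return str(key).lower().replace("-", "_").replace(" ", "_")


def to_limited_data_set(record):
    """Return a new structure with direct identifiers removed.

    Nested dicts and lists are walked, so identifiers buried in an
    `address` block or a list of `contacts` are stripped too. The input
    is not modified.
    """
    def scrub(obj):
        if isinstance(obj, dict):
            out = {}
            for key, value in obj.items():
                nk = _norm(key)
                if nk in DIRECT_IDENTIFIERS:
                    continue
                if nk == "address" and isinstance(value, dict):
                    # Keep only city/state/zip from a postal address.
                    out[key] = {k: v for k, v in value.items()
                                if _norm(k) in ADDRESS_KEEP}
                    continue
                out[key] = scrub(value)
            return out
        if isinstance(obj, list):
            return [scrub(item) for item in obj]
        return obj

    return scrub(record)


def residual_identifiers(record):
    """Return the set of (normalised) direct-identifier field names still
    present anywhere in `record`. An empty set means the record qualifies
    as a limited data set; use this as a pre-disclosure check."""
    found = set()

    def walk(obj, in_address=False):
        if isinstance(obj, dict):
            for key, value in obj.items():
                nk = _norm(key)
                if nk in DIRECT_IDENTIFIERS or (in_address and nk not in ADDRESS_KEEP):
                    found.add(nk)
                walk(value, in_address=(nk == "address"))
        elif isinstance(obj, list):
            for item in obj:
                walk(item, in_address)

    walk(record)
    return found


# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Patient",
    "Medical-Record-Number": "MRN-00042",
    "ssn": "123-45-6789",
    "date_of_birth": "1970-03-14",
    "admission_date": "2009-09-01",
    "diagnosis_codes": ["E11.9", "I10"],
    "address": {"street": "12 Elm St", "city": "Springfield",
                "state": "MA", "zip": "01101"},
    "contacts": [{"type": "home", "phone": "555-0100",
                  "email": "jane@example.org"}],
    "device_identifier": "SN-9981",
}


if __name__ == "__main__":
    import json
    lds = to_limited_data_set(SAMPLE_RECORD)
    print(json.dumps(lds, indent=2))
    print("residual identifiers:", sorted(residual_identifiers(lds)))
```

Because the filter works by removing known identifiers, a new field such as `passport_number` added to the schema later would pass through untouched; for production use, an allowlist of fields permitted to leave the system is the safer design, with `residual_identifiers` kept as a second check on the output.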

HITECH's privacy requirements also include restrictions on the use of protected health information for marketing and fundraising purposes, a prohibition on selling information, a mandate to agree to requests for restricting the use and disclosure of data, and rules on accounting for the disclosure of data. HITECH compliance, given these requirements, will likely have an impact on the kinds of IT systems and infrastructure deployed.

What are the penalties for noncompliance?

The HITECH Act increases the civil monetary penalties for HIPAA noncompliance to as much as $50,000 per violation, with the violator's level of culpability determining the tier. If the entity did not know of the violation and would not have known with reasonable diligence, the penalty can be as little as $100 per violation. Violations due to "reasonable cause" but not "willful neglect" start at $1,000. Violations due to willful neglect start at $10,000 per violation if corrected within 30 days and at $50,000 if not. Under each tier there is a cap of $1.5 million on the total penalty for violations of the same provision in a calendar year.

In addition to heightened monetary penalties, HITECH authorizes state attorneys general to enforce HIPAA privacy and security requirements under certain circumstances. The act also authorizes HHS to conduct audits to ensure compliance with both HITECH's provisions and HIPAA's privacy and security requirements.

There are criminal penalty provisions under HIPAA as well. According to Rebecca Herold's SearchCompliance.com article on HIPAA enforcement, the regulation originally "provided for criminal penalties of fines of up to $250,000 and up to 10 years in prison for disclosing or obtaining PHI with the intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm." HITECH extends these provisions to the business associates of anyone covered under HIPAA.

As Herold points out, more government audits are also leading to more convictions. "The HITECH Act also permits the Office for Civil Rights (OCR) to pursue an investigation and apply civil monetary penalties against individuals for criminal violations of the HIPAA Privacy Rule and Security Rule if the Justice Department did not prosecute the individuals," she writes. "Additionally, the HITECH Act changes HIPAA to require formal investigations of complaints and to impose civil monetary penalties for violations resulting from willful neglect. Any civil monetary penalties collected must then be transferred to OCR to use for HIPAA enforcement activities, and the HHS must establish a process to distribute a percentage of the collected HIPAA penalties to harmed individuals."

Let us know what you think about the FAQ; email editor@searchcompliance.com.

All Rights Reserved, Copyright 2009, TechTarget | Read our Privacy Policy