The HITECH ACT & HIPAA Compliance Regulations

The American Recovery and Reinvestment Act of 2009 or the ARRA contains specific incentives that are provided to healthcare professionals/facilities that adopt any of the healthcare information technology formats. These incentives listed by the ARRA have been a major boost towards speeding-up the adoption of electronic health information processes like the Electronic Health Records (EHRs) among healthcare facilities. The Health Information Technology for Economic and Clinical Health Act, also called the HITECH, or just "The Act" is a critical part of the ARRA.

HITECH recognizes that due to the initiative taken up by ARRA there will be a substantial expansion in the number of healthcare facilities endorsing Electronic Health Records. Based upon this consideration, HITECH stresses upon the privacy rulings of the HIPAA that are aimed at restricting and regulating the use/disclosure of PHI (Patient Health Information). From an overall perspective, it can be summed-up that HITECH plays the critical role of expanding upon the stringency of the privacy regulations of HIPAA, acknowledging the spurt in the volume of the ePHI, i.e. Electronic Protected Health Information.

The HITECH Act also increases the scope of legal liability being enforced upon those who are non-compliant with HIPAA’s Privacy Rule. Therefore, the HITECH Act can also be understood as an enforcer of HIPAA’s compliancy benchmarks. There are many perspectives within HITECH Act's various provisions but the most crucial ones are those that are HIPAA-centric.

1. Enforcement Issues — penalties are imposed upon healthcare professionals who are guilty of willful neglect. Civil penalties covered under willful neglect can attract a financial penalty of up to $250,000 and those who are held guilty of repeated violations may be fined to the tune of $1.5 million. It should be noted that the penalty of $250,000 is charged for even a single account of a Privacy Rule violation. However, HITECH does not entertain individuals who want to bring a cause of action against a healthcare provider but this privilege is extended to state attorney generals who can do this on behalf of their residents. Even the HHS has been asked by HITECH to conduct periodic reviews of business associates and covered entities.

2. Access to Electronic Health Records — all healthcare providers who are using an EHR system should provide their patient’s PHI as ePHI, i.e. in the electronic format. The fee charged for providing PHI demanded by an individual should equal the cost incurred in the form of labor services employed for processing the electronic request.

Though it is not clear how the Act defines, 'meaningful use', the fact is that healthcare professionals who don’t process PHI requests from their patients or appointed representatives for meaningful use, are vulnerable to being barred from receiving the ARRA incentives.

3. Accountability of Business Associates — HIPAA's civil and criminal penalties now extend to business associates as well. Business associates are required to report any suspected security breaches to the respective covered entities. Thus, business associates and providers have been made collectively responsible for handling patient data under the HITECH Act. This development is more relevant for small providers who are not yet conversant with the concept of a business associate. In conventional medical practices, privacy/security requirements concerning the PHI were mentioned in contractual agreements between the business associates and covered entities but were not actually followed.

The enforcement of such clauses has been largely lax and HITECH plans to rectify this. Now, business associates are covered under the compliance compatibility regulations that are mentioned in Security Rule (SR). This is bound to make a significant impact on software vendors of EHR systems who had been posing as business associates but never owned-up to the PHI-related responsibility.

4. Notification of Data Breach — a data breach notification has been made mandatory for any kind of unauthorized use/disclosure of PHI. Most of the clauses in this notification are similar to the data breach laws that the state governments have endorsed for personally identifiable financial information. The notification is required for unsecured PHI, wherein the HHS is asked to establish the nature of PHI within 60 days of the enactment. If the HHS is unable to do then the definition of unsecured PHI approved by HITECH supersedes any authority.

For HITECH, unsecured PHI fundamentally refers to any kind of unencrypted PHI. HITECH clarifies that patients should be notified about any data breach and if the breach compromises the personal/health information of 500 patients or more, the HHS has to be notified. This leads to a Notification which in turn could lead to the breaching entity being posted on the HHS website or its identity being circulated in the local media.

5. Additional Requirements — HITECH contains some additional requirements that can be understood as modifications to the conventional HIPAA privacy standards, applicable under special circumstances. Common examples of these provisions include marketing-based communication and accounting procedures.

It should be understood that the HITECH Act performs the critical role of overseeing that HIPAA standards are being maintained by healthcare facilities/professionals who present themselves eligible for receiving incentives defined by the ARRA. The incentive funding is sourced from government resources and hence, HITECH is indirectly performing the function of making government spending more transparent, i.e. when related to the healthcare industry. With HITECH coming to the fore, healthcare professionals who want to adopt electronic health records and avail ARRA-sourced incentives have to educate themselves about HIPAA's Privacy & Security standards in a comprehensive manner to avoid compliance-related issues.