HIPAA was passed into law in 1996, not exactly the heyday of digital technology. It wasn’t until over a decade later that Congress decided to implement updates to the law to address the rise of digital technology. Their goal? To push providers to update their record-keeping to Electronic Health Record (EHR) systems, secure those systems effectively, and eliminate the loopholes that would prevent adherence to the law.
Thus, the Health Information Technology for Economic and Clinical Health (HITECH) Act was born. Here, we’ll discuss some of the changes that HITECH made to HIPAA law and how those changes inform the compliance obligations of businesses in the healthcare industry.
What is HITECH?
The HITECH Act was passed by Congress and signed into law in 2009 as part of the American Recovery and Reinvestment Act to incentivize and promote digital technology and record-keeping in the healthcare industry. Before this law, healthcare providers and other related organizations did not have a standard requirement for data storage and record-keeping, even to the point where hospitals would have various digital and paper records collections.
However, HITECH isn’t just a law to promote efficiency in healthcare (although it does accomplish this). Having a standard, efficient and secure digital form of record-keeping helps these institutions protect Personal Health Information (PHI) and maintain its integrity.
Alongside promoting the adoption of digital record-keeping solutions, HITECH adjusted several provisions of other laws, including HIPAA. These changes included the following:
- Business Associates and Culpability: Under the original language of HIPAA, business associates were required to comply with security laws if they handled PHI but were not directly regulated by HIPAA. HITECH changed this so that business associates were equally governed by HIPAA law in their management of PHI, including civil and criminal penalties and required notifications.
- Increased Penalties for Noncompliance: HITECH increased enforcement measures related to noncompliance and expanded audit capabilities to local jurisdictions and the Department of Health and Human Services (HHS).
- Patient Rights for Information Disclosure: Under HITECH, once organizations shifted to Electronic Health Record (EHR) systems, patients or designated third parties had the right to obtain their records for review.
HITECH and Meaningful Use
A significant part of the HITECH legislation was to incentivize the adoption of EHR systems. This plan worked well, considering that, by 2017, over 90% of all healthcare providers had switched to digital record-keeping.
Part of this program was a series of incentivized payments that broke down as follows:
- $15,000 for organizations in their first year of investment and development (initially $18,000 in 2011 and 2012)
- $12,000 in their second year
- $8,000 in their third year
- $4,000 in their fourth year
- $2,000 in their fifth and final year
However, to qualify for this money and continue to maintain compliance, the organization has to demonstrate that its EHR systems and investments fall under a concept called “meaningful use.” While this is a vague term (even for seasoned compliance officers), HHS defined it as the “five pillars of health outcomes.”
These pillars require that certified technology accomplish the following:
- Improve the quality, safety and efficiency of healthcare overall and reduce health disparities.
- Engage patients and families about healthcare provision, patient concerns, etc.
- Improve coordination of care between organizations, departments and doctors.
- Improve public health through the improvement of general healthcare.
- Ensure the privacy and confidentiality of patient PHI as dictated by HIPAA.
Meaningful use, security and electronic record keeping all fall under the compliance standards for HITECH.
How Do I Become or Stay HITECH Compliant?
Several criteria, across several areas of focus, come into play with HITECH compliance. The general approach, however, is to deploy and use secure EHRs. This process is accomplished through three stages of meaningful use:
- Stage 1 covers several core objectives that ensure that an EHR can code and organize data for patient tracking and care coordination. This can differ depending on the organization in question and the types of information and practices they engage with but will generally cover minimal security and integrity requirements.
- Stage 2 involves advanced EHR implementation and security. At this stage, organizations must show that at least 60% of prescriptions and 30% of labs and radiology orders are done through electronic patient records, with 50% of all prescription orders transmitted electronically.
- Stage 3 requires that the provider have everything from Stages 1 and 2 implemented, with tested security measures in place and a secure network for patients to access their information. Additionally, all compliance protocols must be implemented, all business associates must be HIPAA compliant, and PHI must be accessible to authorized employees.
Ultimately, your organization should reach Stage 3 for its EHR systems to be compliant. On top of that, you must meet the additional HIPAA requirements added by HITECH, including:
- Breach Notification: If your systems are breached and unsecured PHI is exposed, you must have mechanisms and policies to notify the appropriate authorities and stakeholders.
- Business Associates: If you have any business associates that touch PHI as part of their work with you, they must be compliant and attest to such compliance in accordance with a standardized Business Associate Agreement that you can produce during audits.
- Maintain Technical and Physical Safeguards: As technology changes, your obligations under HITECH change. This includes updating to adequate encryption and system security measures, implementing sufficient physical controls (keypads, cameras, biometric protections, etc.) and updating these systems as needed.
- Perform Regular Testing: EHR systems must undergo regular scanning and testing. While specific tests or scans aren’t spelled out in HIPAA or HITECH, the Security Rule calls for organizations to perform security risk assessments regularly. This should always include penetration testing, vulnerability scanning, and the like for IT systems.
- Always Remediate Issues: Under HITECH, noncompliance became much more costly, especially in cases of willful neglect. “Willful neglect,” under HITECH, is when an organization is deemed to have known about a security problem or noncompliance, willfully ignored it and refused to address it. By running tests, addressing issues and mitigating problems (including noncompliance), you can avoid this problem.
Power HIPAA and HITECH Compliance with Lazarus Alliance
Compliance with HIPAA and HITECH regulations is difficult and ongoing. Businesses have significant rules to consider, including implementing and managing effective IT systems and privacy controls. While HITECH has been standing law for over a decade, its impact has shaped how rigorous HIPAA requirements can be.