The HITECH Act: safeguarding patient privacy in the digital age
The HITECH Act - Health Information Technology for Economic and Clinical Health - is a federal US law specifically for the protection of health information.
It works with HIPAA (Health Insurance Portability and Accountability Act) for three key reasons.
To promote the use of health information technology (HIT) systems,
To protect the privacy and security of protected health information (PHI), and
To strengthen enforcement and compliance in the healthcare industry.
Enacted by US Congress in 2009, HITECH addresses 5 primary goals in the US healthcare system:
Improving quality, safety, and efficiency of healthcare data - including the use of EHRs (electronic health records),
Engaging patients in their care,
Increasing coordination of care,
Improving the health status of the population,
And ensuring privacy and security.
On the patient side, HITECH gives certain rights. They have the right to access their health information, request corrections to it, and receive an account of how their PHI has been used. They can also limit certain disclosures for marketing and fundraising purposes.
One of the major impacts of the HITECH Act has been the widespread adoption of electronic health records (EHRs) in the US healthcare system. These have allowed for the vital storage and exchange of patient information.
What are EHRs?
Electric health records (EHRs) are digital versions of a patient's medical records designed for easy access to accurate and up-to-date patient information.
The information stored could be any patient health information - including medical history, diagnoses, medications, lab results and other relevant health data.
EHRs are incredibly important for compliance with the HITECH Act - so much so that financial incentives for healthcare providers (such as hospitals, clinics and private practices) are available.
They can help streamline clinical workflows, reduce medical errors, enhance communication among healthcare providers, and facilitate coordination of care across different healthcare settings. This includes better data analysis for population health management, research and public health purposes.
Though EHRs are designed to help improve healthcare access in the US, privacy and security is still a risk where PHI is quickly transferable. In response, HITECH works closely with HIPAA to strengthen existing obligations and impose a more robust regulatory framework.
How does HITECH work with HIPAA?
HITECH amended certain provisions of HIPAA to reflect the increased use of electronic health records and other HIT systems:
It expanded the scope of covered entities and business associates.
“Covered entities” in both laws now include not only healthcare providers, health plans, and healthcare clearinghouses, but also their business associates. I.e. individuals or entities that perform certain functions or activities on behalf of covered entities and involve the use or disclosure of PHI.
It strengthened breach notification requirements.
Covered entities must now notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media, in the event of a breach of unsecured PHI.
It increased penalties for non-compliance.
This includes both civil and criminal penalties, based on the level of culpability.
It strengthened enforcement and audits.
This includes increased audit activities by the Department of Health and Human Services to ensure compliance with the regulations.
What is the penalty for breaking HIPAA/HITECH?
The Office for Civil Rights (OCR) in the Department of Health and Human Services is responsible for enforcing the HITECH Act and HIPAA. State attorneys general have the authority to bring civil actions on behalf of state residents for violations.
The penalties are applied based on the level of culpability, which is split into four categories:
Tier 1: violations due to ignorance, or after reasonable diligence, would not have known.
From $100 to $50,000 per violation, with an annual maximum of $1.5 million.
Tier 2: violations due to reasonable cause and not wilful neglect.
From $1,000 to $50,000 per violation, with an annual maximum of $1.5 million.
Tier 3: violations due to wilful neglect but corrected within 30 days of discovery.
From $10,000 to $50,000 per violation, with an annual maximum of $1.5 million.
Tier 4: violations due to willful neglect and not corrected within 30 days of discovery.
A minimum of $50,000 per violation, with an annual maximum of $1.5 million.
For businesses in the healthcare industry, HITECH compliance needs to be an important priority. Organisations that experience breaches of PHI may face other costs, such as legal fees, reputational damage, and loss of business. Staying on top of compliance and managing EHRs responsibly is vital.