The HITECH Act
HITECH is an acronym for Health Information Technology for Economic & Clinical Health.
How is HITECH Act related to HIPAA?
The HITECH Act is a part of an economic stimulus package introduced in 2009 during the Obama administration, the American Recovery and Reinvestment (ARRA) Act of 2009. The purpose of the HITECH Act is to incentivize the use of Healthcare IT in order to make healthcare systems more efficient. Under the act, hospitals and physicians who make meaningful use of interoperable EHR qualify for additional payments qualify for medicare and medicaid programs.
The HITECH Act also expanded the scope of Privacy and Security protection available under HIPAA compliance by increasing the potential legal liability for non-compliance and providing more stringent enforcements. The introduction of the HITECH Act brought with it a number of important changes to HIPAA. Many of these updates are related to HIPAA enforcement. For e.g. HITECH allows HIPAA enforcement organizations to levy higher fines against organizations that are found to be non-compliant. HITECH states that all violations caused by “willful neglect” must be inspected and fines are mandatory for organizations found guilty of these violations.
The HITECH Act:
- expands HIPAA to apply to Electronic Health Records (EHRs),
- mandates that patients are notified if their health data has been exposed in a data breach (this wasn’t mandatory before the HITECH Act)
- requires 3rd parties providing services to covered entities (CEs) to comply with certain elements of HIPAA.
HIPAA Regulatory Rules
HIPAA regulations are divided into several major standards or rules. HIPAA main regulatory rules to consider are the following:
- Omnibus Rule – activated the HIPAA related changes that had been part of the HITECH Act
- Privacy Rule – sets limits regarding the use of patient information when no prior authorization has been given by the patient
- Security Rule – defines the minimum standards to safeguard ePHI
- Breach Notification Rule – specifies how the department of HHS should be notified if a data breach is discovered
- Enforcement Rule – details how an investigation should be carried out when a PHI data breach has occurred
- Administrative Simplification Rules – In addition to ensuring the Privacy & Security of healthcare data, one of HIPAA’s other major functions is to improve efficiency in the healthcare industry. To achieve this, HIPAA introduced a number of standard practices for CEs to use when completing electronic transactions including:
- adoption of electronic transaction standards for admin and financial activities
- use of standard code sets for diagnoses, procedures, treatments, diagnostic tests, and equipment and supplies
- use of standard unique identifiers for all plan members, employers, and healthcare providers
HIPAA Omnibus Final Rule
The last major HIPAA legislative update, the Omnibus Final Rule completed the regulation changes included in the HITECH Act. The rule was finalized by OCR and came into effect in Mar 2013. It contained the final modifications in HIPAA Privacy & Security Rule. It includes changes for enforcement, breach notification rules, and the Genetic Information Nondiscrimination Act (GINA).
The Omnibus Rule includes a range of updates to HIPAA including:
- updated breach notification rules,
- new patient protection and rights,
- expanding the rules for HIPAA electronic health records (EHRs)
- tougher penalties for HIPAA violations
- new rules for Business Associates (BAs)
The Omnibus Final rule effectively merges 4 separate rules:
- amendments to HIPAA Privacy & Security rule requirements
- HIPAA and HITECH Act are now under one rule
- Further requirements for data breach notifications and penalty enforcements
- approving the regulations regarding the HITECH’s Breach Notification rule
HIPAA Privacy Rule
The main function of the HIPAA Privacy Rule is to outline how and when covered entities and business associates can use and disclose protected health information. It created standards that prevented the misuse of sensitive patient data.
The Privacy Rule has provisions in place for allowing the efficient disclosure of PHI to parties with permission to use it, thereby improving workflows in the healthcare industry. The Privacy Rule states that healthcare organizations must receive the patient’s permission (authorization) to disclose information to third parties. Some exceptions to this rule include when the disclosure to a 3rd party is related to a healthcare operation, treatment, or payment for a service.
The Minimum Necessary Rule is a part of the HIPAA Privacy Rule. It requires healthcare workers to use, disclose, and request only the minimum amount of PHI necessary to complete a task. This is an important rule to follow for all employees in the healthcare industry as it is particularly pertinent to the day-to-day workflows of healthcare staff.
The Minimum Necessary Rule doesn’t apply in the following circumstances:
- disclosures to or requests by a healthcare provider for treatment purposes
- disclosures to the individual who is the subject of the information
- uses or disclosures made pursuant to an individuals authorization
- use or disclosures that are required by other law
HIPAA Security Rule
The Security Rule established a set of minimum security standards for protecting all ePHI that a CE and BA create, receive, maintain or transmit.
This rule addresses security concerns surrounding ePHI but the standard also applies to physical PHI. The Security Rule maintains that the CE should employ appropriate safeguards to ensure the confidentiality, integrity, and availability of ePHI. The ePHI may be stored on computers, mobile devices, networks, or in the cloud.
The Security Rule divides the safeguards into 3 categories:
- Administrative safeguards – policies and procedures explaining how the entity will remain HIPAA compliant.
- Physical safeguards – requires the implementation of physical controls to protect data and prevent it from being stolen or accessed by unauthorized individuals
- Technical safeguards – controlling access to computer systems and protection of communications containing PHI transmitted electronically over open networks in order to prevent ePHI from being intercepted and accessed by anyone other than the intended recipient
P.S. – Part 4 will cover the Patient Rights, Disclosure Rules, & HIPAA violation consequences.