How Does HITECH and HIPAA Affect Your Healthcare Business?

Back in February of 2009, the Obama Administration put the HITECH act into law, primarily as a means to update HIPAA which was started in 1996, and needed to be updated. But what is HITECH and how does it affect HIPAA?

What is HITECH?

HITECH stands for the Health Information Technology for Economic and Clinical Health Act.

It is a part of The American Recovery and Reinvestment Act of 2009 (ARRA) and was created to define and promote the use of electronic health records (EHRs) and Protected Health Information (PHI) by healthcare providers.

It was also created to help clarify (and improve!) the Health Information Portability and Accountability Act (HIPAA).

What is HIPAA?

In 1996, Congress introduced the Health Insurance Portability and Accountability Act (HIPAA). This legislation was created to address two factors:

• Provide health insurance coverage for workers who were between jobs.
• Implement controls to safeguard private health information and prevent fraud.  

How Does HITECH Affect HIPAA?

Although the The American Recovery and Reinvestment Act was primarily a stimulus bill meant to jumpstart the post-recession American economy, a portion of the bill was meant to address the failures of HIPAA.

This subsection was known as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The goals of HITECH include:

• Remove HIPAA loopholes by tightening up and clarifying the previous language.
• Ensure compliance and accountability for healthcare providers.  
• Increase the enforcement mechanism for violations.
• Promote and expand the adoption of EHRs by healthcare providers. 

It's mainly the healthcare industry that are affected by these new regulations, but many related organizations are affected as well. In general, there are many organizations in various industries that need help with regulatory compliance, as data privacy laws keep changing and expanding.

But let's take a look at all of the pieces that make up the HIPAA and HITECH puzzle, starting with a definition of some of the related acronyms!

What's Included in an EHR?

What’s included in an Electronic Health Record (EHR)? 

An EHR typically includes: 

• Contact information 
• Information about visits to healthcare professionals 
• Allergies 
• Insurance information 
• Family history 
• Immunization status 
• Information about any conditions or diseases 
• A list of medications 
• Records of hospitalization 
• Information about any surgeries or procedures performed 
• X-Rays and other types of medical images 

What is PHI?

PHI includes, but is not limited to: 

• a patient's name, address, birth date, Social Security number, biometric identifiers or other individually identifiable health information
• an individual's past, present or future physical or mental health condition and diagnosis 
• any care provided to an individual and anecdotal information related to care 
• information concerning the past, present, or future payment for the care provided to the individual that identifies the patient or information for which there is a reasonable basis to believe could be used to identify the patient
  

Examples of PHI might include a medical record, a lab report, or a hospital bill because these documents contain enough information to connect a patient's name with protected health data. 

PHI does not include: 

• employment records, including information about education, as well as other records subject to or defined in the Family Educational Rights and Privacy Act (FERPA) 
• deidentified data, meaning data that does not identify or provide information that could identify an individual -- there are no restrictions to its use or disclosure. 

An example of information that might seem like but is not technically PHI would be information collected by a consumer IoT/smartwatch device, such as blood pressure or heart rate data because that info isn’t shared with a covered entity. 

So many acronyms, right?

That’s the downside, but the upside is HITECH helps ensure that notifications are sent to affected individuals when health information gets compromised and enforces tougher penalties for HIPAA compliance by incentivizing EHR handlers to comply with HIPAA.

HITECH also created the HIPAA WALL OF SHAME (you don’t want to be on this), and greater clarity for HIPAA compliance (spoiler alert: it’s still on the ambiguous side but more clear than before). 

How Does HITECH Affect HIPAA?

In a nutshell, HITECH establishes a concrete framework for the compliance goals of HIPAA by promoting the use of secure, portable EHRs (which contain PHI) using three stages of meaningful use and security. 

Stage 1  

These rules have some nuance depending on the organization and type of healthcare business.

For example, covered professionals and hospitals must meet 15 core objectives, 5 out of 10 “menu” objectives and 6 Clinical Quality Measures (called CQMs for short).

Providers are excused from meeting inapplicable standards. For example, physical therapists don’t write prescriptions so they’re excluded from compliance to e-prescriptions. 

The core objectives of Stage 1 are focused on generally deploying and securing EHRs. 

Stage 2  

This stage is focused on using EHRs in more meaningful, sophisticated ways, such as being able to: 

• Support at least five clinical decisions 
• Record over 60% of prescriptions, and 30% of both lab and radiology orders 
• Transmit over 50% of prescriptions 
• Transmit care records when patients are transferred 
• Provide patient-specific education to over 10% of patients 
• Compile and verify an accurate list of medications when patients are transferred 
• Give patients online access to their health records 
• Provide patients a way to communicate securely online 
• Track immunization and other public health data 

Electronic security is the first goal for Stage 2 HITECH compliance, such as encryption, regular risk analysis, and automated security updates. 

Stage 3

HITECH’s Stage 3 is still under development and continues to evolve, but HITECH, as a whole, requires providers be HIPAA certified under the standards of the Omnibus Rule, which provides: 

• strengthening the privacy and security protection for individuals' PHI; 
• modifying the Breach Notification Rule for unsecured PHI and putting in place more objective standards for assessing a healthcare provider's liability following a data breach; 
• modifying the HIPAA Privacy Rule to strengthen the privacy protections for genetic information; 
• outlining OCR's data privacy and security enforcement strategies, as updated for the electronic health record (EHR) era and as mandated by the HITECH Act; 
• extending the Breach Notification Rule to vendors of EHRs and EHR-related systems; 
• holding HIPAA BAs to the same standards for protecting PHI as covered entities, including subcontractors of BAs, in the compliance sense; 
• stipulating that, when patients pay by cash, they can instruct their provider not to share information about their treatment with their health plan; 
• setting new limits on how information is used and disclosed for marketing and fundraising purposes; 
• prohibiting the sale of an individual's health information without their permission; 
• making it easier for parents and others to give permission to share proof of a child's immunization with a school; 
• streamlining an individual's ability to authorize the use of their health information for research purposes; 
• increasing penalties for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation; and 
• guaranteeing that organizations can operate with certainty that their privacy and security policies comply with all the applicable regulations 

HITECH has also strengthened the HIPAA breach notification rule and expanded HIPAA compliance requirements to cover any business partners who use, store or process PHI.

That means billing companies, consultants, and IT technicians working on computers that store EHR are all responsible for the same security and privacy standards. 

How IT Service Providers Can Help With Regulatory Compliance

We know this is a lot of information!

Couple these requirement to PCI-DSS (for payment processing compliance) and it’s not hard to understand why a compliance and security program doesn’t work a la carte.

A good program requires a unified strategy that addresses your organization’s compliance requirements all together.

Which is appropriate because it’s everyone’s job and not just a few of us!

Check out our case study page to see how we've helped organizations of all sizes across many industries achieve and maintain regulatory compliance, including HITECH, HIPAA and more.