The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, builds upon the HIPAA framework by specifically promoting the adoption and meaningful use of electronic health records (EHRs) and enhancing HIPAA’s privacy and security protections for electronic storage and transmission of Protected Health Information (PHI), thereby creating a more integrated, secure, and efficient healthcare information system.The HITECH Act was introduced by the administration of President Barack Obama as part of an economic stimulus package. One of the main goals of the HITECH Act was to support and encourage the uptake of technology in the healthcare industry and this effort was assisted by the Department of Health and Human Services (HHS), who were provided with a budget of over $25 billion to ensure the success of the project.
Part of this money was put toward an aspect known as the Meaningful Use program. The goal of Meaningful Use was to give health care providers incentives to switch to using electronic health records (EHRs). In order to be eligible to receive some of the financial incentives from the program from the HHS, organizations had to show that their new systems used EHRs and also complied with all aspects of the Health Insurance Portability and Accountability Act (HIPAA), notably the HIPAA Security Rule and the HIPAA Privacy Rule. Compliance was partly demonstrated through performing risk assessments. In evaluating this, the failure rate seemed to imply that HIPAA rules needed to be enforced more strictly.
HITECH leads to stronger HIPAA
Before the HITECH Act came into force, many HIPAA-covered entities and their Business Associates (BAs) escaped the penalties associated with violating HIPAA by pleading ignorance of the law. Even those that were punished were only subject to very minor sanctions – fines of $100 for every violation with a maximum cumulative fine of $25,000. HITECH changed that by giving the HHS more power and, perhaps crucially, more severe penalties. A tiered sanction system was put in place that increased the maximum fine per violation to $1.5 million.
Faced with the prospect of a much higher potential penalty, HIPAA-covered entities and their BAs began to bring their practices into line with their obligations under HIPAA. In addition, through penalties, HHS had been endowed with a greater revenue source to finance investigations into disclosures of protected health information (PHI). With this, it began a program of auditing covered entities. Several phases of audits have already taken place.
Further impacts on HIPAA
The HITECH Act added further elements to HIPAA. One of these was the Breach Notification Rule, requiring HIPAA-covered entities to inform HHS, and, in some cases, the public at large, of unauthorized disclosures of PHI. This notification must be completed within a certain time period following the breach. A provision of the law also requires BAs to inform the cover entities of any breaches that may occur due to their actions, which the covered entities must in turn report to the HHS. This means that HIPAA-covered entities must take greater precaution when choosing BAs.
Changes made to the HIPAA Privacy Rule dealt with how PHI could be used, notably in relation to marketing activities and patient consent. Importantly, these modifications introduced the possibility that covered entities or BAs could face criminal charges brought by the HHS in the case of PHI being improperly used or disclosed.