The HITECH Act and the Implementation of EHR and Privacy
The Health Information Technology for Economic and Clinical Health Act, or HITECH Act for short, is a federal law passed to promote the adoption of health information technology, particularly the use of electronic health records (EHRs) by healthcare providers. Enacted as part of the American Recovery and Reinvestment Act, the economic stimulus package signed into law by the Obama administration in 2009, the HITECH Act also closed certain gaps in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HITECH Act was intended to advance the healthcare industry by improving efficiency and care coordination, making it easier for health information to be shared between patients and their respective healthcare providers.
What is health information technology?
Health information technology covers the storage, retrieval, use, and sharing of data related to a patient's healthcare. Common examples of health information technology include electronic medical record systems, telehealth, clinical decision support, and computerized provider order entry, among many others. While this information was historically written down by hand, technological advances have allowed it to be stored electronically. By processing and storing healthcare information electronically, healthcare professionals can reduce medical errors, cut down on repetitive paperwork, provide higher quality and more affordable healthcare, and give more individual attention to their patients.
Why was the HITECH Act important?
Prior to the passage of the HITECH Act in 2009, only about 10% of doctors and medical professionals within the U.S. used electronic health records in their day-to-day operations. While many healthcare providers wanted to move their medical records to electronic systems, the cost of doing so could be prohibitive in practice. The HITECH Act therefore introduced both financial incentives and deterrents designed to offset the costs of transitioning from handwritten health records to electronic health records.
To give an example of these financial incentives, eligible professionals who demonstrated "meaningful use" of certified electronic health record technology were entitled to Medicare incentive payments of $18,000 for the first year of implementation ($15,000 for those whose first year was after 2012), $12,000 for the second year, $8,000 for the third year, $4,000 for the fourth year, and $2,000 for the fifth year. Conversely, starting in 2015, eligible professionals who failed to demonstrate meaningful use became subject to payment adjustments, that is, reductions in their Medicare reimbursement.
As a result of these financial incentives and deterrents, the adoption of electronic health records in healthcare facilities across the country increased from 3.2% in 2008 to 14.2% in 2015. To illustrate the point further, 86% of office-based physicians had adopted some form of electronic health record by 2017, and 96% of non-federal acute care hospitals had implemented certified health information technology by the same year.
In addition to incentivizing healthcare professionals to adopt electronic health records, the HITECH Act expanded the patient privacy protections originally established by HIPAA in 1996. Under HIPAA as originally enacted, "business associates," the vendors and contractors who create, receive, maintain, or transmit protected health information on behalf of covered entities, were bound only by the written business associate agreements they signed with those covered entities; HHS could not enforce HIPAA against them directly. The HITECH Act changed this by making business associates directly subject to the HIPAA Security Rule and to certain Privacy Rule requirements, and directly liable for civil penalties when they fail to comply.
Notifications of data breaches
The HITECH Act also requires covered entities to notify affected individuals of breaches of unsecured protected health information, that is, health information that was not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through encryption). These notification requirements are similar in nature to the state and federal data breach laws covering unauthorized disclosure of financial information. In general, patients whose protected health information has been compromised must be notified without unreasonable delay, and no later than 60 days after the breach is discovered, irrespective of whether the breach originated inside or outside the organization. Business associates that discover a breach must in turn notify the covered entity they serve.
Where a breach affects 500 or more individuals, the covered entity must also notify the HHS (United States Department of Health and Human Services) at the same time as the affected individuals, and HHS posts information about the breach on its public breach portal. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered. Where a breach affects more than 500 residents of a single state or jurisdiction, prominent local media outlets in that state or jurisdiction must be notified as well. These provisions are another example of the HITECH Act's emphasis on privacy and data protection.
What are the penalties for violating the HITECH Act?
Prior to the passage of the HITECH Act in 2009, HIPAA's enforcement provisions had two significant weaknesses. First, business associates who handled protected health information were not directly regulated by HIPAA, so covered entities could point to a vendor when something went wrong without that vendor facing regulatory consequences. Second, civil penalties were small: as little as $100 per violation, with a maximum of $25,000 per calendar year for violations of the same provision. To address this, the HITECH Act introduced a four-tier penalty structure based on the violator's level of culpability:
- Tier 1: The covered entity or business associate was unaware of the violation and, by exercising reasonable diligence, would not have known that HIPAA rules were violated. $100 to $50,000 per violation, with a maximum penalty of $1.5 million per calendar year for violations of the same provision.
- Tier 2: The violation was due to reasonable cause and not to willful neglect; the entity knew, or by exercising reasonable diligence should have known, about the violation. $1,000 to $50,000 per violation, with a maximum penalty of $1.5 million per calendar year.
- Tier 3: Willful neglect of HIPAA rules, with the violation corrected within 30 days of discovery. $10,000 to $50,000 per violation, with a maximum penalty of $1.5 million per calendar year.
- Tier 4: Willful neglect of HIPAA rules, with no effort made to correct the violation within 30 days of discovery. $50,000 per violation, with a maximum penalty of $1.5 million per calendar year.
HIPAA and the HITECH Act are enforced primarily by the HHS Office for Civil Rights (OCR). The HITECH Act additionally authorized state attorneys general to bring civil actions in federal court on behalf of residents of their state who have been harmed by a HIPAA violation. The HITECH Act does not, however, create a private cause of action, so an individual patient cannot sue a healthcare provider directly under HIPAA or HITECH for a violation. The HITECH Act also directs HHS to conduct periodic audits of covered entities and their business associates to verify that they are complying with the HIPAA Privacy, Security, and Breach Notification Rules.
The HITECH Act was passed to modernize an American healthcare system that had been slow to bring technology into its day-to-day operations. It also closed the gap that had allowed business associates handling protected health information to operate outside direct HIPAA regulation, and it replaced HIPAA's modest penalties with a tiered structure carrying substantially larger fines. Through financial incentives and deterrents, direct liability for business associates, and the risk of enforcement by HHS and state attorneys general, healthcare providers and facilities have gradually adopted electronic health records over the past decade, with stronger privacy and breach notification obligations attached to the data those records contain.