The healthcare industry is moving to an electronic world—phasing out paper medical records and replacing them with online systems to transmit and store electronic files. The increased availability of health information enables you to more easily access and transmit information, but also requires increased privacy and security controls to safeguard information.
The Health Information Technology for Economic and Clinical Health (HITECH) Act—passed by Congress in 2009—outlines the privacy and security actions necessary to protect electronic health records (EHRs). More specifically, HITECH describes 1) new requirements for the disclosure, use, and notification of health information; 2) accountability requirements for business associates (i.e., those who work with an organization that handles health information) to safeguard patient information; and 3) enforcement and penalties for those violating Health Insurance Portability and Accountability Act (HIPAA) regulations.
Disclosure, Use, and Notification
A number of changes have been made regarding how you can disclose and use health information, including granting individuals the right to restrict disclosures and uses for marketing purposes. In the event of a privacy or security breach, our organization must notify each individual whose unsecured protected health information has been accessed, acquired, used, or disclosed.
Before HITECH, business associates were obligated to follow the HIPAA provisions outlined in their Business Associate Agreements. With the implementation of HITECH, business associates are now legally required to follow ALL HIPAA security provisions rather than just the requirements included in their agreements.
Enforcement and Penalties
HITECH requires periodic audits of organizations to ensure HIPAA compliance and also permits civil action against individual employees who violate HIPAA regulations. Penalties for violations have increased substantially and range from $100 to $50,000 per violation, up to an annual maximum of $1.5 million, depending on the type of violation.
What Do You Need to Do?
Our organization has created privacy and security policies to comply with HIPAA and the new HITECH requirements. You have a responsibility to know and follow these policies and procedures. If you neglect to comply—whether intentionally or not—you are violating the law and may face severe consequences. So, if you don’t know, always ask!
What about ARRA?
The American Recovery and Reinvestment Act (ARRA) of 2009—also known as the Stimulus Act—provides financial incentives for healthcare organizations to use EHRs. The HITECH Act is included in ARRA.