What is the HITECH Act?
In the first decade of HIPAA, compliance was easy. The threat of an audit was low, penalties for PHI breaches were relatively mild, and enforcement was practically nonexistent. All of that changed with the passage of the HITECH Act in 2009.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law by President Obama in February 2009 as part of the American Recovery and Reinvestment Act. Its primary purpose was to encourage healthcare providers to adopt Electronic Health Records (EHR) and the technology that supports them. It anticipated the potential impact, both good and bad, of the growth in the exchange of electronic protected health information (ePHI) between doctors, hospitals, and the vendors that store ePHI.
To encourage healthcare providers to adopt EHR technologies, the act included financial incentives for early adoption until 2015. After 2015, it began to levy financial penalties in the form of reductions in Medicare and Medicaid reimbursement for physicians who had not adopted EHR technologies.
Electronic Medical Record Access
For patients, one of the greatest features of the HITECH Act is that it gives patients of practices that have implemented an EHR system the right to obtain their PHI in an electronic format, bringing the official HIPAA guidelines into alignment with state laws that mandate patient access to their own medical records. Additionally, the act specifies that practices may only charge for the labor costs of fulfilling the request.
The HIPAA HITECH Act & Business Associates
Prior to the HITECH Act, business associates who did work that necessitated access to PHI on behalf of covered entities were not directly regulated, though they were still required to comply with HIPAA. All of that changed with the HITECH Act, which provided for direct regulation of business associates by stating that they must abide by the standards the Security and Privacy Rules set for them, although they were not held accountable for breaches until the passage of the Omnibus Rule in 2013.
Business associates must now report security breaches to covered entities as required by the Breach Notification Rule, and they are subject to civil and criminal penalties for noncompliance with the HIPAA rules and regulations. The end result of HITECH is that business associates and providers now share joint responsibility for compliance.
Expanding HIPAA Enforcement
In the past, HIPAA was not rigorously enforced, but the passage of the HITECH Act clarified and strengthened enforcement of the law by increasing penalties for noncompliance and, as mentioned above, by mandating that the same rules apply to business associates as to covered entities.
Armed with these stronger enforcement measures, HHS now more frequently audits covered entities and business associates that have breached ePHI or have been reported to be in willful neglect of HIPAA.
One of the challenges of compliance is that "willful neglect" is often at the discretion of the auditor, but as a general rule, if your organization does not have the required privacy and security documentation, you will be found in willful neglect.
Additionally, organizations can now be audited by a state attorney general as well as by the Department of Health and Human Services, which raises fears of politically motivated investigations of PHI handling by an attorney general driven by political ambition.
Prior to the HITECH Act, penalties for HIPAA violations were relatively mild and enforcement was so rare as to be nonexistent. It is easy to see why some people have called the HITECH Act "HIPAA on steroids": it laid out far tougher security requirements for covered entities to secure PHI, extended those same rules to their business associates, and backed them with increased fines and penalties for noncompliance. The key to avoiding those penalties is compliance, and HITECH provided both a stick and a carrot to achieve its goals.