Companies in the healthcare sector (“Covered Entities”) should already be aware of their HITECH compliance obligations, as they are closely linked to HIPAA compliance and often referred to as HIPAA HITECH compliance obligations. However, following the passing of HITECH, third-party service suppliers (“Business Associates”) now have a legal obligation to comply with HIPAA.
Although only a single section (Subtitle 4) of the Health Information Technology for Economic and Clinical Health Act (HITECH) applies to Covered Entities and Business Associates, it is a vital section. It allocates the Office for Civil Rights (OCR) the resources to pursue breaches of HIPAA HITECH compliance by bringing in a four-tier penalty structure with much higher financial penalties than previously.
Now any company violating HIPAA or HITECH compliance can be fined up to $1.5 million – even if there has not been an unauthorized disclosure of Protected Health Information (PHI). The fines can be applied by OCR if a business is found to be lacking in any part of its compliance efforts during an OCR audit or during an investigation into a complaint filed by a member of the public.
What does HITECH Compliance refer to?
In order to address the question “What is HITECH compliance” you need to take a step back and look at the aims of HITECH. HITECH was enacted as part of the American Recovery and Reinvestment Act in 2009 with the target of encouraging the use of technology in the healthcare industry. Its main goal was an electronic health record for each person in the United States by 2014.
In order to get the healthcare industry to implement technology, the Meaningful Use program was created. This program incentivizes healthcare suppliers to implement EHRs and similar tools, but concerns were raised about the integrity of electronically-stored PHI both at rest and in transit. Consequently, three new measures were created:
- The legal requirement for Business Associates to adhere to HIPAA. Subsequently it became necessary for Covered Entities to carry out due diligence on Business Associates.
- The legal requirement for healthcare suppliers to complete HIPAA Security Rule risk assessments in order to be eligible for Meaningful Use incentive payments.
- The legal requirement for all parties to adhere to the Breach Notification Rule. Fines were also established for the failure to report a breach of PHI.
Checklist for HITECH Compliance
In order to achieve HITECH compliance, Covered Entities and Business Associates should put together a HITECH compliance checklist. The HITECH compliance checklist should be based on a range of risk assessments to determine the entities' weaknesses and the threats to electronically-stored PHI, regardless of whether the entities are eligible for Meaningful Use incentive payments.
It is also a requirement for Covered Entities and Business Associates to integrate the relevant areas of HITECH into their mandatory HIPAA training. This should include a description of the Breach Notification Rule, the exclusions to the Rule (i.e. when it is not necessary to report an unauthorized disclosure of PHI), and the fines for failing to report a breach.
One crucial change to how breaches are handled is that OCR no longer bears the burden of proving that a breach of PHI has happened following an unauthorized disclosure. A breach is assumed to have taken place unless the Covered Entity or Business Associate can prove there is a low probability that the integrity of the disclosed PHI has been compromised.
Other Facets of the HITECH Act
Even though Subtitle 4 of the Health Information Technology for Economic and Clinical Health Act was the only element of the Act to refer directly to HIPAA, other elements of the HITECH Act were important in later amendments to HIPAA, in particular the first three Subtitles, which related to the creation of the Office of the National Coordinator for Health Information Technology (ONCHIT).
ONCHIT was charged with implementing an information security program to ensure the privacy, safety and integrity of PHI. The program created the Physical, Technical and Administrative Safeguards that “proactively classify and protect data from unauthorized access, transfer and use” and that were added to the HIPAA Security Rule in the Final Omnibus Rule 2013.
The other elements of the HITECH Act referred to the establishment of the Meaningful Use program, Medicare incentives and Medicaid incentives. As mentioned previously, these included the necessity for healthcare suppliers to complete HIPAA Security Rule risk assessments, and also led to further research on the benefits and risks of information technology in the healthcare sector.