When the HITECH Act and Meaningful Use incentive program were established in 2009, they were referred to as “the most important piece of healthcare legislation to be passed in the last 20 to 30 years.” Not only did the HITECH Act and Meaningful Use incentive program aim to have every US citizen’s health data electronically accessible within five years, they also brought in new measures to protect the integrity of electronic Protected Health Information (ePHI).
One of the key measures brought in by the HITECH Act and Meaningful Use incentive program was to make Business Associates and subcontractors liable for any unauthorized disclosures of ePHI attributable to their own negligence. Prior to this, Business Associates and subcontractors could avoid liability for breaches of ePHI by claiming they were unaware of the requirement to be HIPAA compliant. HITECH shut that loophole.
Other Measures Brought in by the HITECH Act and Meaningful Use Program
Many other measures were introduced in the HITECH Act and Meaningful Use incentive program that apply to every company with access to PHI, whatever format it is stored or sent in. These included a new Breach Notification Rule, increased fines for businesses responsible for breaches of PHI, and the introduction of HIPAA compliance audits. Businesses applying for Meaningful Use incentive payments also had to complete a HIPAA Security Rule risk assessment.
For Business Associates and subcontractors, who had historically made few attempts to ensure the integrity of PHI, the HITECH Act and Meaningful Use incentive program not only meant they now had to adhere to HIPAA; they could also be audited to check on their compliance efforts, and fined if they were deemed not to be HIPAA compliant, irrespective of whether a breach of PHI had occurred. This was quite a change from the previous state of affairs.
There are implications for Covered Entities also. Before entering into a Business Associate Agreement with a third-party service supplier who will have access to PHI, Covered Entities are required to complete due diligence on the Business Associate. If Covered Entities fail to carry out appropriate checks that the Business Associate is HIPAA compliant, the Covered Entity can be considered liable if a breach of PHI subsequently takes place.
Non-compliance with HIPAA must be avoided by Covered Entities and Business Associates that have access to PHI. When the HITECH Act and Meaningful Use incentive program increased the fines that could be imposed by the HHS Office for Civil Rights (OCR), they also gave the OCR more resources to police HIPAA, conduct more audits and impose more fines.