HIPAA/HITECH Compliance – What Is the HITECH Act?
Aug 24th, 2016 by aperio

Not sure what the HITECH Act is all about? If you’re new to HIPAA compliance and related concerns, here’s a quick overview.

Summary of HITECH Act

HITECH stands for Health Information Technology for Economic and Clinical Health. The HITECH Act was created in 2009 to encourage the adoption and “meaningful use” of electronic health records (EHR) and supporting technology in the U.S. The act was part of the American Recovery and Reinvestment Act (ARRA) economic stimulus bill. The HITECH Act initially offered financial incentives to providers who demonstrated “meaningful use” of EHRs. Later stages of the act’s implementation included penalties for providers who did not meet these requirements.

The HITECH Act also modified HIPAA. One of the ways it did so was by requiring covered entities to notify individuals whose protected health information (PHI) has been compromised. Additionally, it increased the fines that can be applied for noncompliance (up to $1,500,000); it authorized state Attorneys General to bring actions to enforce violations of HIPAA; it expanded portions of HIPAA to apply to business associates of covered entities; and it required the federal Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to audit both covered entities and their business associates.

Present and Future of HITECH Act

Many features affected by the HITECH Act are currently under debate, including changes to the definition of “meaningful use” of EHRs, cybersecurity issues, and interoperability issues.

As of April of this year, proposed new federal regulations may bring an end to the electronic health records “meaningful use” incentive program portion of the HITECH Act. This portion would be replaced with a simplified program. Concerns raised about these proposed changes state that they fail to address cybersecurity threats from hackers and ransomware, a topic of real concern as healthcare providers have been under increased attack this year.

The proposed changes would also affect payment mechanisms for physicians, attempt to fight information blocking, and replace the current “meaningful use” program with the “advancing care information” category. As the HHS explains, this category would focus on interoperability and information exchange and, in contrast to the existing program, would not require an all-or-nothing approach to measuring the quality of EHR use. (For more on the proposed changes, see Healthcare Info Security’s in-depth article on the security impact of Medicare’s new physician payment plan.)

Need to Learn More about HIPAA/HITECH Compliance?

If you’d like to learn more about HIPAA/HITECH compliance and how it affects your business, Aperio-IT will be holding a free Lunch and Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations. You can find out details and register here to attend.

Have any HIPAA or HITECH security questions? Come to our Lunch and Learn event and feel free to ask us any questions before, during our Q&A session, or after the event. We are here to answer any questions you may have.

It’s More Than Just an IT Problem
Jun 16th, 2016 by aperio

Not every HIPAA security requirement is related to technology. Just two of the requirements to keep in mind when you work to make your company HIPAA compliant include Business Associate Agreements and Risk Assessment.

HIPAA Requirement for Business Associate Agreement

In addition to your IT department’s need to keep Protected Health Information (PHI) in electronic form secure, you need to consider issues not related to technology. For example, if a company you work with is considered a business associate under HIPAA, you must have a business associate agreement (BAA) in place with them before transmitting PHI to them. This BAA is a contract to uphold PHI security according to HIPAA guidelines. Failure to have the BAA in place at the proper time can result in fines and other penalties.

In a recent case, a surgical practice ended up having to settle with the Office for Civil Rights of the U.S. Department of Health and Human Services (OCR) for $750,000 after it improperly disclosed several thousand patients’ PHI to a service provider without first entering into a BAA with that provider. The service provider had agreed to digitize x-rays containing PHI in exchange for extracting and keeping the silver from the x-ray film. While this provider’s service might not appear at first glance to be related to health care, the fact that the x-rays contained PHI and the provider “created, received, maintained, or transmitted” the PHI without a BAA in place made all the difference in this case.

HIPAA Requirement for Risk Assessment

HIPAA requires all covered entities, their business associates, and subcontractors of business associates to conduct a risk assessment. As stated in HIPAA, these entities must, “…implement policies and procedures to prevent, detect, contain, and correct security violations.” Further, a risk assessment is defined as a, “…thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”

In another case, a Minnesota-based health care company paid a $1.5 million settlement after one of its business associates was investigated. A laptop containing PHI for the health care company’s patients had been stolen from the car of one of the business associate’s employees. The health care company was penalized both because there was no BAA in place between it and its business associate, and because it had not conducted an adequate analysis of the security threats to the PHI.

HIPAA Audits, Phase 2 – Business Associates May Also Be Audited

As we mentioned in our recent post, “Is Your Business Affected by HIPAA Regulations,” the OCR launched Phase 2 of its HIPAA Audit Program on March 21, 2016. In this phase, any covered entity or business associate may be audited. Per the OCR, these audits can involve onsite assessments or desk audits.

Need to Learn More about HIPAA Compliance?

If you’d like to learn more about how HIPAA compliance may affect your business, Aperio-IT will be holding a free Lunch and Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations. You can find out details and register here to attend.

Is your business affected by HIPAA regulations?
May 20th, 2016 by aperio

Not sure if you should be concerned about HIPAA regulations? It’s time to start thinking about it if you haven’t already: on March 21, 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) launched Phase 2 of its HIPAA Audit Program. This phase of the audit program, “…will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”

How does this affect your business? Well, if you’re a covered entity or a covered entity’s business associate you could, of course, be selected for auditing. But even if you don’t draw the short straw when it comes to being audited, you can still face liability costs if you’re found to be out of compliance. According to an April Bloomberg BNA article, New York-Presbyterian Hospital reached a $2.2 million settlement with the OCR after the agency alleged that the facility had violated HIPAA when it allowed filming of patients without those patients’ consent.

While hospitals are a fairly obvious example of covered entities, you should be aware that hospice care providers, palliative care providers, and respite care providers are also considered covered entities under HIPAA. This means that if one of your company’s clients provides any of these kinds of care, you may be considered a business associate under HIPAA.

  • Hospice care – involves terminally ill patients. This type of care is designed to support people in the final phases of a terminal illness and focuses on quality of life and comfort instead of attempting to cure the illness.
  • Palliative care – involves chronically ill patients, although not necessarily terminally ill ones. This type of care is designed to provide relief from the symptoms and stress of a serious illness.
  • Respite care – involves planned or emergency care for a patient in order to provide temporary relief to caregivers (usually family members).

Generally speaking, a business associate is any individual or organization that creates, receives, transmits, stores, or otherwise maintains Protected Health Information (PHI) on behalf of a covered entity for a function regulated under HIPAA. Further, the obligation to comply with HIPAA applies to business associates even if they have no formal agreement with the covered entity stating that they are considered business associates.

If you’d like to learn more about how HIPAA compliance affects your business, Aperio will be holding a Lunch & Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations. Please contact us to register if you’d like to attend.

Additional information on HIPAA:

  • For a basic introduction to what the Health Insurance Portability and Accountability Act is, you can check out our previous blog post “What Does HIPAA Mean?”
  • To learn more about what your IT team will face when dealing with HIPAA compliance, take a look at our blog post “What Does Your IT Team Need to Know about HIPAA Compliance?”

HIPAA LUNCH AND LEARN EVENT
May 16th, 2016 by aperio

REGISTER HERE:
http://events.r20.constantcontact.com/register/event?oeidk=a07ecnjnfc31de5b02d&llr=hxcf8qcab

APERIO IT, ALONG WITH LENOVO AND HIPAA PLUS, WILL BE HOSTING A FREE LUNCH AND LEARN EVENT THAT WILL START AT 11:30AM AND GO UNTIL 1:30PM ON JUNE 8TH. WE WILL GO OVER SOME NEW HIPAA LAWS THAT WENT INTO EFFECT AND THEN HOLD A ‘Q & A’ SESSION TO ANSWER ANY HIPAA RELATED QUESTIONS YOU MAY HAVE.

HIPAA trends that could affect your business
May 9th, 2016 by aperio

The HIPAA Audit Program

On March 21, 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) launched Phase 2 of its HIPAA Audit Program. This phase of the audit program, “…will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”

According to the OCR, the number of audits done in this phase will be relatively small. This smaller number of audits reflects the OCR’s primary goal of better understanding the compliance efforts of covered entities and their business associates. The audit results will hopefully provide information to help the OCR determine what support is necessary for successful compliance.

This could be good news for companies that experience an audit; while the OCR maintains the option to initiate a compliance review in the case of egregious compliance issues, it will probably not be focusing primarily on enforcement actions.

HIPAA’s Privacy Requirements vs. the Spread of Social Media

How to maintain patients’ privacy in the face of widespread social media use is an ongoing challenge. With privacy rules that were originally written in 2000, then updated only once in 2009, it’s no wonder that HIPAA is lagging behind the rapid pace of technological change.

Although current regulations don’t completely cover the changing technological landscape, there are some common sense steps businesses can take to protect themselves. A good practice is to carefully remove all identifiers from PHI if it must be shared without the patient’s prior consent.

But be warned: modern search engines mean that surprisingly small amounts of information can unexpectedly be enough to identify patients. This means even a seemingly vague post on a site like Facebook could contain enough information to identify a patient, leading to liability concerns for the poster and their employer. Examples in the past few years include a Rhode Island physician who lost her privileges to work in the Emergency Room and faced a monetary fine for posting information online about a trauma patient. According to a Boston Globe article, “… [the] posting did not include the patient’s name, but… enough that others in the community could identify the patient.”

Your company will need to have clear, well-planned policies regarding social media use and will need to be certain that all employees have been made aware of these policies.

If you’d like to learn more about how HIPAA compliance affects your business, Aperio will be holding a Lunch & Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations.

PLEASE REGISTER FOR OUR EVENT HERE (YOU MAY BRING 2 GUESTS):
http://events.constantcontact.com/register/event?llr=hxcf8qcab&oeidk=a07ecnjnfc31de5b02d

Additional information on HIPAA:

  • For a detailed look at dealing with Protected Health Information online, read The Hospitalist’s article on avoiding data breaches and HIPAA violations when posting online.
  • For a basic introduction to what the Health Insurance Portability and Accountability Act is, you can check out our previous blog post “What Does HIPAA Mean?”
  • To learn more about what your IT team will face when dealing with HIPAA compliance, take a look at our blog post “What Does Your IT Team Need to Know about HIPAA Compliance?”