The Health Information Technology for Economic and Clinical Health Act
The Health Information Technology for Economic and Clinical Health Act of 2009 is an important legislative act which was introduced as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
ARRA was an economic stimulus bill that was introduced to help safeguard existing jobs, create new jobs, and help the United States recover from the great depression of the late 2000s.
ARRA introduced tax incentives for individuals and companies, expanded unemployment benefits and other social welfare provisions, and provided funds to cover the cost of improvements to infrastructure.
Investments were also made to improve economic efficiency and drive technological advances in science and health. The Health Information Technology for Economic and Clinical Health Act is detailed in Title XIII of ARRA.
Goals of The Health Information Technology for Economic and Clinical Health Act
The Health Information Technology for Economic and Clinical Health Act, often referred to as the HITECH Act, had several goals:
- To encourage the adoption of health information technology to improve quality, safety, and efficiency in healthcare.
- To improve human and organizational infrastructure to achieve effective health information exchange and increase the meaningful use of health IT.
- To improve privacy protections and enhance security to safeguard electronic health information.
- To encourage compliance with the Health Insurance Portability and Accountability Act (HIPAA) by increasing the financial penalties for HIPAA violations.
- Make business associates of HIPAA-covered entities legally responsible for protecting health information and improve compliance with HIPAA Rules.
Encouraging the Meaningful Use of Electronic Health Records
$25.9 billion was committed to encourage the adoption of health information technology to improve efficiency and reduce the cost of healthcare.
Prior to the introduction of the Health Information Technology for Economic and Clinical Health Act, the majority of healthcare providers were still heavily reliant on paper records and had not made the transition to electronic health records (EHRs).
One of the main goals was to create a network of electronic health records. Without electronic health records, population health management is difficult. Paper records are fine for keeping a record of the health of an individual but in order to improve the health of the nation as a whole, a network of EHRs is required. EHRs allow health trends and outcomes to be monitored and analysed. They also allow all members of a care team to easily access essential health information of patients, regardless of the location where care is provided.
A considerable body of evidence has shown that the use of EHRs along with clinical decision improves coordination of care, quality, and safety.
To encourage healthcare providers to transition to EHRs, a considerable portion of the budget was used to fund a program to encourage the meaningful use of EHRs – Called the Meaningful Use Program. There were three stages to the Meaningful Use Program. Healthcare organizations were able to claim payment for completion of each stage to offset the cost of adopting EHRs.
Improving Privacy and Security in Healthcare
EHRs can help to improve efficiency in healthcare and allow health records to be easily shared, but they must also be shared securely. Patient privacy must be protected. HIPAA legislation already limited the allowable uses and disclosures of health information and required healthcare organizations to implement safeguards to ensure the confidentiality, integrity, and availability of health records.
While compliance with HIPAA Rules was mandatory, the penalties for noncompliance were low and didn’t serve as an effective deterrent. The HITECH Act greatly increased the penalties for noncompliance with HIPAA and paved the way for greater enforcement of HIPAA Rules.
TheHealth Information Technology for Economic and Clinical Health Actintroduced a new, tiered penalty system with mandatory financial penalties for wilful neglect of HIPAA Rules. Penalties for noncompliance with HIPAA were increased from $100 per violation up to a maximum of $25,000, to a maximum penalty of $50,000 per violation up to a maximum of $1.5 million per violation category.
Business Associates and HIPAA Compliance
Business associates of HIPAA-covered entities were already required to comply with HIPAA Rules and had to sign a business associate agreement with healthcare organizations. The business associate agreement explains the responsibilities the business associate has to protect healthcare data and patient privacy. However, prior to the introduction of the Health Information Technology for Economic and Clinical Health Act, business associates of HIPAA covered entities could not be fined directly for HIPAA violations.
The Health Information Technology for Economic and Clinical Health Act changed this and tightened up the language of HIPAA to ensure that healthcare providers were required to obtain satisfactory assurances that their business associates were in compliance with HIPAA and that HIPAA-covered entities and business associates shared the responsibility to safeguard health information.
Breach Notification Requirements
The Health Information Technology for Economic and Clinical Health Act also introduced therequirement to send notifications to individuals whose protected health information has been exposed or accessed by unauthorized individuals.
This requirement was incorporated into HIPAA in the Breach Notification Rule. The Breach Notification Rule requires individuals to be notified of any breach of unsecured protected health information within 60 days of the discovery of the breach and for a summary of the breach to be sent to the HHS’ Office for Civil Rights. The Breach Notification Rule also requires business associates of HIPAA covered entities to notify covered entities if they experience a breach of unsecured PHI.
Other Changes Introduced by the Health Information Technology for Economic and Clinical Health Act
Other key changes that were introduced include giving individuals the right to obtain copies of their protected health information in electronic form and allowing them to revoke previous authorizations given to healthcare organizations.
Restrictions were also placed on allowable uses and disclosures of protected health information with respect to marketing communications and HIPAA-covered entities were required to maintain a record of the individuals/companies with whom health information had been disclosed.