HITECH Act and Meaningful Use

When the HITECH ACT and Meaningful Use incentive program was enacted in 2009, it was considered “the most important piece of healthcare legislation to be passed in the last 20 to 30 years.” Not only did the HITECH Act and Meaningful Use incentive program aim to have every US citizen´s health information electronically accessible within five years, it also introduced new measures to protect the integrity of electronic Protected Health Information (ePHI).

One of the key measures introduced by the HITECH Act and Meaningful Use incentive program was to make Business Associates and subcontractors liable for any unauthorized disclosures of ePHI attributable to their own negligence. Previously, Business Associates and subcontractors could avoid liability for breaches of ePHI by claiming they were unaware of the requirement to be HIPAA compliant. HITECH closed that loophole.

Other Measures Introduced in the HITECH Act and Meaningful Use Program

Several other measures were introduced in the HITECH ACT and Meaningful Use incentive program that apply to every business with access to PHI – whatever formats it is stored or transmitted in. These included a new Breach Notification Rule, increased penalties for businesses responsible for breaches of PHI, and the introduction of HIPAA compliance audits. Businesses applying for Meaningful Use incentive payments also had to conduct a HIPAA Security Rule risk assessment.

For Business Associates and subcontractors – who had historically made little effort to ensure the integrity of PHI – the HITECH ACT and Meaningful Use incentive program not only meant they now had to comply with HIPAA, they could be audited to check on their compliance efforts, and fined if they were found not to be HIPAA compliant – irrespective of whether a breach of PHI had occurred or not. This was quite a reversal from the previous state of affairs.

There are implications for Covered Entities as well. Before entering into a Business Associate Agreement with a third-party service provider who will have access to PHI, Covered Entities are required to conduct due diligence on the Business Associate. If Covered Entities fail to conduct appropriate checks that the Business Associate is HIPAA compliant, the Covered Entity can be considered liable if a breach of PHI subsequently occurs.

Fines for Non-Compliance with HIPAA and the HITECH Act

Non-compliance with HIPAA is not an option for Covered Entities and Business Associates that have access to PHI. When the HITECH Act and Meaningful Use incentive program increased the fines that could be imposed by the HHS Office for Civil Rights (OCR), it also gave the OCR more resources to enforce HIPAA, conduct more audits and impose more fines. Some of the settlements to have reached the public domain include:

  • In June 2016, Catholic Health Care Services of Philadelphia became the first Business Associate to be fined for non-compliance with HIPAA when it agreed to pay $650,000 for failing to conduct a risk assessment and implement appropriate security measures (read more).
  • In January 2017, Presence Health – one of the largest health care networks in Illinois – agreed to pay $475,000 after failing to comply with the HIPAA Breach Notification Rule which requires the OCR is notified of PHI breaches (of more than 500 records) within sixty days (read more).
  • In April 2017, the Center for Children´s Digestive Health in Illinois agreed to pay $31,000 for failing to have a Business Associate Agreement in place with a document storage company to whom it had provided the medical records of 10,728 patients (read more).

To find out more about HIPAA, the HITECH Act and Meaningful Use incentive program, download our HIPAA Compliance Guide – a valuable source of information that outlines the key essentials of what is required to be HIPAA compliant. Within the Guide there are sections dedicated to Covered Entities obligations and the regulations governing Business Associates, plus a useful resource guide in the Appendix if further information is required about specific topics.