HITECH Act and Meaningful Use
When the HITECH Act and Meaningful Use incentive program was enacted in 2009, it was considered “the most important piece of healthcare legislation to be passed in the last 20 to 30 years.” Not only did the HITECH Act and Meaningful Use incentive program aim to have every US citizen's health information electronically accessible within five years, it also introduced new measures to protect the integrity of electronic Protected Health Information (ePHI).
One of the key measures introduced by the HITECH Act and Meaningful Use incentive program was to make Business Associates and subcontractors liable for any unauthorized disclosures of ePHI attributable to their own negligence. Previously, Business Associates and subcontractors could avoid liability for breaches of ePHI by claiming they were unaware of the requirement to be HIPAA compliant. HITECH closed that loophole.
Other Measures Introduced in the HITECH Act and Meaningful Use Program
Several other measures were introduced in the HITECH Act and Meaningful Use incentive program that apply to every business with access to PHI – whatever formats it is stored or transmitted in. These included a new Breach Notification Rule, increased penalties for businesses responsible for breaches of PHI, and the introduction of HIPAA compliance audits. Businesses applying for Meaningful Use incentive payments also had to conduct a HIPAA Security Rule risk assessment.
For Business Associates and subcontractors – who had historically made little effort to ensure the integrity of PHI – the HITECH Act and Meaningful Use incentive program not only meant they now had to comply with HIPAA, they could be audited to check on their compliance efforts, and fined if they were found not to be HIPAA compliant – irrespective of whether a breach of PHI had occurred or not. This was quite a reversal from the previous state of affairs.
There are implications for Covered Entities as well. Before entering into a Business Associate Agreement with a third-party service provider who will have access to PHI, Covered Entities are required to conduct due diligence on the Business Associate. If Covered Entities fail to conduct appropriate checks that the Business Associate is HIPAA compliant, the Covered Entity can be considered liable if a breach of PHI subsequently occurs.
Fines for Non-Compliance with HIPAA and the HITECH Act
Non-compliance with HIPAA is not an option for Covered Entities and Business Associates that have access to PHI. When the HITECH Act and Meaningful Use incentive program increased the fines that could be imposed by the HHS Office for Civil Rights (OCR), it also gave the OCR more resources to enforce HIPAA, conduct more audits and impose more fines. Some of the early settlements to have reached the public domain include:
- In June 2016, Catholic Health Care Services of Philadelphia became the first Business Associate to be fined for non-compliance with HIPAA when it agreed to pay $650,000 for failing to conduct a risk assessment and implement appropriate security measures.
- In January 2017, Presence Health – one of the largest health care networks in Illinois – agreed to pay $475,000 after failing to comply with the HIPAA Breach Notification Rule, which requires that the OCR be notified of PHI breaches (of more than 500 records) within sixty days.
- In April 2017, the Center for Children's Digestive Health in Illinois agreed to pay $31,000 for failing to have a Business Associate Agreement in place with a document storage company to which it had provided the medical records of 10,728 patients.
Details of more recent fines and settlements can be found in our guide to penalties for HIPAA violations.
To find out more about HIPAA, the HITECH Act and Meaningful Use incentive program, download our HIPAA Compliance Guide – a valuable source of information that outlines the key essentials of what is required to be HIPAA compliant. Within the Guide there are sections dedicated to Covered Entities' obligations and the regulations governing Business Associates, plus a useful resource guide in the Appendix if further information is required about specific topics.
Is the Meaningful Use program still incentivizing the adoption of health IT technology?
In 2018, the Meaningful Use program was renamed the Promoting Interoperability program with the emphasis no longer on the adoption of health IT technology, but rather the use of the technology to improve information sharing. The current objectives and required reporting criteria can be found on the Promoting Interoperability page of the CMS website.
Do businesses applying for payments under the Promoting Interoperability program still have to conduct risk assessments?
Businesses applying for payments under the Promoting Interoperability program have to “conduct or review a security risk analysis in accordance with the requirements in 45 CFR § 164.308”. Additionally, businesses must attest to having implemented all security updates as necessary and corrected any security deficiencies that have been identified in the risk analysis.
Did Covered Entities and Business Associates have to comply with the HITECH Act as soon as it was passed?
No. Although some provisions of the HITECH Act were enacted immediately, some provisions were delayed for 60 days, 90 days, or a year. The Meaningful Use incentive program did not start until 2011. Additionally, most of the provisions in Subtitle D (“Privacy”) were not enacted until the Department of Health and Human Services published the HIPAA Final Omnibus Rule in 2013.
How did HITECH close the loophole that allowed Business Associates to get away with data breaches?
As a result of HITECH, Covered Entities were required to conduct due diligence on any third party with whom they shared PHI and to sign a Business Associate Agreement with that third party. The Agreement stipulates the terms and conditions of the business arrangement: what PHI will be disclosed to the third party and what measures the third party must implement to keep it secure.
Did the HITECH Act and Meaningful Use program achieve their objective of having every US citizen's health information electronically accessible within five years?
Unfortunately not. However, they did increase the adoption of health information technology considerably. At the time the HITECH Act was passed, EHR adoption in the U.S. was just 3.2%. By the end of 2017, 96% of non-federal acute care hospitals and 86% of private physicians' offices had adopted EHRs. Furthermore, each state now also has a Health Information Exchange.