Businesses within the healthcare industry (“Covered Entities”) should already be familiar with their HITECH compliance obligations, as they are closely related to HIPAA compliance and often referred to as HIPAA HITECH compliance obligations. However, following the passage of HITECH, third-party service providers (“Business Associates”) now also have a legal requirement to comply with HIPAA.
Although only one section (Subtitle 4) of the Health Information Technology for Economic and Clinical Health Act (HITECH) applies to Covered Entities and Business Associates, it is a very important section. It gives the Office for Civil Rights (OCR) the resources to pursue breaches of HIPAA HITECH compliance by introducing a four-tier penalty structure with much higher financial penalties than before.
Now any business in breach of HIPAA or HITECH compliance can be fined up to $1.5 million – even if there has not been an unauthorized disclosure of Protected Health Information (PHI). The fines can be issued by OCR if a business is found to be lacking in any element of its compliance efforts during an OCR audit or during an investigation into a complaint filed by a member of the public.
What is HITECH Compliance?
In order to answer the question “What is HITECH compliance?”, it is necessary to take a step back and look at the objectives of HITECH. HITECH was enacted as part of the American Recovery and Reinvestment Act in 2009 with the purpose of encouraging the use of technology in the healthcare industry. Its ultimate goal was an electronic health record for each person in the United States by 2014.
In order to encourage the healthcare industry to adopt technology, the Meaningful Use program was developed. This program incentivizes healthcare providers to implement EHRs and similar tools, but concerns were raised about the integrity of electronically-stored PHI while it was at rest and while in transit. Consequently, three new measures were introduced:
- The legal requirement for Business Associates to comply with HIPAA. It later became necessary for Covered Entities to conduct due diligence on Business Associates.
- The legal requirement for healthcare providers to conduct HIPAA Security Rule risk assessments in order to be eligible for Meaningful Use incentive payments.
- The legal requirement for all parties to comply with the Breach Notification Rule. Financial penalties were also introduced for the failure to report a breach of PHI.
HITECH Compliance Checklist
In order to ensure HITECH compliance, Covered Entities and Business Associates should compile a HITECH compliance checklist. The HITECH compliance checklist should be based on a series of risk assessments to determine the entities’ vulnerabilities and the threats to electronically-stored PHI, regardless of whether the entities are eligible for Meaningful Use incentive payments.
It is also necessary for Covered Entities and Business Associates to integrate the relevant areas of HITECH into their mandatory HIPAA training. This should include an explanation of the Breach Notification Rule, the exclusions to the Rule (i.e. when it is not necessary to report an unauthorized disclosure of PHI), and the financial penalties for failing to report a breach.
One very important change to how breaches are handled is that OCR no longer has the burden of proof that a breach of PHI has occurred following an unauthorized disclosure. A breach is assumed to have occurred unless the Covered Entity or Business Associate can prove that there is a low probability that the integrity of the disclosed PHI has been compromised.
Other Elements of the HITECH Act
Although Subtitle 4 of the Health Information Technology for Economic and Clinical Health Act was the only element of the Act to relate directly to HIPAA, other elements of the HITECH Act were influential in later amendments to HIPAA – in particular the first three Subtitles, which related to the establishment of the Office of the National Coordinator for Health Information Technology (ONCHIT).
ONCHIT was given the responsibility of implementing an information security program to ensure the privacy, safety and integrity of PHI. The program developed into the Physical, Technical and Administrative Safeguards that “proactively classify and protect data from unauthorized access, transfer and use” and that were added to the HIPAA Security Rule in the Final Omnibus Rule 2013.
The remaining elements of the HITECH Act related to the establishment of the Meaningful Use program, Medicare incentives and Medicaid incentives. As mentioned above, these included the necessity for healthcare providers to conduct HIPAA Security Rule risk assessments, and also led to further research on the benefits and risks of information technology in the healthcare industry.