HIPAA Emphasizes Privacy; HITECH Enforces It
If you say HIPAA to anyone today, most people will think of all those forms they have to initial before seeing a doctor. Then, there are the letters that arrive in the mail from their medical providers and healthcare plans, assuring them that their HIPAA privacy rights are being protected. Those with a good memory may even be able to recall that HIPAA stands for Health Insurance Portability and Accountability Act. But other than that, their knowledge of HIPAA stops there. Very few know that in addition to requiring confidential handling of what it deems protected health information (PHI) and ensuring its privacy, the federal law enacted in 1996 also mandates standards for defining protected healthcare information on electronic billing and statements; makes it possible for workers to continue or transfer health insurance if they lose their jobs or change employers; and reduces the possibility of healthcare abuse and fraud.
If you know all these advantages, I am willing to wager that you work for either a healthcare provider or hospital, healthcare plan, third-party service provider, or healthcare clearinghouse. If so, you work for what HIPAA calls one of its covered entities and, as such, is subject to HIPAA security and privacy mandates. And the fact that you have googled the difference between HIPAA and HITECH makes me certain because virtually no one outside those fields has even heard of HITECH. That is, other than companies like mine. Technijian provides IT security consulting and compliance support for employers like yours.
I am not sure what is prompting you to dig deeper into the world of HIPAA and HITECH. Perhaps you have been given the duty of new-hire training and making sure everyone in your workplace is up to speed on the dos and don’ts of HIPAA and the consequences of not doing so. Or maybe you are joining the team charged with keeping up HIPAA and HITECH compliance and want to know more about the latest regulations.
The problem is both HITECH has undergone numerous changes, and no one on your staff is sure whether they are following them. But taking that possibility one step further (and I hope this is not the situation in which your company finds itself), perhaps you have just learned that in keeping with HITECH’s enhanced enforcement climate and its breach notification requirements, the Department of Health and Human Services (HSS) will be auditing your company. You have been charged with gathering all the internal documents and electronic health records related to the incident. If so, be assured that you are not alone, and I know because I have provided help in many of these instances.
Privacy and Security: The Main Concerns of HIPAA
The Privacy Rule
In a nutshell, the privacy rule created a set of standards that would protect the privacy of patient medical records and any references that would reveal the patient’s identity. It mandated that safeguards be put in place to set limits on how this information could be used and to whom it could be released without patient notification and permission. These personal identifiers, known as protected health information (PHI), include names, Social Security numbers, email addresses, gender, ethnicity, birth dates, ZIP Codes, phone numbers, medical record numbers, and fingerprints photographs. Furthermore, the privacy rule gives patients the right to obtain copies of their records to examine them and request that inaccuracies be corrected.
The Security Rule
While the HIPAA privacy rule puts limits on the ways PHI can be used and how and to whom it can be disclosed, the other rule, the Security rule, gets strict about it, demanding that it be kept integral, secure, and confidential. Furthermore, it specifies three types of safeguards that must be in place: physical, administrative, and technical. Physical means anything containing PHI, be it paper or electronic, be kept under lock and key. Administrative includes requiring that traceable access control devices keep track of anyone who handles PHI plus requiring them to attend security awareness training sessions. Technical requires firewalls to be set up to protect all networks, and encryption software is used on all data.
So be aware that since HIPAA defines the following types of businesses as covered entities, if you work for one of these, your employer will face financial and/or criminal penalties if it violates either the privacy or the security rule:
- healthcare facilities
- health plans and Medicare-endorsed sponsors of Part D prescription drug discount cards
- healthcare clearinghouses that take nonstandard data and translate it into a standard format so it can be processed
- business associates, including third-party service providers like claims processors, billing coders, and data analysts who, while they do not create, receive, transmit or maintain PHI, encounter it daily, and have signed a Business Associate contract, binding it to maintain its integrity
So if you are in any way involved with making sure your employer complies with HIPAA rules and restrictions, make sure you are familiar with them since ignorance will not be accepted as an excuse.
The HITECH Carrot and Stick
Technically, the differences between HIPAA and HITECH are misleading since the two cannot be compared. Connected, yes. Compared, no. HIPAA, signed into law by President Bill Clinton in 1996, was created to set standards for healthcare privacy. It also specified that to improve efficiency, quality, and healthcare access, providers, and healthcare plans use the same billing codes and share the same patient records. To accomplish this, the use of electronic health records (EHR) was encouraged. However, when it was discovered that by 2008, 12 years after being signed into law, only 10% of hospitals in the U.S. had adopted EHR usage, it became apparent that more than encouragement was needed. HITECH filled this need
HITECH, formally the Health Information Technology for Clinical and Economical Health Act, is an economic stimulus package included in the American Recovery and Reinvestment Act of 2009, signed into law by President Obama. It was formulated to promote and expand the use of EHRs. To speed up the transition from paper to digital, HITECH contained incentives and penalties.
HITECH offered financial help for providers and hospitals willing to make the change but found the cost-prohibitive. For those who lagged for other reasons, HITECH levied substantial fines. As a result of this carrot-and-stick approach, the transition to EHR grew steadily from a paltry 10% in 2008, the year the Act went into effect, to 14.2% by 2015, and by 2017 86% of office practices were EHR-only and 96% for non-federal acute care hospitals.
HITECH Implications for Business Associates
By tightening up many of the loopholes left in HIPAA and levying a scale of financial penalties, the HITECH Act focused as much on business associates as it did on the healthcare facilities and organizations with which they worked. And it wasted no time. Requirements went into effect on November 30th of 2009 —a scant 12 months of its being signed into law.
The Omnibus Rule and Meaningful Use Program Ties It All Together
Five years later, on January 25, 2013, the Final Omnibus Rule incorporated HITECH requirements into HIPAA by bringing them together under the same law with a compliance date of September 23 of the same year. To facilitate compliance, HHS was given a $25 billion budget, a significant portion of which went into funding the Meaningful Use Program.
The Meaningful Use Program was a carrot dangled in front of healthcare providers, using financial incentives for them to adopt certified electronic health records (EHR) as a way of life. HHS defined certified as meaning it met the standards of authorized testing and compliance body. The purpose of this program, as the name says, is to use the information in the EHR in a meaningful, purposeful way to provide quality care, for example, the exchange of patient health information between a specialist and primary care doctor, or transmission of electronic prescriptions to pharmacies. The prime purpose behind the program was to make it possible to coordinate care in a way that would improve efficiency, contribute to better public health, including for those in rural or underserved communities, reduce cost, and facilitate patient/caregiver decisions — all in an atmosphere of privacy and security.
There were also financial incentives that increased each year as new privacy and security requirements were introduced in three stages. To qualify for federal funds, a covered entity had to prove that they were increasing the use of EHRs in meaningful private, secure ways and conducting prescribed risk assessments to demonstrate compliance with HIPAA privacy and security regulations. Failure to do so could result in a reduction of Medicare and Medicaid reimbursements.
HITECH’s Final Word: Ignore HIPAA Security and Privacy Rules at Your Own Financial Risk
Before HITECH, business associates signed contracts with covered entities who employed them, stating that they would abide by HIPAA security and privacy rules. However, should a breach occur on their watch, the covered entity could avoid sanctions by pleading that it did not know that the business associate was not HIPAA compliant. And since HIPAA made no provisions for fining associates, many were lax in meeting HIPAA standards. As a result, millions of patients had their medical records health records placed at risk.
But HITECH changed that. It legally required business associates to protect PHI, detect any breaches, and report them to their covered entities. They also underwent the same mandatory HIPAA audits and were subject to the same criminal and financial penalties if found to be at fault. And what is worse, the financial ante had been upped! Whereas in the pre-HITECH era, HHS fines ranged from $100 to $25,000 depending on the violation’s severity. Under HITECH rules, penalties for both covered entities and business associates were found to be guilty of willful neglect were subject to a tiered scale of penalties. Those found to be most egregious in their flouting of the rules were placed in Tier 4 and fined $50,000 per violation up to a yearly maximum of $1.5 million.
Perhaps you’re reading this because you’re getting your staff ready for a HIPAA audit, training new hires, or being responsible for the compliance so that you may be searching for some teachable material about audit compliance IT security. And so I invite you to take a look at our technijian.com website. Just select the resources tab and go to “blog,” where you’ll find several articles on compliance. Or if you prefer, contact us so we can tell you more.