HITECH, or Health Information Technology for Economic and Clinical Health Act, necessitates safeguarding PHI, i.e., Protected Health Information. It also focuses on the digitalization and electronic transfer of information to patients and doctors.
Even though HIPAA prevails in the healthcare sector, it’s important to understand the rules and regulations enforced by HITECH. It’s vital to know how HITECH has transformed and raised standards to fulfill health security and privacy requirements.
What is the HITECH Compliance ACT?
HITECH came into existence in 2009 as a part of the American Recovery and Reinvestment Act Bill.
The HITECH Act was enforced to initiate the meaningful use of electronic health records (EHR) by healthcare providers. Here the term ‘meaningful use’ refers to the adoption and implementation of certified EHR technology which can be measured both qualitatively and quantitatively. All the patients must gain access to their respective protected health information electronically and must be informed of any data infringement of the PHI of the patient. It also delineates stringent penalties for organizations involved in the wilful neglect of HITECH prerequisites.
HITECH mandates the security audits of all the medical care resulting in the effective implementation of the Privacy and Security Rules of HIPAA. These audits help identify whether the healthcare service providers fulfill the set standards and comply with the Privacy and Security Rule of HIPAA or not. It aims to deliver maximum benefits of healthcare to the patients.
HIPAA vs HITECH: What’s the difference?
HITECH and HIPAA are autonomous laws. However, they enrich each other in some ways. For instance, technologies and technology standards established under HITECH cannot compromise with the privacy and security laws of HIPAA. Doctors and hospitals must conduct a security risk assessment for HIPAA if they certify to purposeful use as specified by HITECH.
HITECH Compliance Checklist
The quintessential objective of HITECH compliance is to enhance the application of secure EHR. Thus, it is mandatory to monitor and safeguard the quality and security standards ensuring appropriate implementation of EHR.
The HITECH Compliance checklist focuses on the following parameters:
Business Associates & Breach Rules
One way to assess the potential areas that need to be addressed for full compliance of HITECH Act requirements is to have an audit by the Office of Civil Rights. This audit identifies the deviations in the current scenario concerning the HITECH security requirements. Such audits can be conducted whenever required and not just in acknowledgment to the accusations. Arbitrary audits ensure that the healthcare providers and their business associates comply with the set standards.
The compliance audits cover the following spheres:
- Policies and Procedures
- Agreements of Business Associates
- Training and Awareness
- Data Security and Management
Prerequisites for Office of Civil Rights Audit
- All the HITECH policies and procedures must be in action. The users must be aware of and well-trained about the legal procedures. They can be questioned during the audit to test their knowledge and understanding of the HITECH subtleties.
- Storage and transfer of confidential information must be under strict supervision with the absolute aim to safeguard protected health information.
- Reducing interaction with sensitive information leads to lower possibilities of infringement. Conversion of PHI into digital forms is one way to avoid a breach. You can also keep strict control over the location and accessibility of the information.
- Integration of data with the document management system is extremely beneficial. This software helps you maintain strong security and minimize threats to the data by limiting the user access levels. It also makes it easy to detect any potential breaches if they happen.
- Wrong use and disclosure of PHI is the main reason for complaints. A clear trail audit helps to identify three main parameters– who, what, and when. It gives a detailed report on who retrieved the data, at what time, and how they used the accessed data. This ensures you have made every effort to secure PHI.
- Ensure that your business partners comply with the HITECH business associate requirements mentioned in the HITECH business associate agreement. You must also evaluate them when required.
- All the personal protected health information must be enciphered both in storage and transfer modes.
- Strong security mechanism must be implemented for the security of PHI for mobile phones.
Under HIPAA, there are clear guidelines about the release of information – what information can be released without the patient’s authorization and what cannot. The notification requirements under HITECH are akin to data breach laws in many states. These laws usually deal with personally identifiable financial information.
As per the HITECH Compliance Act, if there is any unsecured breach of the patient’s data, the patient has to be notified. In case 500 or more patients are affected by the breach, notifications have to be sent to HHS as well. Local media, too, needs to be notified in such a case. Notifications also have to be sent to the State Privacy Officer. Patients whose information has been breached need to be sent a first class mailing. The mailing has to address each patient personally and include information about what happened and what is being done to resolve the situation. In some cases, the entity will need to pay for patients to access their credit reports for free.
Breach Notification Rules
The procedures and policies for breach notification have to be established and explained so that when a breach occurs, whether or not to trigger notification is clearly determined.
The following factors may help in deciding whether the breach notification is needed:
- Grave risk of harm to the patient
- Inappropriate disclosure or use of unsecured PHI
- Any exception to breach rules
Interesting Read: What is PHI and What is Not?
What to do when a breach notification is triggered:
- The entity covered by HITECH needs to notify patients.
- The entities must be notified by business associates.
- The notification cannot take longer than 60 days to complete.
- As discussed earlier, depending on the number of patients affected by the breach, the notification methods will vary.
- The reported incident needs to be logged.
- If protected health information or PHI is involved, the incident has to be documented, and breach analysis needs to be conducted.
PHI that has not been encrypted or destroyed, or both, is known as unsecured PHI. For the data to be destroyed, it has to be rendered
- Unusable, or
Notification requirements are not triggered if the PHI is secured as per HHS guidelines.
As is evident, breach notification involves plenty of documentation. You need to ensure that you have policies and guidelines set up so that breaches of PHI are prevented. Also, note that if a breach occurs, you may need to deal with a lot more documentation and follow-up, depending upon what type of breach has occurred.
Agreements with Business Associates
Specific HIPAA provisions that earlier dealt with business associates are now under the purview of the HITECH compliance. As per these guidelines, responsibility for the protection of ePHI will be shared by
- the providers and
- the business associates.
This is because an increased amount of information is shared in such associations. The responsibility will also extend to
- the EHR vendor
- the provider
- the hubs that will be accessible to others.
New rules such as Omnibus are also coming up. They will allow small to medium entities to comprehend all the rules that they have to comply with to protect the patient’s data security and privacy.
Compliance and Security
Contrary to popular belief, technology doesn’t solve everything. PHI is vulnerable to all sorts of breaches. The best encryption is useless if the passwords your employees choose are weak. Patients can still sneak a peek at someone else’s information even if the system is set to log out automatically.
To counter all this, you need to focus on safeguards not just in IT but outside of it too. This means physical control of access to any areas where patient information is stored.
- In a small doctor’s clinic, this would mean barring patients from accessing areas where computers with patient information are kept.
- In larger hospitals and other such entities, this would mean keycard access, security guards, and cameras monitoring access.
As per HIPAA compliance rules and HITECH, your responsibilities as an organization cover:
- security of your employees and partners.
- securing any patient data that you share with other hospitals or with patients.
While HIPAA requires you to explain your security rules clearly, in the Business Associate Agreements (BAA) and internally, with HITECH you need security tools and policies that a patient can use easily.
Shailendra Sinhasane (Shail) is the co-founder and CEO of Mobisoft Infotech. He has been focused on cloud solutions, mobile strategy, cross-platform development, IoT innovations and advising healthcare startups in building scalable products.