HIPAA and HITECH rules are often discussed together for a number of reasons, and it makes sense because one is meant to be an extension of the other. However, HIPAA was developed before the days of ubiquitous technology, meaning that it wasn't properly accounting for or regulating patient privacy when it came to keeping electronic records from prying eyes. Instead of working solely with the language used in HIPAA, regulators decided to make the update more memorable in the form of a plan that was meant to help the additional rules related to technology stand out to the various affected businesses. We'll tell you what you need to know about how and why the Health Information Technology for Economic and Clinical Health strengthens the measures laid out by the Health Information Portability and Accountability Act.
Times Change
At one time there were only so many people who felt the need to strictly regulate the medical field, and HIPAA laws were much more lax back then. Its main rules were to keep patients' information confidential, and only share it when there was a justifiable reason for doing so. However, as healthcare became more profitable and technology proliferated, it attracted more insurers, equipment manufacturers, researchers, etc. The processes of testing in a lab and clinical trials became more complicated, and there were companies operating across the country who didn't even realize that they were subject to HIPAA laws. Plus, HIPAA was only so well enforced before, meaning that paper files were likely left out longer than the should be, case stories were given without regard to the identifying information within them (e.g., rare symptoms, etc.) and a number of other questionable practices were occurring with no one to step in. The addition of technology being introduced to every company in the world further complicated the process of storing information across multiple software programs, updates, upgrades, equipment selections and security perimeters. It called for either a revamping of HIPAA or a new set of requirements to flesh out the original laws. Enter HITECH, which was proposed in 2009 in the stimulus package. As it stands right now, a company can no longer afford to risk their reputation by taking shortcuts when it comes to patient data. It shouldn't need to be said, but companies are playing a dangerous game that may result in hefty fines from the government and a loss of business with their customers.
What It Does
Both HIPAA and HITECH have rules and guidelines that are formed to keep a business from letting any personal health information (PHI) out, and it's helpful to remember that HIPAA laws have also been updated. The newer regulations for HIPAA concentrate more on the original tenets of the act (e.g., how health data can be used, etc.) as opposed to more regulations on the technology you're using. While HITECH's regulations do everything possible to address the current circumstances and privacy needs of the day, they can only be so specific due to the nature of technology. This means you'll still maintain a certain amount of autonomy and customized solutions you may have honed over the years, but you will likely need to consider your decisions again and how they might look to an auditor. HITECH increased the fees levied upon a business who fails to keep up with their security, and it also requires additional communication to the public about the details regarding a possible breach or error when releasing data. This not only applies to your business but also associates that you may work with like financial institutions, software proprietors or health information exchanges. You can see why an independent bank or credit union may not realize that they're subject to the same fines as a doctor for failing to comply with one of these rules.
Looking at the Details
Electronic Health Records (EHR) are utilized by practically everyone in the health care field, but there is unfortunately a lack of cohesion amongst how it is all used. HITECH focuses on the terms 'meaningful use' when it comes to handling EHR, meaning a company would need to prove that they're using certified technology that can be measured in quantifiable ways. Companies must show that they're facilitating the sharing of health information when they need to, and doing so in a secure way that doesn't interfere with a patient's ability to receive care. EHR is the great hope for medical professionals and patients to turn people away from paper files and onto a system where information is stored without the possibility of loss. It was supported by Congress when it agreed to help fund and theoretically speed up the transition. We'll give you more information about how the government expects it all to be done.
Communicating the Problem
If an organization that falls under HIPAA and HITECH's laws is breached, they'll have 60 days to let their affected patients know. This can be done through paper mail, electronic mail given permission from the patient and/or by posting the information on a company home page, or even via local news. According to HITECH, a breach is defined as any unauthorized access that could potentially compromise the privacy of an individual, unless the unauthorized party was unable to retain the information for any reason. If the security glitch affected more than 500 people, the organization is required to tell the Department of Health and Human Services (HHS.) It should be noted that while HITECH is about cracking down on improper practices, there will still only be so much government oversight. It will be up to organizations to decide which incidents constitute a breach. Any covered entity, meaning those who pay out for medical care, process health data, or supply health care goods or services, must keep a log of any breach and submit the information every year to HHS. If you are a business associate of a covered entity, you'll need to notify that entity who will then notify those affected.
The Real-Life Consequences of HITECH
It's important you do not simply see these rules as an abstract set of legalese clauses. Besides having to send out memos that patients' information has been leaked, a violation fine can run up to $1.5 million and this fee is allowed to be charged to individuals within an organization, as well as to the company itself. While you are able to maintain a certain control over how you determine your security performance, you will likely start to see more audits as time goes by. When you're attempting to decide whether or not you should notify patients, you may want to err on the side of caution, especially considering that civil action may be brought against you through a class-action lawsuit. You are required to give all treatment and care records to an individual patient upon request, including providing an electronic copy if asked for. When it comes to other parties, you should be limiting the sharing as much as possible. These subjective rules are meant to give you a standard of operation, meaning you should be developing practices that will fall in line as closely as possible to avoid the negative ramifications of taking a shortcut.
The Cost of Change
Ultimately, trying to comply with regulations can get expensive because it typically means buying goods and services or hiring more people to focus solely on compliance, and any change you make to an organization is liable to do more harm than good during the transition phase. When people are used to doing something a certain way, it can almost feel more beneficial to keep the status quo rather than risk an internal implosion. However, if you're not currently doing everything possible to secure data then the cost of not changing is too high to risk. Employees deserve to be trusted and to know exactly how their work is affected by HITECH, and what they can do to strengthen their own habits when it comes to sharing, saving, or sending PHI.
How Encryption Can Help
"Covered entities and business associates should keep encryption keys on a separate device from the data that they encrypt or decrypt." This statement is made in the Interim Final Rule of HITECH, and it's an important one to remember. If a breach occurs when you have effective encryption, you are not in any type of violation of the rules and are not required to notify anyone. In other words, if you can prove that when a criminal broke into your EHR they were not able to gain any kind of useful information, you're in the clear. You will be required to use encryption that follows the NIST Federal Information Processing Standard, though, so it's pivotal you choose a company who can provide software that meets the specifications. The amount of data that has been collected and stored has become a virtual treasure chest for hackers everywhere. Not only can criminals expose high-profile individuals' information as well as personal information about doctors and staff, but they can also retrieve SSNs, personally identifiable information (PII), as well as financial information about patients. Everyone is at a precipice for how to care for this data, and without encryption, you could potentially be left behind in your practice. Ultimately, this technique could wind up saving you more money because it both fits with HITECH rules, and it's a sustainable solution for anyone working with PHI.
