To help alleviate many of the economic problems that accompanied the Great Recession of 2008, the Obama administration introduced the American Recovery and Reinvestment Act (ARRA) in 2009. The Act was an economic stimulus package aimed at creating jobs, reducing poverty, and improving infrastructure.
Another large part of ARRA aimed at encouraging advancements in health and science, hoping that the resulting technological advances and increased efficiency in the healthcare sector would spur economic growth.
To achieve these advancements in the health sector, ARRA introduced the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Act had five goals, each of which focused on a different aspect of health and the healthcare system:
- Improve the efficiency, quality, and safety of the healthcare system;
- Engage patients more with their care;
- Improve the coordination of patient care;
- Improve the health of the population;
- Safeguard the security and privacy of health records.
Anyone versed in health privacy law will note that there is a clear overlap between the goals of the HITECH Act and HIPAA. Indeed, the HITECH Act had several modifying effects on HIPAA, which can cause a lot of confusion between the two Acts.
The HITECH Act strengthened HIPAA by extending the remit of the HIPAA Security Rule such that it applied to Business Associates. Previously, only Covered Entities were required to comply with this Rule, leaving obvious vulnerabilities in patient data.
HIPAA compliance was always mandatory, but before the HITECH Act, the penalty structure was relatively weak. To incentivize compliance, new penalty structures were introduced in 2009. Those who violate HIPAA can now be fined up to $50,000 per violation, a strong deterrent for violations. The revenue generated from these fines is fed into the Department of Health and Human Services’ Office for Civil Rights’ (OCR) enforcement budget.
The HITECH Act also introduced a new HIPAA Rule. The Breach Notification Rule requires that, if an unauthorized individual gains access to PHI, all affected patients must be notified within a specific time period. In addition, if the breach involves more than 500 patients, the OCR must also be notified, as well as a news agency serving the local area. This can help patients take the necessary actions to protect themselves.
As we can see from the five goals listed above, one of the major focuses of the HITECH Act was to improve the efficiency of the healthcare system and, relatedly, increase the coordination of patient care. One of the primary mechanisms used to achieve these goals was to incentivize the use of Electronic Health Records (EHRs). As well as eliminating the requirement for bulky filing cabinets and complicated library systems, EHRs are easier to transfer between healthcare organizations. The HITECH Act also required that patients be able to request their EHRs, allowing Covered Entities to charge only a “reasonable” fee for the request.
The HITECH Act was updated in 2021 to introduce the HIPAA Safe Harbor Law. This law changed how HIPAA violations could be prosecuted: the OCR could now opt either not to enforce HIPAA in cases where a violation occurred despite the fact that the CE or BA was HIPAA compliant, or to reduce the penalties it applies. Alternatively, it can request that a Corrective Action Plan be implemented. This rule was introduced after consultations with CEs and BAs, who voiced concern that violations that happened in spite of their HIPAA compliance were penalized in the same manner as those that resulted from negligence.
Finally, the HITECH Act prevented CEs or BAs from using PHI for marketing purposes without obtaining prior authorization from the patients. The patients could rescind this, and other authorizations, at any time.
The HITECH Act had far-reaching consequences for healthcare, both through the ways it modified HIPAA and through its own laws and requirements. All changes were enacted with the ultimate aim of promoting patient health and safety.