The HITECH Act – or Health Information Technology for Economic and Clinical Health Act – makes up part of an economic stimulus package that was established during the Obama administration: lmown as the American Recovery and Reinvestment Act of 2009 (ARRA).
Before the HITECH Act was passed in 2008, only 10% of hospitals had implemented EHRs. In order to further progress healthcare, improve efficiency and care coordination, and make it more simple for health information to be shared between different covered groups, electronic health records needed to be created.
While many healthcare groups wanted to move to EHRs from paper files, the cost of making such a change was extremely costly. The HITECH Act introduced incentives to encourage hospitals and other healthcare providers to make the shift. Had the Act not yet been passed, many healthcare groups would still be using paper files. The Act grew the rate of adoption of EHRs from 3.2% in 2008 to 14.2% in 2015. By 2017, 86% of office-based physicians had implemented an EHR and 96% of non-federal acute care hospitals has added certified health IT.
The HITECH Act also helped to ensure healthcare groups and their business associates were in compliance with the HIPAA Privacy and Security Rules, were implementing security measures to keep health information private and confidential, controlling uses and disclosures of health information and were respecting their obligation to provide patients with copies of their medical records on request.
The Act did not make compliance with HIPAA obligatory as that was already a legal necessity, but it did make sure that entities found not to be in compliance could be issued with a substantial penalty.
What are the Aims of the HITECH Act?
The HITECH Act was created to promote and grow the adoption of health information technology, specifically, the use of electronic health records (EHRs) by healthcare suppliers.
The Act also took away the loopholes in the Health Information Portability and Accountability Act of 1996 (HIPAA) by tightening up the language of HIPAA. This helped to ensure that business associates of HIPAA covered entities were complying with HIPAA Rules and alerts were shared to impacted individuals when health information was compromised.
Stricter financial penalties for HIPAA compliance failures were also brought in to add an additional incentive for healthcare organizations and their business associates to comply with the HIPAA Privacy and Security Rules.
With a much-boosted income source, HHS was able to dedicate more resources to look into the cause of data breaches and, in 2011, the HHS launched the first phase of its HIPAA compliance audit program. The next phase of ‘desk audits’ – paperwork checks – on covered entities was finished during 2016, paving the way for a permanent audit program.
The HIPAA Breach Notification Rule
A vital change brought about from the introduction of the HITECH Act was the creation of a new HIPAA Breach Notification Rule. Under the new Breach Notification Rule, covered entities are required to issue alerts to impacted individuals within 60 days of the discovery of a breach of unsecured protected health information.
The breach notification correspondence to patients must be sent via first class mail and must explain the extent of the breach, the range of protected health information that were exposed or infiltrated, the measures that are being taken to address the breach, and the actions affected individuals can take to reduce the chances of harm being inflicted.
Breaches of 500 or greater records also need to be made known to the HHS within 60 days of the breach being spotted, and smaller breaches within 60 days of the end of the calendar year in which the breach happening. Along with reporting the breach to the HHS, a notice of a breach of 500 or more records must be sent to a prominent media outlet serving the state or jurisdiction impacted by the breach. The Breach Notification Rule also states that business associates to notify their covered entities of a breach or HIPAA violation to allow the covered entity to report the incident to the HHS and set up individual notices to be sent.
The HITECH Act also updated the permitted uses and sharing of PHI and tightened up the language of the HIPAA Privacy Rule. Business associates were stopped from using ePHI for marketing purposes without official permission, patients were given the right to take away any authorizations they had previously given, and new requirements for accounting for disclosures of PHI and maintaining records of disclosures were introduced, including to whom PHI had been shared and for what reason.