The “Health Information Technology for Economic and Clinical Health Act” was passed in 2009 as part of the American Recovery and Reinvestment Act. The HITECH Act primarily addresses privacy and security issues related to the electronic storage of medical records. HITECH overlaps greatly with the Health Insurance Portability and Accountability Act (HIPAA), a major federal law governing access to private medical records.
In this country, the Health Information Technology for Economic and Clinical Health Act has significantly improved the protection of medical information. Specifically, HITECH:
- Improves security and privacy measures for health care information
- Enhances the effectiveness of HIPAA rules
- Requires entities covered by HIPAA to report breaches and unauthorized access to protected health information to the Department of Health and Human Services (HHS)
How Does the HITECH Act Affect Consumers of Medical Services?
HITECH also requires HIPAA-covered entities to notify individuals if their medical records have been breached.
Consumers now have a right to know when their medical records or history have been accessed without authorization. Individuals may also be able to check who has viewed their electronically stored medical records under certain HITECH provisions. These particular rights are similar to people’s privacy rights concerning their credit reports.
How Does the HITECH Act Affect Providers of Medical Services?
Those who fail to comply with HITECH and HIPAA guidelines may be subject to disciplinary action by a federal administrative agency. The provider may face legal consequences if they fail to report a breach of electronic security.
The medical provider may also be exposed to civil litigation by individual consumers who may have been harmed by the failure to report a breach. The medical organization could be held liable for reimbursing the individual for losses that resulted from the breach of security.
The HITECH Act’s Goals
According to the HITECH Act, its five goals are similar to those of the United States’ healthcare system – raise quality, safety, and efficiency; engage patients in their care; increase coordination of care; better the population’s health status; and ensure privacy and security.
To achieve these goals, HITECH encouraged the adoption and use of health information technology, enabled patients to take an active role in their health, paved the way for the expansion of Health Information Exchanges, and reinforced the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA was strengthened in several ways by HITECH. The HIPAA Security Rule also applies to Business Associates of Covered Entities. They must comply with the documentation requirements of the Privacy Rule and the new Breach Notification Rule (described below).
Penalties for failing to comply with HIPAA were also increased to add an extra incentive for healthcare organizations to comply with the HIPAA Privacy and Security Rules and to fund increased enforcement action per the Office for Civil Rights of the Department of Health and Human Services.
Why Is the HITECH Act Noteworthy?
Before the HITECH Act was introduced in 2008, only 10% of hospitals used electronic health records (EHRs). The adoption and use of EHRs must increase to advance healthcare, improve efficiency and care coordination, and make it easier for health information to be transmitted between Covered Entities.
Most healthcare providers wanted to switch from paper records to EHRs, but the cost was prohibitive. The HITECH Act introduced incentives to encourage hospitals and other healthcare providers to adopt the changes. In the absence of the Act, many healthcare providers would still use paper records.
The HITECH Act also helped ensure healthcare organizations and their business associates adhere to the HIPAA Privacy and Security Rules, implement safeguards to keep health information private and confidential, limit uses and disclosures of health information, and honor their obligation to provide patients with copies of their medical records upon request.
While the Act did not mandate compliance with HIPAA, as that was already required, it introduced a new requirement for Covered Entities and Business Associates to report data breaches, which ultimately allowed the Office for Civil Rights of the Department of Health and Human Services to take more enforcement action against non-compliant organizations.
HITECH Act Summary
In response to the HITECH Act, healthcare providers were encouraged to adopt electronic health records and improve privacy and security protections. This was accomplished by offering financial incentives to adopt EHRs and increasing penalties for violations of HIPAA privacy and security rules.
The HITECH Act has four subtitles (A-D). Subtitle A deals with the promotion of health information technology and is divided into two parts. The first part deals with improving healthcare quality, safety, and efficiency. Part 2 discusses the application and use of health information technology standards and reports.
Subtitle B details testing of health information technology, Subtitle C covers grants and loans, and Subtitle D details privacy and security of electronic health records. It is also divided into two parts. Part 1 discusses health IT privacy and security, while Part 2 covers the relationship between the HITECH Act and other laws.
Tougher Penalties for HIPAA Violations
Before the HITECH Act, in addition to Covered Entities avoiding sanctions by claiming their Business Associates were unaware that they were violating HIPAA, the financial penalties the HHS Office for Civil Rights could impose were little more than a slap on the wrist ($100 per violation, up to a maximum fine of $25,000).
In the HITECH Act, tougher penalties were introduced for HIPAA violations, and they were separated into different tiers based on various levels of culpability. The maximum financial penalty for a HIPAA violation has been increased to $1.5 million per violation category per year. Since 2016, HIPAA violation fines have been adjusted yearly to account for inflation, and as of 2022, the maximum financial penalty per violation sits at $1,806,757.
What Is the Meaningful Use Program?
To achieve the objectives of the HITECH Act, the Department of Health & Human Services (HHS) was allocated a budget of over $25 billion. HHS used part of that budget to fund the Meaningful Use program, which offered financial incentives to healthcare providers to adopt certified EHRs. The term “certified EHR” refers to those that have been certified as meeting defined standards by an authorized testing and certification body.
A certified EHR must be used in a meaningful way, such as for issuing electronic prescriptions and exchanging electronic health information to improve the quality of care. The program aimed to improve coordination of care, improve efficiency, reduce costs, ensure privacy and security, and improve public and population health, as well as engage patients and caregivers more in their own healthcare.
At the beginning of the program, the financial incentives were significant and increased over time as new requirements were added at each of the three stages of Meaningful Use.
As of 2015, Medicare-eligible professionals who didn’t comply with the HITECH EHR requirements had their Medicare claims penalized by 1%. Penalties for failing to demonstrate the adoption and use of certified EHRs increased to 3% in 2017.
Do I Need an Attorney for Issues with the HITECH Act?
Legislation such as the Health Information Technology for Economic and Clinical Health Act can significantly impact both consumers and medical care providers.
If you have any problems or a dispute involving the security of electronic medical records, you may wish to consult with a qualified insurance attorney. An experienced attorney can help you interpret the Act’s provisions and represent you in court if needed.