Chapter 3: How to Fill the Gaps Left by Standard Insurance Policies
Part 2: HITECH Act: What Allied Health Professionals Need to Know
The Health Information Technology for Economic and Clinical Health (HITECH) Act supports the enforcement of HIPAA requirements by raising the fines health organizations can face for violating HIPAA Privacy and Security Rules. It's the HITECH Act you can thank for the new maximum penalty of $1.5 million for repeat or uncorrected violations. Before the act, the HHS could not impose a penalty greater than $25,000 for all identical violations. HHS is now required to conduct periodic audits of covered entities and their business associates.
But the HITECH Act does more than raise the stakes for offenders — it also makes provisions for the use, storage, and transmission of electronic protected health information (ePHI). See below for a few of the meaningful ways HITECH has changed how medical professionals handle digital health information.
- Notification of breach. According to the HITECH Act, you must provide notification of data breaches that result in unauthorized uses and disclosures of "unsecured PHI." In other words, you must notify affected parties about breaches. If 500 or more patients are affected, then HHS must be notified as well. In turn, the HHS will post the breach under your practice's name on its website and sometimes release a report to local media.
- Electronic health record access. HITECH stipulates that HIPAA-covered entities must implement and demonstrate "meaningful use" of e-records. In a nutshell, that means you must have an electronic health record system, and you must ensure your patients can access their protected health information digitally. Your patients can also designate that a third party be the recipient of the ePHI. The Act provides that only a fee equal to the labor cost can be charged for meeting a request for ePHI.
- Business associate agreements. Under the HITECH Act, business associates of healthcare practices and providers are now on the compliance hook. This means that software vendors providing electronic health record systems can be considered business associates and subject to privacy penalties for violations. When considering IT contractors or consultants, be sure to verify that they're aware of and able to comply with HIPAA and HITECH guidelines.