The HITECH Act and Meaningful Use of Electronic Health Records
Before 2011, healthcare providers struggled to transition to electronic healthcare record (EHR) systems. Despite obvious benefits to quality of care, potential data breaches threatened HIPAA policies. The cost of the transition and security concerns gave pause to healthcare providers. Some entities willfully ignored HIPAA policies. Fines were often less expensive than updating processes and systems. The US government wanted to overcome these issues by implementing the HITECH Act. This article explains exactly what the HITECH Act is. We'll also explain how it differs from HIPAA. Read to the end and learn how companies can ensure compliance and avoid penalties.
Summary of the HITECH Act
HITECH stands for Health Information Technology for Economic and Clinical Health Act. It is one piece of the February 2009 American Recovery and Reinvestment Act (ARRA). The ARRA is an economic stimulus bill drafted in response to the US Great Recession. It funded programs that would result in long-term economic benefits. The US Healthcare system was notorious for monetary losses. Between mispractices and duplication of efforts, practitioners often lost money between offices. The law pushed for widespread use of digital record systems to help with these issues. It aimed for better care for patients and the protection of their personal information. Note that HITECH is not the same thing as HIPAA. These two pieces of legislation are mutually-reinforcing, though. HIPAA only requires certain privacy standards for digital records. HITECH created motivation for healthcare practitioners to go digital. HITECH adds enforcement mechanisms to the preexisting rules set forth in HIPAA. The legal text of the act describes a two-part program. The first part addresses the logistics of transition. The second addresses funding methods and security protocols.
Part 1: "Improving Health Care Quality, Safety, and Efficiency"
Subtitle A: Promotion of Health Information Technology
Health Information Technology (HIT) is the IT network used within the healthcare field. Think of HIT as digital filing cabinets for patient records. The health IT system holds sensitive patient records. Thus, providers must use secure digital networks to store and share information. The ONCHIT office established a nationwide health IT infrastructure following a strategic plan. This office recommended how to establish a secure system in which every citizen had an EHR by 2014. A standards committee evaluated the rollout of HITECH. First off, they planned an implementation process. They ensured providers had an understanding of technologies and their proper use. This section requires businesses to use the same quality systems as healthcare providers.
Subtitle B: Testing of Health Information Technology
Voluntary pilot testing of programs rolled out before standards were set in stone. This helped ensure that the new systems were appropriate and efficient. The Director's office established standards for this process. These pilot programs rolled out before penalties went into place for non-compliance. Grant funds created testing programs at participating university hospitals. These research programs helped illuminate what technology worked and what didn't. The standards committee took feedback from testing sites as well as public input. They worked with the ONCHIT to incorporate relevant recommendations.
Part 2: "Application and Use of Adopted Health Information Technology Standards; Reports"
All funds for HITECH come through the Health and Human Services (HHS) Department. Their office requires all hardware had to be of certain quality standards. These quality control requirements applied to private entities and healthcare providers. This policy made for equal application of rules, no matter who handles patient data. Section two also called for a report on the nationwide adoption of the HITECH program. HHS reported barriers to the rollout. They also gave recommendations to the US House of Representatives as well as the Senate.
Subtitle C: Grants and Loans Funding
No headway in HITECH rollout could have been made without Federal funds. This section of the Act amended the Public Health Service Act to include incentives for health IT use. This amendment improves the security, privacy, and accuracy of health records. Moving from pen-and-paper records to digital filing systems required a great financial investment. Regional providers received money so the switch didn't burden local systems. They prioritized hospitals and health centers. Small practices serving as primary care providers also received high priority. State grants also funded both competitive and non-competitive planning and implementation purposes. Grants funded various activities, including:
- Promoting the increased use of electronic health records
- Providing technical assistance services for both providers and patients
- Sourcing state and other sources of funds to match federal investments
These Federal funds were a key piece to making the transition to a digital system possible. Their availability was key to success, especially for low-income areas. Many healthcare networks would otherwise be unable to afford the necessary technology.
Subtitle D: Privacy
The patient's privacy is of the utmost concern in the Act. Every patient's information is resistant to data breaches. Data breaches are the unnecessary access, use, or disclosure of private health information. HIPAA security was minimal and without any meaningful enforcement mechanisms. HITECH created penalties for non-compliance to protect the security of patient information. The Act also addresses the course of action should a breach occur. Healthcare providers must notify each individual affected. Business entities interacting with patient data must notify providers of potential breaches. This section requires addressing all security and privacy breaches as soon as possible. This means that patients receive a notification as soon as possible after detection. Notification of breaches must occur before a 60-day deadline after discovery. Notifications must come by mail, web postings, phone calls, and press releases. The Secretary of Health and Human Services is also notified in the case of larger information breaches. Privacy standards are the same for businesses that associate with healthcare providers. They must follow the same rules to protect patient information. They face the same penalties for noncompliance. Healthcare providers must prove that they are compliant with HIPAA standards. Providers have their practices audited on an annual basis. HITECH Act penalties can result in fines as well as other legal repercussions.
Although EHR systems were available for use early in the decade, only 10% of hospitals used them in 2008. Companies often found it cheaper to ignore HIPAA rules than comply. US Congress raised fines and closed loopholes with HITECH. President Barack Obama signed ARRA and HITECH into law in February of 2009. Two years later, extra funds were given out for proving meaningful use of electronic health records. Congress allotted a total of $25.9 billion for new health IT systems creation. Though providers had until 2014 to begin using EHR systems, the incentives shrank in size as time went on. Thus, early adopters received a greater amount of available funds to support implementation. Those who failed to go digital were subject to penalties beginning in 2015. By 2017, over 90% of healthcare providers had implemented the use of electronic records. The rollout of the Act was not without great effort, but it was in fact successful. In November of 2019, new minimum and maximum amounts for fines were set on the federal level.
Meaningful Use of Data
One major goal of HITECH was to reduce the cost of healthcare. This happened through establishing a data-sharing infrastructure focusing on meaningful use. Meaningful use of data helps meet many goals:
- Improving quality, safety, and efficiency of services
- Reducing health disparities
- Engaging patients and their families
- Improving care coordination
- Improving overall public health
- Ensuring privacy and security protection of patient health information
This is an important facet of the Act. HIPAA allowed for other, extraneous sharing of patient data. HITECH makes sure information is only transferred or shared to help to meet these goals. Interoperability programs allow the sharing of patient data for care purposes. This includes hospitals, primary care physicians, pharmacists, insurance companies, and other agencies. Meaningful use improves healthcare quality and reduces health disparities. It means engagement with patients and families in the healthcare process. It results in improved care coordination, better public health, and informational privacy. Meaningful use begins with capturing digital data and sharing it with patients electronically. Following that, providers can more easily improve the quality of their care. Specific reporting programs were established for the sake of Public Health Objectives, including:
- Immunization Registries
- Syndromic Surveillance
- Electronic Case Reporting
- Public Health Registries
- Clinical Data Registries
- and Electronic Reportable Laboratory Test Reporting
Penalties for Noncompliance
Those who deal with EHR are subject to tough measures for breaking the rules set forth in the HITECH Act. This includes healthcare providers and other businesses. The Department of Health and Human Services has an Office of Civil Rights. This office handles rule enforcement. Business entities are liable for compensating individuals or organizations whose information is compromised. Their violations are as serious as those of healthcare providers themselves. Violations of four levels are based on "increasing levels of culpability" with fines. At the very least, rule-breakers are charged $250,000 for violations. These fines max out at a cost of $1.5 million for repeat and offenders who willfully neglect and ignore policy. These costs do not include other potential criminal penalties. In the past, entities that were not aware of violations were not considered at fault. This changed with the November 2009 HITECH Act Enforcement Interim Final Rule. This rule made it so unknown violations were held at the lowest level of culpability. Violations corrected within a 30 day period are not subject to a penalty. This is the case only if the error was not because of willful neglect on behalf of the provider or other entity.
Ensure Your Company Is Compliant
It's important to get to know HITECH standards and to adjust your practices as necessary. Especially with such large fines as well as patient privacy at stake, keep compliance in mind. Here is a shortlist of what to keep in mind about the rules contained in the HITECH Act:
- The breach notification rule: Tell affected parties about breaches as soon as possible. Do so by all necessary channels
- Copies of records: Shred unnecessary paper copies of information. Know that all patients can have copies of their EHR upon request.
- Minimum necessary disclosures: Have a security plan in place. Train your employees to follow the law. Limiting unnecessary access to information is a good practice.
- Annual federal audits: Be able to prove your organization is protecting patient information.
The HITECH Act is an important piece of legislation. It brought the US healthcare system into the digital era. It prevented unnecessary duplication of information and minimized wasted resources throughout the sector. This important bill helps improve the medical sector in many ways. Digitization and systems upgrades make it easier for providers to give quality care. Healthcare providers and businesses are required to be compliant with HITECH. Those who don't follow the rules or cause data breaches will receive a fine from the US HHS Department. We have classes for healthcare workers with the most recent updates for 2020/21. We also offer a similar version for business associates as well. Bundle pricing makes for the most affordable option based on your team's size. Our eLearning courses are the most trusted source for compliance training. Sign up to ensure that you are in full compliance with these important policies. Participants get a certificate of completion after successfully completing the course. We have these and more compliance training courses available on our website. Enroll today! Make sure that you and your employees know these and other requirements by taking the getting certified on our website.