HITECH Act – Privacy and Security

What is the HITECH Act?

Protecting the privacy of patient information is one of the top priorities of all healthcare providers and is specifically required by various state and federal laws. On February 17, 2009, the American Recovery and Reinvestment Act of 2009 (ARRA, sometimes referred to as “the stimulus”), which included provisions making significant improvements in the privacy and security standards for health information, was signed into law by the federal government (http://www.hpsafind.hrsa.gov).
Included in this law is $19.2 billion intended to increase the use of Electronic Health Records (EHR) by physicians and hospitals; this portion of the bill is called the Health Information Technology for Economic and Clinical Health Act, or HITECH Act (http://www.opencongress.org/bill/111-h1/show). The Act is directed towards protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable or indecipherable to unauthorized individuals.
Additionally, it addresses entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information. The HITECH Act requires that patients be notified of any unauthorized acquisition, access, use or disclosure of their unsecured protected health information.

Why did the government pass this law?

The government firmly believes in the benefits of using electronic health records and is ready to invest federal resources to promote their use.
Paper records increase the risk of unauthorized access due to human-factor risks: leaving information on a desk or on a printer or fax machine, leaving it out where it can be viewed by cleaning staff, dumpster incidents, unlocked file cabinets and drawers, and shared working areas. These are examples of unintentional breaches. The HITECH Act defines a breach as an unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information.
Medical privacy breaches continue to be a serious problem for healthcare and life sciences. Some of the most highly respected healthcare organizations in the country still suffer data breaches, and new breaches make headlines regularly (http://www.opencongress.org/bill/111-h1/show). Research indicates that utilizing EHR would serve to improve patient care, increase patient safety and simplify compliance in the US healthcare system. Additionally, it would help cut costs in the long term, as it would minimize errors and increase productivity and administrative efficiency.
From a patient’s perspective, doctors get quicker access to the patient’s information, and that information can be shared between specialists, primary doctors and nurses on staff, leading to quicker and more accurate diagnosis, better care and higher satisfaction (http://www.cdt.org/healthprivacy/20090324_ARRAPrivacy.pdf).

Securing EHR

The HITECH Act speaks of four areas of securing data. They are: data at rest (i.e., data that resides in databases, file systems, and other structured storage methods); data in motion (i.e., data that is moving through a network, including wireless transmission); data disposed (i.e., discarded paper records or recycled electronic media); and data in use (i.e., data in the process of being created, retrieved, updated, or deleted) (Kline, 2009). The U.S. Department of Health and Human Services (DHHS) identifies two methods for rendering protected health information “secured”: encryption and destruction. Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning to the data unless an individual uses a certain process or has a key.
DHHS regulations state that the valid encryption processes are those that are consistent with National Institute of Standards and Technology (NIST) standards for encryption. The second method, destruction, also secures information found in paper or electronic format. Paper or other hard copy media must be shredded or destroyed in such a manner that the EHR cannot be read or otherwise reconstructed. Electronic media is to be cleared, purged or destroyed. Destruction should also be performed consistent with NIST standards (Kline, 2009).
What does the HITECH Act mean to physicians and hospitals?

At a high level, the Act includes up to $44,000 in total incentives per physician under Medicare for “meaningful use” of EHR. Physicians reimbursed by Medicaid can receive up to $63,500 based on state-defined guidelines. Hospitals with high Medicare and Medicaid volumes could receive up to $11 million. These incentives will be paid out over a 4- to 5-year period beginning in 2011 (http://www.opencongress.org/bill/111-h1/show).

How do physicians or hospitals qualify for HITECH Act Incentives?
Although the specific requirements have not been issued yet, we do know that in order to qualify for incentive payments, physicians must: use a “certified” EHR: the Act does not specify what “certification” will mean or who will provide certification. There is general consensus that the certifying organization will be the independent Certification Commission for Healthcare Information Technology (CCHIT); demonstrate “meaningful use” of an EHR: according to the Department of Health and Human Services (HHS), “meaningful use” includes communication with patients and families (e.g., appointment reminders, access to lab results, etc.). Additionally, the EHR must: use e-prescribing: this means that the EHR must allow physicians to prescribe over the Internet; electronically exchange information: exchanges of clinical information with labs, hospitals, providers, and payers across the country (including Medicare and Medicaid); submit clinical quality measures: a set of payer-specific quality (http://www.opencongress.org/bill/111-h1/show).

What happens if HITECH Act isn’t adopted by physicians and hospitals?

After 2015, further financial incentives will not be available and penalties will kick in.
There will be a 1% reduction in Medicare fees per year, up to 3% by 2017 (http://www.opencongress.org/bill/111-h1/show).

Summary

The use of health information technology and the electronic exchange of clinical information will promote health care quality, patient safety, cost-efficiency, and public health. Respecting individuals’ right to privacy and protecting their personal health information is critical to the successful widespread adoption and use of health information technology and exchange by health care providers.
Along with proper mechanisms for oversight and accountability, enhanced privacy and security will help develop public and provider trust and confidence in health information technology and exchange, leading to the realization of its potential benefits. It is essential that health care providers have access to the health information needed to care for patients where and when it is needed, while at the same time protecting patients’ information from privacy violations and security breaches.
Patients are just as concerned about the quality of care they receive as they are about the privacy and security of their health information. Achieving the right balance is the key to privacy and security in the electronic health care environment. The HITECH Act is clearly an ideal opportunity to reward physicians and hospitals that use EHRs effectively and to stimulate adoption by those who aren’t currently using EHRs.

Reference

Kline, M. (July 16, 2009). Securing Protected Health Information (PHI). Retrieved July 16, 2009, from http://hipaahealthlaw.foxrothschild.com/articles/privacy/.