Privacy, security, and the HITECH Act

The basics

The Health Information Technology for Economic and Clinical Health Act (HITECH) was signed into law as part of the American Recovery and Reinvestment Act of 2009 and was designed “to promote the adoption and meaningful use of health information technology,” according to the U.S. Department of Health and Human Services (HHS). The act allows the HHS to create programs that will improve the quality and efficiency of healthcare in the United States through the meaningful use of technology.¹

One program related to HITECH that has generated buzz among chiropractors is the incentive program operated by the Centers for Medicaid and Medicare Services (CMS), which encourages the use of certified electronic health records (EHR) systems. In this program, as in all programs related to HITECH, chiropractors are considered eligible professionals and may receive incentive payments for the purchase, implementation, and meaningful use of EHR software.

Privacy and security

Along with promoting the use of technology, the law also addresses the privacy and security laws of the Health Insurance Portability and Accountability Act (HIPAA), which was signed into law in 1996. Subtitle D of HITECH strengthens the civil and criminal provisions of HIPAA related to the electronic transmission of private health information.¹

According to HHS:

Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:¹

• Four categories of violations that reflect increasing levels of culpability;
• Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
• A maximum penalty amount of $1.5 million for all violations of an identical provision.

It also amended section 1176(b) of the act by:¹

• Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
• Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.

The idea is that technology can make healthcare more efficient, but it must be used in a safe and secure way. Fears surrounding security had been a roadblock to the use of technology in healthcare for many years. Consider the rapid rate of adoption in other sectors, while most doctors and other healthcare providers continued to use paper records. HITECH addresses both aspects of the problem: the adoption and the security.

Where EHR systems come into play

Adopting EHR systems, as well as other technologies, allows for interoperability, which improves healthcare overall. For example, it could be helpful for a chiropractor to access a patient’s medical records and for that patient’s MD to access the records from chiropractic office visits. Coordination and collaboration becomes easier for the providers.

At the same time, security is a real concern for both patients and providers. The certification programs that are associated with HITECH are one way to ensure the highest security measures are in place. Software that has been certified by the Office of the National Coordinator (ONC) has been rigorously tested and found to be secure.

Although learning about and following all of the regulations and guidelines of laws such as HIPAA and HITECH can be onerous, the ultimate goal is to provide the best possible care to patients. Both laws are designed to help providers do that, as well as to make sure patients enjoy a comforting level of security regarding their personal information.

Reference

¹ U.S. Department of Health & Human Services. “HITECH Act Enforcement Interim Final Rule.” HHS.gov. http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html. Accessed May 2015.