Written by the AIHC Education Volunteer Committee
Contributors: Nancie Cummins, Sheryn Honest, Joanne Byron
This article is written to help educate individuals new to HIPAA & HITECH compliance by addressing the basic elements needed for a health care organization and/or business associate to be in compliance with Health Information Technology for Economic and Clinical Health (HITECH).
The focus of this article is to “connect the dots” between Health Insurance Portability & Accountability Act (HIPAA) and HITECH regarding privacy and security of electronically protected health information (ePHI).
HIPAA covers all protected health information (PHI), while HITECH extends the HIPAA privacy and security provisions to electronic health records (EHRs).
What is “HITECH”?
“HITECH” is the acronym for the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which is title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. 111-5.
HITECH is a federal regulatory requirement, enforced by the Office for Civil Rights (OCR), that implements privacy and security provisions for healthcare providers and entities. HITECH enhanced the HIPAA Privacy & Security Rules while addressing the standards and implementation of electronic health record technology. There are four sections to the HITECH Act (Subtitles A, B, C, D):
Subtitle A—Promotion of Health Information Technology
Subtitle B—Testing of Health Information Technology
Subtitle C—Grants and Loans Funding
Subtitle D—Privacy
Due to the implementation of advanced technology, the HIPAA security requirements alone have become insufficient. HITECH puts a “bite” into specific elements of the HIPAA rule, such as higher penalty amounts for non-compliance. However, your organization should not address only “HIPAA” or only “HITECH”. Combining the requirements of both Acts and implementing best practices will help mitigate the risk of suffering non-compliance consequences for violating the rules.
This has to do with the ever-evolving advancement of healthcare information technology.
If you have been working in healthcare over the past 10 years, you’ll remember the implementation of attesting to “Meaningful Use”, the government’s ploy to strongly encourage implementation of electronic health records. Meaningful use means healthcare providers need to show that they are using certified EHR technology in a way that can be measured in both quantity and quality.
The transition from paper to electronic records has been both expensive and resource-exhausting for providers. Documentation, for most providers, takes longer in an electronic system. Combined with historical documentation requirements, progress notes became “bloated” with information required for reimbursement purposes that had little impact on quality of care. On top of this increase in expense and provider time came exposure to potential hacking, ransomware, and other cybersecurity risks associated with storing and transmitting electronic patient records.
In addition to requiring compliance with the HIPAA security standards, the HITECH Act also set the stage for stricter enforcement of the HIPAA Privacy and Security Rules by mandating security audits of all healthcare providers. These audits are used to investigate and determine whether providers meet minimum specified standards and are therefore in compliance with the HIPAA Privacy Rule and Security Rule.
Summary of the Goals or Objectives of the HITECH Act
There are five HITECH Act goals in the United States healthcare system:
- Improve quality, safety, and efficiency
- Engage patients in their care
- Increase coordination of care
- Improve the health status of the population, and
- Ensure privacy and security
To achieve these goals, HITECH incentivized the adoption and use of health information technology, enabled patients to take a proactive interest in their health, paved the way for the expansion of Health Information Exchanges, and strengthened the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
What about Artificial Intelligence?
The HITECH Act will continue to evolve and adapt due to the rapid development in health care information technology (HIT). In 2020, the U.S. government introduced the 21st Century Cures Act, which builds upon the HITECH Act and aims to promote innovation in HIT and improve patient access to healthcare services. The 21st Century Cures Act provides additional funding for HIT research and development and includes provisions for interoperability and patient access to health information.
The HITECH Act supports advancements in HIT, such as the use of artificial intelligence (AI), telemedicine, and other innovative technologies. These new technologies have the potential to further improve patient care, provide innovations to increase the quality of care and patient outcomes while increasing efficiency, and reduce costs.
The consequences for noncompliance with the HITECH Act can be severe. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the government enforcement agency over both HIPAA and HITECH. OCR can impose civil money penalties up to $1.5 million per violation, as well as criminal penalties for violations that involve the wrongful disclosure of individually identifiable health information (IIHI).
Consequences can include public disclosure of the provider’s violation, administrative reprimands, and termination of Medicare and Medicaid billing privileges by being listed on the Office of Inspector General (OIG) Exclusions List.
On February 27, 2023, due to its increase in case load, OCR renamed the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to better reflect its work and role in cybersecurity.
- For example, breaches of unsecured PHI, including ePHI, reported to OCR affecting 500 or more individuals (large breaches) increased from 663 large breaches in 2020 to 714 large breaches in 2021.
- This trend is continuing, with OCR reporting that hacking incidents account for 80% of the large breaches it has received.
HIPDC will continue to meet the growing demands to address health information privacy and cybersecurity concerns.
HITECH’s “Recognized Security Practices” (“RSPs”)
Back in January of 2021, Congress enacted an amendment to the HITECH Act, known as the “HITECH Amendment”. It requires the Department of Health and Human Services (“HHS”) to consider whether a covered entity or business associate has “adequately demonstrated” that it has had “recognized security practices” in place for not less than the previous 12 months when making certain determinations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule (e.g. mitigation of fines, early termination of an audit, or other remedies).
The HITECH Amendment provides that “recognized security practices” (“RSPs”) include:
- standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (“NIST”) Act;
- the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015; and
- other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.
Documentation of historical, present, and future security practices is critical for your organization. OCR suggests that the following can be provided as evidence, although the list is not exhaustive:
- Policies and procedures regarding the implementation and use of RSPs
- RSP implementation project plans and meeting minutes
- Diagrams and narrative detail of RSP implementation and use
- Training materials regarding RSP implementation and use
- Application screenshots and reports showing RSP implementation and use
- Vendor contracts and statements of work regarding RSP implementation
- OCR also requires dates that support the implementation and use of RSPs for the previous 12 months
Are there Resources to Help Organizations Subject to HIPAA/HITECH Compliance?
When an enforcement agency offers free templates, education and resources, it is wise to participate.
- OCR Recognized Security Practices VIDEO
This video, released in October 2022, features Nick Heesters, senior advisor for cybersecurity at OCR. He explains how the HITECH Act was amended, what constitutes Recognized Security Practices, and how they can be implemented to reduce liability. Recognized Security Practices are standards, guidelines, best practices, methodologies, procedures, and processes developed under:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Section 405(d) of the Cybersecurity Act of 2015, or
- Other programs that address cybersecurity that are explicitly recognized by statute or regulation
HIPAA-regulated entities are free to choose the Recognized Security Practices that are best suited to their organization.
- HHS 405(d) Program
The HHS 405(d) Program is a collaborative effort between the Health Sector Coordinating Council and the federal government to align healthcare industry security practices.
As the leading collaboration center of the Office of the Chief Information Officer, the 405(d) Program is focused on providing organizations across the nation with useful and impactful Healthcare and Public Health (HPH)-focused resources, products, and tools that help educate, raise awareness, and provide vetted cybersecurity best practices which drive behavioral change and strengthen the sector’s cybersecurity posture against cyber threats.
Take advantage of “Knowledge on Demand”, located on the Education page of the 405(d) website.
- HIPAA/HITECH for Managed Service Providers
If your organization is a Managed Service Provider, it is highly recommended that at least one person has HIPAA/HITECH training specifically designed for IT professionals. This online training is available with the option to certify online.
- HIPAA Compliance Officer Training
This online program in HIPAA Privacy & Security is designed for those working for a Covered Entity or Business Associate.
Copyright © 2023 American Institute of Healthcare Compliance All Rights Reserved