The Health Information Technology for Economic and Clinical Health (HITECH) Act[i], signed into law on February 17, 2009, is designed to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act strengthens the civil and criminal enforcement of the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA)[ii]. For example, Section 13411 of the HITECH Act mandates that the U.S. Department of Health & Human Services (DHHS) shall conduct periodic audits of entities covered under HIPAA (e.g., health plans, healthcare clearinghouses and certain medical providers) and their business associates.
It has been reported that the DHHS Office for Civil Rights (OCR) will begin conducting HITECH/HIPAA audits later this year[iii]. Reportedly, the audits will check to ensure that covered organizations have completed a risk assessment and have implemented appropriate administrative, technical and physical safeguards in compliance with the HIPAA Security Rule. Audits for compliance with the HIPAA Privacy Rule reportedly will include confirmation that individual rights (e.g., a patient’s right to access her or his medical records) have been upheld by the covered entity.
The HITECH Act strengthened the enforcement penalties of HIPAA by, among other things, (a) increasing the maximum penalties for violations due to willful neglect (e.g., up to $50,000 per violation, with an overall cap of $1.5 million for all violations of an identical requirement or prohibition during a calendar year), (b) providing that fees collected for violations are retained by the OCR, thus supporting further enforcement efforts, (c) striking the bar on the imposition of penalties if the covered entity did not know, and with the exercise of due diligence would not have known, of the violation, (d) having business associates be directly regulated for HIPAA Security Rule enforcement purposes by DHHS, rather than being subject merely to contractual oversight by the HIPAA covered entities, as was the case prior to passage of the HITECH Act, and (e) prohibiting penalties for violations corrected within a 30-day period, so long as the violation was not due to “willful neglect”. The HITECH Act also strengthened certain of the substantive requirements of HIPAA, such as by imposing new security breach notification requirements on covered entities[iv].
Incentives for “Meaningful Use” of EHRs
In addition, the HITECH Act provides for billions of dollars in incentives in order to promote the improvement of the healthcare infrastructure and the use of electronic health records (EHRs). For example, physicians and hospitals are to receive monetary incentives if they can demonstrate the “meaningful use” of certified EHR technologies, including existing systems as well as new installations and upgrades.
Recommendation: Seek Privacy & Security Accreditations
Given the announced start of HITECH/HIPAA audits later this year, covered health plans, health care clearinghouses and medical providers (hospitals and physicians) and their business associates (and vendors) should make sure they are ready to undergo an audit and not be found to be in violation of HIPAA and/or HITECH. Audited organizations especially will not wish to be found in violation as a result of “willful neglect”. One step that could be considered by covered organizations is to apply for a HIPAA Privacy Accreditation and HIPAA Security Accreditation from URAC, a leading healthcare accreditation organization[v]. It likely would be exceedingly difficult for any regulator or state attorney general to successfully claim that an entity was guilty of “willful neglect” of its obligations under HIPAA and/or the HITECH Act if the entity’s HIPAA privacy and security program had obtained the URAC accreditation.
Recommendation: Utilize Portal Technologies, Alone and With Certified EHR Technologies
A second step that covered entities might wish to consider is using currently available portal technology to set up a dedicated HITECH/HIPAA site for communication and collaboration (both internally and with external business associates and vendors) and for due diligence and training purposes. For example, Microsoft SharePoint 2010 (which launched on May 12, 2010)[vi], Microsoft SQL Server 2008[vii] and other related Microsoft product offerings[viii] are well-suited to be used for such a purpose, due to their communication and collaboration, privacy and security, record retention, workflow, search and other relevant capabilities. Use of portal technology and related solutions in connection with certified EHR technologies under certain circumstances also could serve to establish “meaningful use” of EHRs in order to qualify for HITECH Act stimulus funding[ix].
[i] See http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf.
[ii] See http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html.
[iii] See, e.g., http://www.healthcareinfosecurity.com/podcasts.php?podcastID=516&rf=051410ph and http://www.hipaa.com/2010/05/ocr-stepping-up-hipaa-security-enforcement.
[iv] See http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.
[v] See, e.g., http://www.healthnewsdigest.com/news/Guest_Columnist_710/URAC_Accreditation_Streamlines_HIPAA_Compliance_and_Mitigates_Risk.shtml and http://www.urac.org/programs/prog_accred_HIPAAS_po.aspx.
[vi] See http://sharepoint.microsoft.com/en-us/Pages/default.aspx.
[vii] See http://www.microsoft.com/sqlserver/2008/en/us/R2.aspx.
[viii] See, e.g., the Microsoft Health Portals site at http://www.microsoft.com/industry/healthcare/providers/solutions/portals.mspx; the Microsoft Health Solutions Group site at http://www.microsoft.com/hsg; and the CareGroup Healthcare System case study, at http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000001003.
[ix] See, e.g., http://healthit.hhs.gov/portal/server.pt?open=512&objID=1325&parentname=CommunityPage&parentid=1&mode=2.