The Health Information Technology for Economic and Clinical Health Act ("HITECH") contained in the recent federal stimulus package seeks to widely advance the use of information technology across healthcare providers in a short period of time. The American Recovery and Reinvestment Act of 2009, which contains HITECH, establishes new mandates on the implementation of health information technology ("HIT") and privacy of patient information.
HITECH signals a major step forward toward the goal of an interoperable system for the exchange of health information that improves healthcare outcomes, increases global coverage, lessens disparity in treatment, reduces medical errors and improves security.
HITECH mandates that the Department of Health and Human Services ("HHS") adopt uniform policies, standards, implementation specifications, and certification criteria, the initial set of which is expected later this year.
Electronic Health Records
Over $19 billion in incentives are earmarked for healthcare providers who implement an electronic health records ("EHR") system. Grants also will be provided through states to defer purchase and implementation costs. Non-hospital-based physicians can receive Medicare bonuses of between $44,000 and $64,000, and hospitals may receive up to $11 million for the implementation and "meaningful use" of EHRs and other HIT.
Early implementation of an EHR system is encouraged. The transition to an EHR system takes some time in order to select the proper technology and technology provider, negotiate an agreement, develop an implementation strategy, and install and test the system. As providers seek to maximize the incentive monies they receive under HITECH, demand on HIT vendors in the next few years is expected to be high. Early adopters are rewarded with higher incentive amounts, which are reduced over time. Providers who are noncompliant with HITECH will be penalized through reduced Medicare reimbursements. Exceptions will only be made on a case-by-case basis for significant hardships. Early adoption is further encouraged through the available grant monies. The minimum investment required of grant recipients by HITECH increases over time.
HITECH's Impact on HIPAA Privacy and Security
HITECH includes some of the most comprehensive patient information privacy and security reform since the introduction of HIPAA in 1996. Nearly all privacy and security obligations of covered entities under HIPAA are now also imposed through HITECH on their business associates, who must therefore assume full liability for security breaches. This may require review of, and amendments to, presently existing agreements between providers and their business associates who obtain patient information. Encryption efforts by providers and business associates are therefore expected to increase in response to HITECH.
Notification requirements also have been significantly broadened under HITECH. Unlike most prior HIPAA disclosure requirements addressed through state legislation, there is no "risk of harm" threshold before a breach must be reported to an individual under HITECH. Any security "breach" (as defined by HITECH) must be reported to the individual, regardless of the generality of the information at issue (such as a patient's height or hair color, without any other personally identifiable information). In certain larger scale breaches, simultaneous notification to HHS and prominent media outlets is required.
Civil and monetary penalties that now will apply to covered entities and business associates have been increased under HITECH to between $25,000 and $15 million. Enforcement resulting in these penalties is also expected to increase, since HITECH authorizes state attorneys general to prosecute violations, including through enforcement actions brought directly against individual employees who violate HIPAA. However, while increased HIPAA enforcement efforts are anticipated, results may vary based upon differing interpretations of HIPAA among state attorneys general.
Under HITECH, patients are entitled, upon request, to accountings of all uses or disclosures of their information, including lawful uses or disclosures. HITECH prohibits, with limited exceptions, the sale of patient information without written authorization.