The Health Information Technology for Economic and Clinical Health Act (HITECH Act
or "The Act") is part of the American Recovery and Reinvestment Act of 2009 (ARRA).
ARRA contains incentives related to health care information technology in general
(e.g. creation of a national health care infrastructure) and contains specific incentives
designed to accelerate the adoption of electronic health record (EHR) systems among
providers.
Because this legislation anticipates a massive expansion in the exchange of electronic
protected health information (ePHI), the HITECH Act also widens the scope of privacy
and security protections available under HIPAA; it increases the potential legal
liability for non-compliance; and it provides for more enforcement.
Under the HITECH Act, business associates are now directly "on the compliance hook"
since they are required to comply with the safeguards contained in the Security Rule
(SR). The HITECH Act does not speak directly to the rationale, but even casual observers
understand that a potentially massive expansion in the exchange of ePHI increases
the privacy and security concerns of all stakeholders. Most, if not all, software
vendors providing EHR systems will clearly qualify as business associates. Requiring
vendors to comply directly ensures that more provider/vendor dialog will occur regarding
the necessary contracts, and regarding other compliance issues of mutual interest.
The vendors themselves will insist on it. The "fun" for business associates does not
stop with Security Rule compliance and contractual agreements.
Dr. Bob Osenenko's final words: The HITECH Act will be enforced against those using EHR
systems, but it sets the tone for others to be more careful when transferring medical
information. Pertaining to this website, referrals can still be made through emails
because we use a secure line, a verification system, and Secure Sockets Layer technology.
Civil penalties for willful neglect are increased under the HITECH Act. These penalties
can extend up to $250,000, with repeat/uncorrected violations extending up to $1.5
million. Legislators appear to be sending a clear message that "we are not in Kansas
anymore."
Furthermore, under certain conditions HIPAA's civil and criminal penalties now extend
to business associates. Like HIPAA, the HITECH Act does not allow an individual to
bring a cause of action against a provider. However, it does allow a state attorney
general to bring an action on behalf of his or her residents. Finally, HHS is now
required to conduct periodic audits of covered entities and business associates.
Clearly, the legislative intent is to provide for "enhanced enforcement." To what
degree enforcement actually increases on the ground is yet to be determined, but
the HITECH Act significantly ups the ante for non-compliance.