The HITECH Act Fundamentals


July 25, 2018


The HITECH Act

A. What is it? The Health Information Technology for Economic and Clinical Health Act, or the “HITECH Act,” is a group of provisions enacted as part of the 2009 economic stimulus. The stimulus act, more precisely referred to as the American Recovery and Reinvestment Act[12] (“ARRA”), implemented sweeping programs through new legislation and amendments to existing laws. These programs ranged from unemployment assistance to promotion of broadband internet access and limits on executive compensation. Among the programs implemented by the ARRA is the HITECH Act,[13] the goal of which is to encourage the use of electronic health records (“EHR”) and health information technology. The HITECH Act accomplishes this through three principal means:

1. standardizing and certifying the data and interface requirements applicable to EHRs;
2. offering incentives for the prompt implementation of EHRs and, ultimately, penalties for failing to adopt those technologies; and,
3. providing increased privacy protections and notification requirements for the breach of unsecured personal health information.

Standardization

Because one of the goals of the HITECH Act is to implement the use of electronic health records, it is essential to ensure that providers are using technologies that can interface with each other. For example, if a primary care physician uses an EHR system that cannot be accessed or read by the community hospital’s system, then when the physician’s patient presents to the hospital’s emergency department, the physician’s office records, which would include the patient’s current medications and past medical history, would be unavailable to the emergency department staff. The HITECH Act addresses the need for EHR standardization through the creation of the Office of the National Coordinator for Health Information Technology, or “ONC.” The purpose of the ONC is to assist in the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of personal health information. The ONC is obligated to review and endorse certain health information standards and to provide implementation specifications and certification criteria.

The HITECH Act contemplates and incentivizes the use of “Certified EHR Technology,” but does not specifically establish certification standards. Instead, Congress left the establishment of those standards to the ONC. On July 28, 2010, the ONC issued a Final Rule regarding an initial set of standards, implementation specifications, and certification criteria for EHRs. These standards are closely aligned with the requirement that, to qualify for incentive payments, providers must “meaningfully use” EHR technology, as discussed below. Therefore, the initial certification standards adopted by the ONC, which are detailed in the July 28, 2010 Federal Register, establish the capabilities and specify the standards and implementation specifications that EHR technology will need to include to support the achievement of meaningful use pursuant to CMS requirements.[14] These standards are obviously of paramount importance to EHR vendors; if those vendors do not develop systems that incorporate the ONC standards, healthcare providers and hospitals would be unlikely to adopt their products.

Pursuant to the HITECH provisions, the ONC is making it relatively simple for healthcare providers to be confident that the EHR product they choose meets the standards necessary to qualify for incentive payments. On June 24, 2010, the ONC published a Final Rule establishing a temporary certification program for health information technology. Under this program, the ONC will authorize organizations to test and certify EHRs or EHR Modules to ensure that they are compliant with standards established by the Coordinator. It is anticipated that only a few organizations will qualify to become an authorized testing and certification body, thus centralizing the EHR certification program and simplifying – or limiting – healthcare providers’ selection of an EHR vendor that will supply compliant technology that qualifies for CMS’s incentive program.


Incentive Programs

With standards in place for the maintenance and use of EHR technology, the stage is set to incentivize hospitals and healthcare providers to use that technology, which is the second goal of the HITECH Act. The Act includes Division B, Title IV of the ARRA, relating to Medicare and Medicaid Health Information Technology. Through the Medicare and Medicaid programs, and through amendment of the Public Health Service Act, the HITECH Act offers monetary incentives to “eligible professionals” for the “meaningful use” of certified EHR technology.[15] The incentive payments, which began in 2011, are available for up to 5 years if received through Medicare or up to 6 years if received through Medicaid. Hospitals are eligible to receive millions of dollars in incentive payments.

Medicare incentive payments are available for “eligible professionals,” such as doctors, dentists, podiatrists, optometrists, and chiropractors, who use certified EHR technology in a meaningful way. Hospital-based eligible professionals, such as pathologists, anesthesiologists, and emergency room physicians, are unable to receive the incentive payments. Presumably such in-house practitioners do not qualify for the incentive programs because hospitals themselves have their own incentive program. CMS has responded to questions regarding whether hospital-based providers in ambulatory care settings qualify for the incentive programs by indicating that those professionals who perform substantially all of their services in an inpatient hospital or emergency room setting are outside of the incentive program. The CMS definition suggests that hospital-based providers who provide services in an ambulatory care setting, as opposed to an inpatient setting, are qualified to receive incentive payments in the event they meaningfully use EHR technology.

The Act provides a general definition and guide for “meaningful use,” but the Rule published by CMS contemplates a more detailed, staged approach of defining the level of use necessary to qualify for incentive payments. In short, the statute outlines the following general principles constituting “meaningful use”:

1. Using certified EHR technology, including electronic prescribing;
2. Demonstrating connectivity as required by regulation for the electronic exchange of health information; and,
3. Providing reports to the Department of Health and Human Services about EHR clinical quality measures and other reports as required by regulation.

CMS’s regulations, however, provide significantly more detail in terms of what it intends to consider “meaningful use.” CMS has established a staged approach, with three stages in total, to defining “meaningful use.” The staged approach is intended to phase in progressively greater capabilities of EHR systems.

Within a proposed Rule published in the July 13, 2010 Federal Register, CMS established 25 objectives (23 for hospitals) that must be met in connection with reported use of EHR technology to qualify for incentive payments under the Medicare program.[16] These objectives consist of a core group of objectives required of all participating providers and a “menu set” of objectives from which providers can choose based upon their own preferences, needs, and the capabilities of their EHR systems. Among the objectives are the provision of patient-specific educational resources and, for hospitals, the recording of advance directives.

On September 4, 2012, CMS published a final rule specifying the Stage 2 criteria that eligible professionals must meet to continue participating in the EHR incentive program.[17] The Rule was effective on November 5, 2012. As expected, the Stage 2 criteria increase implementation of EHR systems.

Enhanced Privacy Protections

The HITECH Act also includes provisions related to enhanced privacy protections for electronically stored health information, presumably to avoid and mitigate the increased potential for disclosure of personal health information with the move to electronic record-keeping. These protections include direct enforcement authority against business associates of covered entities and notification of any breach of unsecured personal health information.[18]

The privacy protections required by the Health Insurance Portability and Accountability Act (HIPAA) are by now well established and well known. Among the HIPAA requirements is that a covered entity enter into Business Associate Agreements with individuals or organizations to which it must disclose personal health information as part of its business operations. These agreements impose confidentiality requirements on the business associate consistent with what is required of the covered entity under HIPAA.

After HIPAA, however, HHS had no direct enforcement authority over the business associate. Instead, its authority existed over the covered entity, which would arguably have rights against the business associate in the event that the business associate was responsible for any breach of personal health information. The HITECH Act, however, directly imposes the HIPAA privacy rule provisions[19] on business associates in the same manner that they are applicable to the covered entity. The HITECH Act further provides that business associates will also be subject to the same civil and criminal penalties applicable to covered entities.

The HITECH Act also includes privacy breach notification requirements in connection with its attempts to increase privacy protections.[20] Under the Act, a “breach” is defined as follows:

…the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

The definition of the term “breach” excludes unintentional disclosures made in good faith and in the course and scope of employment by an employee or agent of a covered entity or business associate, provided that such information is not further disclosed to any additional individuals; it also excludes inadvertent disclosures to individuals who are otherwise permitted to access the personal health information. In the event of a breach of “unsecured personal health information,” the Act requires individual notification to each of the patients whose personal information is reasonably believed to have been accessed, acquired, or disclosed. Business associates are also under a notification obligation: following discovery of a breach of their systems, they must notify the covered entity of those individuals whose personal health information is reasonably believed to have been accessed, acquired, or disclosed. The notification of any suspected breach must occur within 60 days of the discovery that the breach occurred. Actual notification, however, is not the only measure of when the covered entity or business associate received notice; the Act provides that a breach is treated as discovered when the covered entity or business associate actually receives notice of the breach or when it reasonably should have known of it.

There are situations where more aggressive breach notification is required. If a breach affects 500 or more patients, notification must be made immediately to those affected; the 60-day period is inapplicable. Additionally, local media must be notified of a breach of this magnitude, which will likely result in publicity for the covered entity or business associate.

The Act also requires that covered entities and business associates maintain a log of all breaches of unsecured personal health information. This log must be submitted annually to HHS. However, in the event of a breach affecting 500 or more patients, immediate notification to HHS is required, which will then result in a posting of the breaching entity’s name and additional details regarding the breach on HHS’s website.

Fortunately, there is a safe harbor developing that mitigates the breach notification obligations. Notification is required only in instances where the provider knows or should have known of a breach of “unsecured personal health information”; conversely, a breach of secured personal health information is not reportable. Pursuant to the HITECH Act, HHS must issue regulations defining “unsecured personal health information”; in the absence of that regulatory definition, the HITECH Act’s definition of unsecured is applicable and essentially means unencrypted. On August 24, 2009, HHS published an Interim Final Rule regarding Breach Notification for Unsecured Protected Health Information.[21] The purpose of the Rule was to specify “the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.” The Rule provides details regarding the types of encryption necessary to render unsecured personal health information secured, thus providing a safe harbor for providers to maintain EHRs without undue concern regarding potential breaches, the issuing of breach notifications, and the monetary and publicity-related implications inherent in breach notification.

Although HHS developed a Final Rule relating to breach notification and submitted it for regulatory review on May 14, 2010, it withdrew that Rule to allow for further consideration. HHS has determined that its experience to date in administering the regulations requires additional consideration given the complexities surrounding health information security and breach notifications.

B. Penalties and Enforcement

After enactment of the HIPAA Security Rule, the health care industry was anxious over the threat of sanctions for failure to comply with the Rule’s requirements. That anxiety has largely been unfounded inasmuch as investigations and sanctions related to HIPAA violations have been infrequent.[22] However, the HITECH Act includes provisions specifically titled “Improved Enforcement,”[23] raising questions regarding the possibility of stepped-up enforcement on the part of HHS. Specifically, the HITECH Act amends the Social Security Act to mandate investigation of any complaint for which a preliminary investigation indicates a violation of HITECH provisions by virtue of willful neglect. Moreover, if a complete investigation demonstrates an act of willful neglect leading to a violation of HITECH provisions, HHS is required by the Act to impose monetary penalties. The Act further establishes a tiered system of penalties, ranging from $100 per violation for violations committed unknowingly to $50,000 per violation for violations due to willful neglect. The inclusion of provisions requiring investigation and mandatory penalties for violation of the Act raises the possibility that healthcare providers can anticipate stepped-up enforcement of these provisions compared with the enforcement measures seen in the past with regard to HIPAA violations.

Other penalties loom in the future for healthcare providers who opt not to ultimately adopt EHR systems. Although the Act initially provides an incentive program designed to motivate healthcare providers to adopt EHR technology, the incentives ultimately transition to penalties should such adoption not occur.[24] Under the Act, beginning in 2015, non-hospital-based Medicare providers who choose not to implement EHR practices will see a 1% reduction in their fee schedule amounts per year until 2017; those reductions may further continue up to 5%. A similar draw-down of the incentive program and transition to a penalty program exists for hospitals. Therefore, it makes sense for providers who do not currently have plans to implement EHR technology to locate a vendor that offers certified EHR systems and proceed with implementation.

Although there will certainly be up-front costs associated with that implementation, those costs may be partially offset by the incentive program. In the long term, those costs can be recovered, whereas the cost of not implementing an EHR system by 2015 will continue for the foreseeable future through a gradual and continuing, but capped, reduction in fee schedule amounts.

C. Impact on Business Associates

The HITECH Act’s impact on business associates, who long flew under the radar with regard to HIPAA enforcement exposure, cannot be overstated. The Act makes clear that the Privacy Rule provisions apply directly to business associates and that business associates will now face potential civil and criminal penalties for Privacy Rule violations to the same extent as covered entities. The HITECH Act’s direct application of the Privacy Rule obligations to business associates will affect a vast array of service providers who work with personal health information in conjunction with services provided to healthcare providers. These providers can include EHR vendors, transcription service organizations, and any other organization that has reason to handle or have access to personal health information as a result of services provided to healthcare professionals.

Not only must these business associates comply with the Privacy Rule provisions directly, but they must also comply with the breach disclosure requirements. Pursuant to the Act, business associates must report a breach of personal health information to the covered entity within the same periods during which covered entities must notify individuals of any such breach. The burden of proving that a timely notification was made falls to the covered entity or business associate, not HHS or any other governmental organization. In the event the business associate fails to timely comply with the reporting obligations, it will be subject to direct enforcement and penalties.

D. Compliance

Although the statutory stage is set with the amendments and enactments effectuated by the HITECH Act, the regulatory landscape is still taking shape and continually shifting. Healthcare providers, their back office staff, or their legal counsel will have to continually stay abreast of the changes that HITECH will bring over the coming years. Just as HIPAA resulted in the creation of a “privacy officer” who could monitor organizational compliance with Privacy Rule requirements, HITECH will likely result in many providers designating an individual or individuals as “Health IT officers” who can continually monitor the shifting regulatory landscape and ensure compliance with HITECH provisions. Until the landscape is settled, it will be difficult to predict how often we will see new regulatory guidance, the enforcement steps that HHS will take with regard to HITECH violations, and the true amount of hidden costs that healthcare providers will face in implementing HITECH statutory and regulatory requirements.

E. HIPAA & HITECH Attorney Professional Responsibility Obligations

Legal counsel for healthcare providers and hospitals act as business associates insofar as the services that counsel provides include access to personal health information. All healthcare providers and hospitals should have business associate agreements with their legal counsel that address this disclosure. Under the HITECH provisions directly applying the HIPAA Privacy Rule and breach notification provisions to business associates, legal counsel are now directly subject to the same obligations as their healthcare provider clients and face the same potential for civil and criminal penalties. Legal counsel will have to act with the utmost care in providing continuing protection to any personal health information they receive.

One area of notable significance is the legal provider that acts as defense counsel in malpractice litigation. Often, defense counsel has numerous files for each of its claims and volumes upon volumes of medical records associated with those claims. It is difficult to predict how the content of counsel’s files will change once EHRs are fully implemented; those volumes upon volumes of medical records may become gigabytes of data stored on servers within defense counsel’s office. Notwithstanding this uncertainty and the potential for electronic transmission and storage of EHRs to defense counsel, many legal counsel are now digitizing medical records received from their clients for use in trial presentation software or even general case organization. This raises concerns because, in the event this data remains “unsecured” (i.e., unencrypted, at least until HHS prepares its final rules governing breach notification), any potential breach of that data must be reported to the covered entity, which will in turn be required to report it to the patient and HHS.

Because of the current digitization of documents, and the likely increase in receipt of electronically stored personal health information from their clients, legal counsel for healthcare providers should also remain apprised of the regulatory requirements related to EHR storage. Legal counsel should store any electronic personal health information in encrypted form so as to remain within the safe harbor of the breach notification provisions. Counsel should further continue to monitor the regulatory definitions related to “unsecured personal health information” and adapt their storage methods as necessary to remain in compliance with the safe harbors afforded by securing electronic health records. These obligations are broad and significant because they touch many devices that counsel use today, such as USB thumb drives, smart phones, laptops, and portable hard drives. In the event any of these items contain “unsecured personal health information” and are lost or stolen, they present the possibility of a breach requiring embarrassing notification to the client and ultimately to HHS. They further present the possibility of civil or criminal penalties imposed directly upon counsel by HHS, notwithstanding any waiver of privacy associated with a claimant’s assertion of legal rights in connection with medical care that they received.

[11] 42 U.S.C. §§ 1320d‐5, 1320d‐6.
[12] Pub. L. 111‐5.
[13] See 42 U.S.C. § 201, Note.
[14] See 75 Fed. Reg. 44590‐44654.
[15] See 42 U.S.C. § 1395w‐4(o) et seq.
[16] Id.
[17] 77 Fed. Reg. 53968.
[18] Pub. L. 111‐5, § 13401.
[19] See 45 C.F.R. §§ 164.308, 164.310, 164.312, 164.316.
[20] Pub. L. 111‐5, § 13402.
[21] 74 Fed. Reg. 42740.
[22] A notable exception is the July 27, 2010 announcement that Rite Aid Corporation entered into a $1 million settlement regarding FTC charges that the company failed to protect sensitive financial and medical information of its customers and employees. See In the Matter of Rite Aid Corp., FTC File No. 072 3121.
[23] Pub. L. 111‐5, § 13410.
[24] Pub. L. 111‐5, § 4001(b).
