What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health Act (HITECH) Act is part of the American Recovery and Reinvestment Act (ARRA) of 2009 that HIPAA stems from, and it encourages the use of electronic health record (EHR) systems through incentivization.
The argument could be made that EHR system providers, and the healthcare IT industry as a whole, have reaped the benefits provided by the HITECH Act.
HITECH increases the exchange of electronic protected health information (ePHI) and broadens the potential for Security/Privacy Rule enforcement under the Health Insurance Portability and Accountability Act (HIPAA).
Since the Final Rule of 2013 has been under enforcement, both Covered Entities (CEs) and Business Associates (BAs) are subject to fines for non-compliance with a whole smorgasbord of loosely defined rules. Fines for “willful neglect” have increased drastically, and ignorance was eliminated as an excuse – unless it is remedied within 30 days (not always possible to do, even if you’re a HIPAA professional).
So how did we get here? Everything happens in stages and before we had the Final Rule of 2013, there was the Interim Final Rule of 2009… and it was a game changer. Don’t believe us? Let’s go straight to the source.
Here is the actual press release for the Interim Final Rule that was issued by the U.S. Department of Health and Human Services (HHS) Press Office:
HITECH Act News Release
FOR IMMEDIATE RELEASE
October 30, 2009
Contact: HHS Press Office
(202) 690-6343
HHS Strengthens HIPAA Enforcement
The U.S. Department of Health and Human Services (HHS) issued an interim final rule with request for comments today to strengthen its enforcement of the rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA). The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, modified the HHS Secretary’s authority to impose civil money penalties for violations occurring after Feb. 18, 2009. These HITECH Act revisions significantly increase the penalty amounts the Secretary may impose for violations of the HIPAA rules and encourage prompt corrective action.
Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered health care provider, health plan or clearinghouse could also bar the Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules. Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.
The interim final rule with request for comments published today conforms the HIPAA enforcement regulations to these revisions made by the HITECH Act. It may be viewed and commented on at: www.regulations.gov. This rulemaking will become effective on Nov. 30, 2009, and HHS will consider all comments received by Dec. 29, 2009.
“The Department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information,” said Georgina Verdugo, the director of HHS Office for Civil Rights (OCR). OCR is responsible for administering and enforcing HIPAA’s privacy, security and breach notification rules.
“This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules,” said Verdugo. “Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”
This interim final rule with request for comments is the first of several steps HHS is taking to implement the HITECH Act’s enforcement provisions. The remaining provisions, which have yet to become effective, will be addressed in the next few months in forthcoming rulemakings. Additional information about HIPAA and several related rulemakings may be found on OCR’s Web site: https://www.hhs.gov/ocr/privacy/.
Just Imagine The Possibilities with the HITECH Act
While the HITECH Act encouraged the use of EHR systems, it also increased the liability burden of EHR system software vendors. Webs are often tangled, and this one is no exception.
Since HITECH holds BAs jointly responsible with CEs for security breaches, and since EHR system software vendors are clearly identifiable BAs, EHR system software vendors became liable for security breaches. They also have to comply with the Breach Notification Rule.
It’s not difficult to form the hypothesis that breach reporting services and breach notification services saw a lucrative spike in demand for their offerings. But the biggest winner of all could be the providers of credit monitoring services, due simply to the predictable (and sizable) breaches that regularly occur as a result of insufficient cybersecurity.
Cybersecurity firms appear to be the underutilized potential heroes! But back to the current winners – cyberinsurance is a newer one.
But back to the alleged biggest winner: you hear about credit monitoring services being awarded free to victims of breaches- rest assured that these companies are being paid, though.
Can you imagine how much they made as a result of the massive Equifax breach?
Then there is the unfathomable Capital One breach of 2019, where the alleged lone hacker was intelligent enough to pull off the biggest big bank breach (say that ten times) of all time, but not smart enough to cover their digital footprint (again, allegedly), all while busy reportedly taking their cat to the vet every day (true story).
But they are now under arrest, and the Seattle-based hacker is likely now sleepless in Seattle – so they don’t make the winner list. So, back to that! Also winning is the FBI who successfully followed the trail of the brilliant/not so brilliant Seattle hacker, and the law firms who get paid as part of identity theft insurance awards-handed out by big banks (even online banks).
Also winning is anyone and everyone who is a branch in the tree of identity theft protection and identity theft insurance. Trees often have cobwebs that connect their many branches, and this tree boasts the potential of a very elaborate web.
Who really pays the price for all this?
The consumers who suffer data breaches, and the unsuspecting medical practices/practitioners who do not adequately understand- and therefore cannot adequately comply with- HIPAA and HITECH regulations.
Although all of this is reportedly in place for the benefit of individuals, HITECH does not allow individuals to bring action against Covered Entities and Business Associates, but a state’s Attorney General can.
Someone with a good imagination could even wonder if this allows for the targeting of selected Covered Entities and Business Associates for rule enforcement, and for the powerful all-seeing eye to be blinded towards others. What is not left to imagination, is the danger to you in all of this HIPAA and HITECH violation business.
We painted the pretty ugly picture above using non-rose colored glasses, but only because we believe in considering all angles. That’s just how thorough we are, and we suggest that you be just as thorough when it comes to complying with the HITECH Act.
You’ve taken the first step, and that is learning about the HITECH Act.
Now you know, and a great American once said that “knowing is half the battle.” We are always available if you need help with the other half.
The HITECH Act’s Impact on Artificial Intelligence
HITECH put computer systems in almost every medical practice, by incentivizing meaningful use of EHR with up to $27 billion in payments to providers.
The resulting data is “big data,” and machines learn on it. Algorithms are fed vast quantities of data to discover patterns, and the HITECH Act created many datum. The HITECH Act might have been the reason for most medical data that has been made available to algorithms as part of their learning process.
This could lead to the discovery of new cures and life-extending treatments by Artificial Intelligence.
We won’t talk about how all of the medical data that’s inputted via a keyboard or keypad can be stolen with keylogger malware, but we will tell you that all of your devices should be equipped with patented keystroke encryption- not to be confused with regular (ineffective) encryption.
But back to Artificial Intelligence.
We are a bit unsure as to why this Intelligence is called “Artificial,” because it’s pretty real. We’re pretty smart, but can’t read much more than a book a day.
Try looking into how much data AI can consume in one day, largely owing to HITECH and the mountains of data it’s created!
The other benefit to Artificial Intelligence is that it can put you in charge of your medical care, and your medical records. You can determine who gets to see your records, for what reason, and for how long.
Assistants are great, so wouldn’t you want the smartest one available?