To fully answer the question why is the HITECH Act important, you have to assess the Act from different perspectives. This is because the consequences of HITECH are different for HIPAA Covered Entities than they are for Business Associates, while the Act also has implications for the quality of care provided to patients.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA) and appeared in ARRA as two separate Titles – Title XIII of Division A (“Health Information Technology”) and Title IV of Division B (“Medicare and Medicaid Health Information Technology; Miscellaneous Medicare Provisions”).
The reason for HITECH appearing under two Titles is that Subtitles A, B, and C of Title XIII outlined a strategic plan for the development of a nationwide health information technology infrastructure; the adoption standards, implementation specifications, and certification criteria for EHRs; and how proposed Regional Extension Centers to support implementation of the plan would be funded.
The carrot for healthcare organizations to support the plan appeared in Title IV of Division B with the Meaningful Use incentive program for Medicare-eligible entities. Title IV also provided incentives for Medicaid-eligible entities in the form of grants for implementing certified EHRs or upgrading existing EHRs. The incentive program and grants were time-limited to accelerate the rate of adoption.
Due to the incentive program and grants being time-limited, adoption was rapid. Prior to the passage of ARRA, only 10% of healthcare organizations used EHR systems. By 2017, more than 90% of healthcare organizations had EHR systems and were putting them to meaningful use. However, the increased adoption of EHRs is not the only answer to the question why is the HITECH Act important.
Title XIII Subtitle D – Privacy Provisions
Possibly the most wide-ranging consequences of the HITECH Act can be found in Title XIII Subtitle D. While given the general title “Privacy”, this subtitle required Business Associates to comply with elements of the HIPAA Security Rule, made Business Associates liable for violations of HIPAA, and placed reporting requirements on Business Associates in the event of a breach of unsecured PHI.
Timelines were introduced for all breach notifications, Business Associate Agreements were required for relationships between Covered Entities and Business Associates (or Covered Entities acting as a Business Associate for another Covered Entity), and new enforcement provisions were announced – including increased fines for non-compliance and the right for State Attorneys General to take civil action.
One of the most significant changes made by HITECH was in relation to the “burden of proof”. When a breach of unsecured PHI occurred prior to the enactment of the HITECH privacy provisions, HHS’ Office for Civil Rights had to prove a “significant risk of financial, reputational or other harm” before taking enforcement action. HITECH reversed the burden of proof onto Covered Entities and Business Associates who – if not reporting a breach – had to demonstrate a low probability of harm.
Other provisions that help fully answer the question why is the HITECH Act important include:
- Strengthening limitations on the permitted uses and disclosures of Protected Health Information (PHI).
- Prohibiting the use of PHI for marketing purposes without patient authorization.
- Expanding patients’ rights to receive electronic copies of their health information.
- Restricting disclosures to a health plan when a patient has paid for healthcare privately.
- Modifying the content and distribution of Covered Entities’ Notices of Privacy Practices.
- Amending requirements to facilitate disclosures of child immunizations to schools.
- Enabling access to decedent information by family members or authorized others.
Privacy Provisions Enacted in Final Omnibus Rule
While the majority of HITECH provisions were enacted in 2011, the privacy provisions were not enacted until 2013 when the Department of Health and Human Services published the Final Omnibus Rule. The Final Omnibus Rule incorporated most of the HITECH privacy provisions into the HIPAA Privacy, Security, and Breach Notification Rules, along with changes attributable to Executive Order 13563 and the Genetic Information Nondiscrimination Act (GINA).
However, not every privacy provision was included in the Final Omnibus Rule. For example, the HITECH Act instructed the Secretary of Health and Human Services to promulgate regulations for the distribution of civil money penalties that would include a percentage for the victims of data breaches. Despite plans being drawn up in 2018 to enact this provision, the difficulties in identifying victims and distributing funds fairly have prevented any action on this instruction.
Other HITECH privacy provisions incorporated into HIPAA were modified following public and stakeholder comments when the Interim Final Rule was published. These included patients being able to receive copies of their health information maintained on any electronic device (HITECH’s provisions only related to EHRs), and Business Associate accountability being extended to any subcontractors of Business Associates with whom PHI is shared.
The changes to the Privacy, Security, and Breach Notification Rules had significant implications – not only for Covered Entities and Business Associates, but also for patients. To demonstrate how the changes have affected operations in the healthcare industry, the following sections explain separately why the HITECH Act is important to Covered Entities, Business Associates, and patients.
Why is the HITECH Act Important to Covered Entities?
One of the primary objectives of the original HIPAA Act in 1996 was to streamline functions in the healthcare industry to improve efficiency and reduce costs. The Act had been partly successful in achieving its objectives by standardizing health care transactions and code sets but had failed to reach anything close to its full potential because many patient, treatment, and payment records were still maintained on paper.
HITECH kicked the healthcare industry into the digital age by incentivizing healthcare organizations to become more efficient. In its 2016 Report to Congress, the Office of the National Coordinator for Health Information Technology reported “84 percent of academic studies examining health IT functionalities required under the Medicare and Medicaid EHR Incentive Programs had a positive or mixed positive effect on quality, safety, and efficiency of care”.
HITECH’s privacy provisions also encouraged Covered Entities to become HIPAA-compliant. Prior to HITECH and the publication of the Final Omnibus Rule, it was often cheaper to pay any fine issued for non-compliance than it was to invest in compliance. With the fines substantially increased, and the revenue from fines used to finance increased enforcement action, it was no longer financially viable for Covered Entities to pretend HIPAA didn’t exist.
Why is the HITECH Act Important to Business Associates?
Why the HITECH Act is important to Business Associates is an easy question to answer when you consider the privacy provisions of Title XIII Subtitle D. Since the publication of the Final Omnibus Rule, Business Associates (and their subcontractors) have had to comply with the Administrative, Physical, and Technical Safeguards of the Security Rule plus the “Policies and Procedures and Documentation Requirements” (§ 164.316) and the Breach Notification Rule.
Undoubtedly this has created a lot of work for Business Associates, and some might consider certain requirements excessive. For example, Business Associates are required to implement a security awareness and training program for all members of the workforce. As a workforce consists of any individual under the control of the Business Associate (e.g., cleaners), this means resources may have to be assigned for training individuals with no access to a workstation.
However, the requirement to enter into a Business Associate Agreement with a Covered Entity before PHI is shared does provide some protection against being falsely accused of non-compliance in the event of a data breach due to the negligence of a Covered Entity. Additionally, being able to demonstrate HIPAA compliance via an audit or certification can also contribute towards an increase in business with organizations in the healthcare industry. So, it’s not all bad news.
Why is the HITECH Act Important to Patients?
There are multiple reasons why HITECH is important to patients – from facilitating faster, better-informed clinical decisions to enabling patients to have more involvement in their healthcare. Improved patients’ rights under HIPAA (via HITECH) enable patients to choose where they obtain healthcare (subject to the terms of their insurance) and smooth the transfer of medical histories from one provider to another – eliminating the necessity for repeat tests.
Beyond the impact HITECH has had on the healthcare experience, the increased enforcement of HIPAA and application of the Security Rule to Business Associates mitigates the risk of data breaches. This reduces the likelihood of individually identifiable information being used to commit identity theft; and – should a breach of unsecured PHI occur – the mandated notification procedures enable patients to take timely measures to mitigate the risk of being a victim of the data breach.
At a holistic level, the digitalization of medical records has driven innovation in the healthcare industry. Data can be collated quickly to be used for immunization reporting, disease surveillance, and in research projects such as Cancer Moonshot. There is also evidence to suggest that the digitalization of medical records reduces physician burnout, which in turn leads to more accurate diagnoses and treatments, and better patient outcomes – primarily thanks to HITECH.