HIPAA Compliance and the HITECH Act in 2018
HIPAA compliance is an essential part of running a medical practice. The current incarnation of the HIPAA regulations has been in place since 2003 and they haven’t changed much in the intervening years — until now, that is.
The HITECH Act (Health Information Technology for Economic and Clinical Health), which was signed into law in 2009, is expected to be fully adopted this year. What does the HITECH Act mean for HIPAA compliance, and what are the changes you need to make to your practice to ensure you’re in compliance with both HIPAA and HITECH?
Overview of the HITECH Act
The HITECH Act was designed to expand the types of businesses covered by HIPAA. It requires not only medical professionals to be HIPAA compliant, but any subcontractors, companies that cover the transmission of protected health information (PHI), electronic prescription gateways and patient safety organizations to also be in compliance with HIPAA regulations.
This doesn’t make any changes to the currently established exceptions to HIPAA’s business associate standard.
HITECH was also designed to focus more on the patient than HIPAA, allowing patients to more directly access their electronic health records (EHR). This also demands patients be informed by their provider if their health records are compromised in any way.
The act encouraged “meaningful use” of electronic health records, helping to improve communication between health care facilities in direct relation to patient care.
If your practice or facility has an IT security department, it’s probably entirely different than the ones that are part of other businesses surrounding you. Network security is usually managed by many different departments or even different businesses, making universal security compliance difficult to manage.
The new HIPAA/HITECH overlap mandates universal compliance. This makes security simpler and easier to maintain for workers while still ensuring the safety of patient PHI.
One solution that is being suggested is the use of “smart cards” which will act as employee identification, a security access token and authenticator, all in one simple card. This helps to keep the system more regulated because you don’t have to worry about carrying — and potentially losing — multiple cards or remembering long identification numbers.
Know Your Compliance
How can you determine if your practice is compliant with both HIPAA and the HITECH Act? You can go over the rules yourself, but these laws are so sweeping and expansive that it’s easy to miss something that could end up costing you thousands of dollars.
If you’re still concerned about your current HIPAA and HITECH Act compliance, hiring a professional Privacy Officer can help you evaluate your current practices and ensure that you are checking all the boxes when it comes to meeting your obligations.
Changes in Fines
HIPAA fines, until now, have been standard — unfortunately, they often weren’t costly enough to discourage HIPAA violations. Before HITECH was enacted, it was impossible to impose fines of more than $100 for individual offenses or $25,000 for all offenses at the same time.
The new overlap has changed the cost of violating the HIPAA or HITECH Act. These offenses are broken into three categories, based on the intent of violation.
Violations in the Did Not Know category are the only ones that may still generate a $100 fine. The change here is that the U.S. Department of Health and Human Services now has the option to charge between $100 and $50,000 for each violation, with a total fine of $1.5 million for identical offenses in a calendar year.
Reasonable Cause violations will start at $1,000 with the same $1.5 million cap for identical violations.
Willful Neglect fines fall into two categories — corrected and not corrected. Fines for corrected Willful Neglect charges will range from $10,000 to $50,000. Fines for not corrected violations start at a minimum $50,000 each.
HIPAA and the HITECH Act are both essential tools for ensuring the security of patient health information. Take the time to review alone or with a professional that you are in compliance with both acts so you can continue to serve your patients without the worry of massive fines for privacy violations.