HITECT Act was created aside from the pre-existing HIPAA laws to strictly implement the patients’ security of information. Nitin Chhoda explains the difference between the two, and how they are connected to each other.
HITECH Act or the Health Information Technology for Economic and Clinical Health Act expands on the already existing HIPAA regulations protecting patient health information.
The result is that healthcare practice management providers must take certain steps when privacy issues arise.
If sensitive and personal health information has been stolen or possibly viewed, HIPAA covered hospitals or medical facilities must notify their patients within 60 days.
Within the HITECH Act, the term breach is used to mean
“unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
A breach of patient health information not only requires the medical clinic to report to the patients, but also to a major media outlet and to the Secretary of the Dept of Health and Human Services.
The HITECH Act even outlines what must be included in the notice, including the date of the breach as well as the date of discovery of the breach along with a description of what happened. Other information that must be included:
- Steps that patients can take to avoid potential harm.
- Description of what was stolen or viewed.
- Description of what is being done by the medical clinic to minimize damage, investigate what happened, and avoid a similar incident in the future.
- Contact information so patients can call, email, review, or write to the company for more information or if they have questions.
HIPAA is thought to provide these protections, but it is also considered to be very poorly enforced.
The HITECH Act puts enforcement as a top priority and includes hefty fines for what has been termed “willful neglect”, a very imprecise term that will be defined by cases in the future.
Additionally, the HITECH Act puts more pressure on “business associates” of healthcare providers. HIPAA allows these business associates to have access to information via contracts.
But now they will be held responsible for breaches in a more comprehensive way. Providers of EMR or EHR systems are considered business associates and will have to consider HIPAA security and privacy rules when designing EHR or EMR systems.
Incentives for Healthcare Providers
The HITECH Act isn’t all focused on procedure, however, and as it is part of the American Recovery and Reinvestment Act (ARRA), there are also some incentives for healthcare providers.
Most of the incentives focus on promoting the use of electronic medical records and electronic health records. Because electronic records cut down on long term costs, but require an initial investment that many clinics don’t want to make, ARRA and the HITECH Act offer financial benefits if you make the switch.