HITECH Act and Meaningful Use

HITECH Act and Meaningful Use

Health

The American Recovery and Reinvestment Act was made into law in February, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) piece of this act includes extensive new requirements for privacy and security that impact HIPPA covered entities and business associates (Information Memorandum, 2010). Congress enacted HITECH with the intent to create a national infrastructure for the exchange of health information. HITECH's privacy provisions establish a secure process for the electronic exchange of PHI by enhancing the existing privacy protections available under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Marietta, 2010).

The least necessary standard for the use and disclosure of PHI is the central aspect of HIPAA's and HITECH's privacy provisions. Under HITECH, a covered entity will be compliant with the HIPAA minimum necessary standard for use, disclosure, and requests for PHI if the entity limits such PHI to the extent practicable. With this rule, a covered entity must first limit any use of, disclosure of, and requests for PHI to a limited data set (LDS) to the extent it is practicable. However if the covered body concludes that it needs more information than what is contained within the LDS, then it must analyze and determine what PHI is the minimum amount necessary to accomplish its intended purpose of such use, disclosure, or request, respectively (Marietta, 2010).

There is an estimated six-month window from the time HITECH's new minimally necessary limitations become effective on February 17, 2010, until the time they will expire on or before the deadline of August 17, 2010, when DHHS must issue its new guidance on what constitutes minimally necessary for purposes of using, disclosing or requesting PHI. Even though these restrictions will be short-lived, they should not be overlooked. Covered units need to take steps to update and revise their HIPAA minimally necessary PHI policies and procedures to ensure compliance with the same, or otherwise, they may face the potential for greater civil monetary penalties than under HIPAA (Marietta, 2010).

The HIPAA privacy and security rules along with the new penalties, now apply directly to business associates, such as claims clearinghouses, billing firms, banks, health information exchanges and software companies. It treats these entities as though they were healthcare organizations. Before, the regulations only applied to covered entities, such as hospitals, physician group practices and health insurers. Now, the rules apply to any party that has access to protected health information (Anderson, 2010).

All covered entities along with their business associates, must inform those affected within 60 days if protected health information has been breached. If the breach involves more than 500 people, they also must tell the Department of Health and Human Services along with the local news media. Covered entities must keep a record of all data security violations and annually submit it to HHS. Business associates who have a breach must inform the covered entity, which then must advise the individuals. Companies that sell personal health records must obey a similar breach notice rule from the Federal Trade Commission. Under HITECH, the term breach refers to the unlawful attainment, access, use or disclosure of protected health information in which the security or privacy of such information is compromised. If a breach occurs a healthcare organization would have to send out first-class letters to any patients who might have been affected by the breach. Electronic mail can be used if the individual agrees to receive electronic notice and such agreement has not been withdrawn. If at least ten of the first-class letters come back for a bad address, the hospital must then post a notice of the breach on its home page and offer a toll-free breach information number for 90 days (Anderson, 2010).

To receive the financial incentives, eligible professionals and hospitals must achieve meaningful use of an electronic health record (EHR). In December 2009 the Centers for Medicare & Medicaid Services (CMS) released an advanced copy of a notice of proposed rulemaking defining the requirements for meaningful use, the measures and the details of how eligible providers and hospitals will be paid the incentive dollars. The requirements are substantially the same as those approved the by the Office of the National Coordinator (ONC) policy committee in July of 2009. Meaningful use necessities are still grouped into three stages but the designations are no longer tied to dates. In Stage 1, the focus is on capturing data, in Stage 2 on reporting health information and tracking key clinical conditions, and in Stage 3 on improving performance and health outcomes (Update on Meaningful Use, 2010).