HITECH: Expanding Security for Patient Records

For healthcare patients, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was a huge accomplishment in protecting their privacy. The passing of HIPAA limited how health records could be shared, how they were stored, and even mandated the shredding of old records.

Unfortunately, while HIPAA required document security procedures, the Department of Health and Human Services (HHS) did a poor job of enforcing the new rules. Very few medical practices and healthcare organizations were penalized when data security breaches were disclosed.

To increase security, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 further expanded the requirements of organizations handling medical records. In this post, we’ll dive into the ways HITECH changed the landscape of medical records management.

HITECH Regulations and Penalties

The HITECH Act sought to incentivize healthcare organizations to convert medical records into electronic health records (EHRs). With HITECH came new regulatory standards intended to help increase accountability and security in the healthcare field.

Breach Notification Requirement

HITECH imposes data breach notification requirements when unsecured protected health information (PHI) is leaked. It requires that patients be notified of any breach of unsecured PHI, and that the HHS be notified if more than 500 patients are affected.

Heightened Enforcement

HITECH also created mandatory penalties for willful neglect. The civil and criminal penalties created under HIPAA extend to business associates, including third parties, who provide EHR systems. HITECH also requires the HHS to conduct periodic audits of covered entities and business associates.

Tiered Penalties

The penalties for HITECH noncompliance can be quite high. Depending on the violation and how negligent the violator was, fines can be up to $1.5 million within a calendar year.

  • If the person did not know (and by exercising reasonable due diligence would not have known) that he or she violated the law, the penalty shall be at least $100 (and no more than $50,000) for each violation.
  • If the violation was due to reasonable cause and not to willful neglect, the penalty shall be at least $1,000 (and no more than $50,000) for each violation.
  • If the violation was due to willful neglect and the violation was corrected, the penalty shall be at least $10,000 (and no more than $50,000) for each violation.
  • If the violation was due to willful neglect and was not corrected, the penalty shall be at least $50,000 for each violation, not to exceed $1.5 million for all such violations of an identical requirement.

HITECH and EHR Incentive Programs

With the goal of creating an efficient, secure, nationwide electronic healthcare system, the HHS supported HITECH and issued an EHR Incentive Program rule. The rule helped support hospitals and practices that adopted a meaningful use of EHRs. Organizations were eligible to receive funding for these programs from 2011-2016.

EHR incentive programs allowed eligible professionals to receive up to $43,720 over a five-year period through Medicare and up to $63,750 over a six-year period through Medicaid. Hospitals, meanwhile, could receive millions in aid.

The HHS still supports the transformation from a paper-based healthcare system to an electronic one via the Promoting Interoperability Program. It continues to advocate for the transition because electronic records, when used correctly, offer more accessibility and convenience for patients while providing a higher level of security.

Data Breach Prevention for HITECH Compliance

As with any data, it’s crucial to take the necessary steps — like encryption and backing up data — to protect patient records from exposure. For large hospitals and healthcare organizations that handle hundreds of thousands of patient records, it can seem like a daunting task. However, encryption has come a long way and can go far in supporting your data breach prevention strategy.

In addition, HITECH and the HHS encourage organizations to scan their files into an electronic format. One of the benefits of EHRs is the ability to back up data. Backing up your data ensures that the loss or theft of the originals can't be used against you: if you have a backup copy, you'll be able to maintain operations in the event of a breach.

Secure EHR Solutions With Record Nations

Keeping patient data safe and secure is the top priority of HITECH, and should be a top priority for your organization. With Record Nations, you’ll be connected to experienced scanning professionals in your area who can help you through the digitization process. Our nationwide network means you’ll find providers in Louisville, Little Rock, or anywhere in between to help you with securely scanning, storing, and destroying patient records in a way that complies with HITECH.

Call us at (866) 385-3706 or fill out the form on the right for a free quote on services in your area. We look forward to helping you keep your patients’ information safe and accessible.
