The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was introduced to protect the privacy of patient data. It limited how health records could be shared, how they were stored, and even mandated the shredding of old records.
Unfortunately, while HIPAA required document security procedures, the Department of Health and Human Services (HHS) did a poor job of enforcing the new rules.
Very few practices and hospitals were penalized when data security breaches were disclosed.
To ramp up security efforts, the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 further expanded the security requirements of organizations handling medical records.
This act sought to incentivise medical practices to scan medical records into electronic health records (EHRs), increased potential legal liability for non-compliance, introduced a requirement for organizations to disclose data breaches, and much more.
HITECH Penalties and Regulations
HITECH introduced a number of new regulatory standards to help increase accountability and security in the heathcare field.
Breach Notification Requirement
HITECH imposes data breach notification requirements when unsecured PHI is leaked. It requires that patients be notified of any unsecured breach, and that the HHS be notified if more than 500 patients are affected.
Penalties for not carefully handling sensitive patient information are high under HITECH. Depending on the violation and how negligent the violator was, fines can be up to $1.5 million within a calendar year.
- If the person did not know (and by exercising reasonable due diligence would not have known) that he or she violated the law, the penalty shall be at least $100 (and no more than $50,000) for each violation
- If the violation was due to reasonable cause and not to willful neglect, the penalty shall be at least $1000 (and no more than $50,000) for each violation
- If the violation was due to willful neglect and the violation was corrected, the penalty shall be at least $10,000 (and no more than $50,000) for each violation
- If the violation was due to willful neglect and was not corrected, the penalty shall be at least $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement
HITECH created mandatory penalties for willful neglect. The civil and criminal penalties created under HIPAA extend to businesses associates including third parties who provide EHR systems. It also requires the HHS to conduct periodic audits of covered entities and business associates.
HITECH and EHR Incentive Programs
With the goal of creating an efficient, secure, nationwide electronic healthcare system, the HHS supported HITECH and issued an EHR Incentive Program rule. The rule helped support hospitals and practices that adopted a meaningful use of EHRs.
EHR incentive programs allowed eligible professionals to receive up to $44,000 over a 5 year period through Medicare and up to $63,750 over a 6 year period through Medicaid, while hospitals could receive millions in aid.
Organizations were eligible to receive funding for these programs from 2011-2016.
The HHS supports the transformation from a paper based healthcare system to an electronic one because electronic records, when used correctly, offer more accessibility and convenience for patients while providing a higher level of security.
Comply with HITECH and Prevent a Data Breach Before it Occurs
“We know from the statistics on breaches that have occurred since the notification provisions went into effect in 2009 that the healthcare industry appears to be rarely encrypting data.”
—Deven McGraw, Director of the Health Privacy Project at the Center for Democracy and Technology
All electronic patient data should be encrypted.
Large hospitals and healthcare organizations handle hundreds of thousands of patient records, and data encryption can be an expensive endeavor—but compared to multi-million dollar fines over a few years time, encryption can be the conservative and responsible option.
In addition, HITECH and the HHS encourage organizations to scan their files into an electronic format. One of the benefits of EHRs is the ability to backup data. Backing up your data ensures that it can’t be stolen and held hostage. If you have a backup copy you will be able to stay up and running in the event of a breach.
A basic tenant of any backup strategy is to keep one copy offsite. A tape rotation service can offer security and the proper care of the magnetic media.
Avoid taking backup tapes home. This is the weak link in the security chain and is the source of many healthcare data breaches. The tapes should always be transported securely and stored securely.
Take Your Medical Practice into the Digital World
Keeping patient data safe and secure is the top priority of HITECH, and should be a top priority at your practice.
Call us at (866) 385-3706 or fill out the form on the right for a free quote on services in your area. We look forward to helping you keep your patient’s information safe and accessible.