HIPAA & the HITECH Act: Facing the Teenage Years
It has been almost 3 ½ years since the President signed the American Recovery and Reinvestment Act of 2009 (ARRA). From an economic perspective the Health Information Technology for Economic and Clinical Health Act (HITECH Act) might be considered a footnote within ARRA, but it is a very important footnote for those of us in the healthcare industry. HITECH has given birth to many things that affect us on a daily basis including the Meaningful Use EHR incentive program, regional extension centers and educational opportunities related to health informatics. HITECH also brought us some changes related to HIPAA. Although most of us would prefer to just shut that troublesome child in its room, we’d all be wise to pay attention.
HIPAA’s identity crisis and the Audit Protocol
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. I know it is hard to believe, but HIPAA has been with us for over 15 years, and like some teenagers, it is beginning to present some unique challenges. As the name implies, HIPAA (not HIPPA as we continue to see on occasion) is principally devoted to protecting health insurance coverage for workers changing or losing their jobs. Camouflaged by the act’s title, however, is the broad impact this legislation has had upon health care providers. Starting with the Privacy Rule and later the Security Rule, HIPAA defines the way we are expected to safeguard our patients’ Protected Health Information (PHI). In anticipation of an explosion in EHR adoption, the HITECH Act broadened the scope of HIPAA not only from the Privacy and Security perspectives, but also with regard to Breach Notification. The Office of Civil Rights (OCR) is the division within Health and Human Services tasked with enforcing HIPAA. Recently, OCR published a HIPAA Audit Protocol related to the HITECH Act requirements.
At first glance, the HIPAA Audit Protocol appears daunting. The section related to the HIPAA Security Rule has 77 individual points; Privacy and Breach add an additional 88 items to the mix. Remember though, HIPAA is not a “one size fits all” program. For example, the expectations for a 15,000-employee health system are substantially different from those for the solo practitioner. Having said that, all health care providers, regardless of size, are expected to meet the basic requirements of the HIPAA Privacy and Security Rules.
Navigating HIPAA and staying compliant
Many of you have appropriately sought outside counsel regarding HIPAA compliance. This is particularly true of larger practices. Due to resource constraints, smaller practices often incorporate HIPAA compliance by leveraging internal assets. In a past life, I wore the hat of Privacy Officer for a medical practice with almost 150 employees. And while I am not qualified to pass out advice on the subject, I would suggest that whether you belong to a large or a small practice, you or someone in the group take a look at the OCR HIPAA Audit Protocol. Spend an hour reading the points that are raised. Try to identify gaping holes, and if they exist, fill them.
Historically, some have wondered about OCR’s diligence in enforcing HIPAA. It’s unclear whether or not we can expect that to change, but the added teeth brought to bear by the HITECH Act should not be ignored. For example, one of the Stage 1 Meaningful Use core objectives addresses compliance with a component of the HIPAA Security Rule. In addition, EHR adoption is clearly on the rise, and a substantial amount of money is changing hands due to the HITECH Act.
HIPAA remains one of the least favorite acronyms in medicine, but at the end of the day, we owe it to our patients to do what we can to protect their health information. Someone recently reminded me there are 168 hours in every week. Spend one of them with the HIPAA Audit Protocol. Like spending quality time with an unruly adolescent, in the long run, it will be time well spent.