A blog focused on messaging, Web and collaboration issues, including email, instant messaging, VoIP, Web conferencing and other technologies that help people communicate more efficiently and effectively.

Monday, January 4, 2010

How much do you know about HITECH?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009. Part of the “stimulus” bill that Congress passed, HITECH modifies the Health Insurance Portability and Accountability Act (HIPAA) that has been in effect for many years.


There are a number of areas in which HITECH will have a significant impact:

  • Previously, physicians were permitted to disclose electronic health information to others if that disclosure was necessary for treatment of patients, payment of claims, etc. That has not changed, but now physicians will be required to track when that information is disclosed, which will require them to implement policies, procedures and technologies to do so. That means that if they disclose electronic health information for a patient, they must track that information wherever it might go for as long as it exists.
  • While HIPAA previously applied mostly to physicians, medical practices, hospitals and the like, the business associates of these entities will now be required to comply with HIPAA’s rules about the security and privacy of protected health information (PHI). That means that if you’re an accountant, a benefits provider, an attorney or anyone else who is given access to PHI, HIPAA now applies to you.
  • Breach notification rules have been significantly beefed up in the new HIPAA. For example, if 10 patients’ records are breached, the offending organization must post information about the breach. If the breach impacts 500+ patients, every patient in the offender’s operation must be notified, the secretary of Health and Human Services must be told, and a prominent, local media outlet must be notified.

What does this mean for those who use email for the transmission of PHI or store it electronically? First, it will negatively impact small medical practices the most because, like any small business, these operations spend the most per patient on technology solutions. These practices will need to implement encryption solutions that will protect data in transit and at rest. Their business partners will also need to implement this technology so as to manage PHI during the entire lifecycle of the information.


For larger operations like hospitals and large medical practices, costs will also go up to protect PHI in more robust ways than has previously been necessary. Here, too, business partners of these larger organizations will need to implement encryption and other technologies to protect PHI.


Long term, profits in the healthcare industry will almost certainly decrease given that a) government is paying a larger share of healthcare costs over time, b) government will be paying less per patient in the future, and c) healthcare organizations will be spending more on technology to protect PHI.


On the positive side, PHI may be more protected as a result of these changes. Further, organizations inside and outside the healthcare industry will implement encryption technology (which they should be doing now anyway). Because the use of encryption is an important best practice, this might be the primary, positive impact that comes from the new HIPAA.
