The HITECH Privacy and Security Act
- The HITECH Act of 2009 enforces necessary guidelines
- Securing Protected Health Information (PHI) is essential to Electronic Health Record (EHR) adoption
- Healthcare facilities must meet stringent measures for PQRI payouts
The Health Insurance Portability and Accountability Act (HIPAA) has taken root and grown since President Obama's enactment of the Recovery Act of 2009. For healthcare facilities, this Act brings reform, higher payouts for electronic processing within a given timeframe, stringent security policies, a tighter rein on information security, and stronger enforcement of the privacy rules governing network security.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, which accompanies the Recovery Act of 2009, is a set of rules and guidelines that must be followed to ensure Protected Health Information (PHI) remains private, is collected and documented in the manner necessary for proper reimbursement, and meets the level of security required by HIPAA. It affects how healthcare facilities store, retrieve and transfer data across the network, use PHI in software programs, discuss PHI in electronic mail, and transfer data on portable storage devices and through ordinary print and paper transactions.
With Electronic Health Record (EHR) systems becoming more widely adopted in healthcare facilities and in their business partners' facilities (pharmacies, insurance companies, claims adjusters, etc.), the likelihood of a breach of PHI is higher. To drive these facilities to enforce the security and privacy of a patient's PHI, as well as to collect the correct amounts and types of data, the HITECH Act is being developed. The HITECH Act sets out a strict list of rules for how PHI is to be protected and collected, but leaves the precise choice of practices for protecting and collecting that data to the security officers or information security teams of a facility. Facilities with limited technological resources on-site are also able to contract freelancers and firms that are building up their knowledge of the new laws, and employ their services in order to be in compliance.
The protection reaches into essentially every corner of information technology within the facility. Through tiered administration, such as Microsoft's built-in hierarchy of access in Server 2003 or Server 2008's Active Directory, facilities are required to safeguard PHI by allowing access to this data only to trained, equipped personnel who have been thoroughly educated in the HITECH Act and in basic network security requirements. In a medical facility, this means that only those who need access to a particular patient's or set of patients' electronic records are able to gain it, and anyone without those rights who attempts to do so will be blocked. The Act goes on to state that, for the safety and security of the facility, attempts to access records without the rights to do so will be recorded in an audit trail for review by the security officer on a set timeframe. Any breach of information resulting from a person or entity being allowed to access PHI when they should have been blocked would result in penalties for the facility and for the individual or entity, as well as for any individual(s) or entity(ies) associated with the breach. A single unauthorized access could result in multiple penalties if the breach behind that access is found to have been repeated in any manner.
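The access model described above (only the care team can open a patient's chart, everyone else is blocked, and every denied attempt is written to an audit trail for periodic review) can be illustrated in code. The example below is added here and is not part of the original post; the roles, user names, patient IDs and log entries are constructed sample data, and in a real facility the permission table would be driven by the directory groups (for instance Active Directory) rather than a hard-coded dictionary.

```python
"""Added example: least-privilege chart access with an audit trail of denials.
All users, patient IDs and log entries are constructed sample data."""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: which staff member may read which patient charts.
# A real deployment would resolve this from directory group membership.
CARE_TEAM = {
    "dr_smith": {"P001", "P002"},
    "nurse_lee": {"P001"},
    "billing_ray": set(),  # billing role: no clinical chart access at all
}

# Audit trail of denied attempts. A production system would write this to
# append-only storage that the accessing user cannot modify.
AUDIT_TRAIL = []


def request_record(user, patient_id, when=None):
    """Allow access only if `user` is on the patient's care team.

    Returns True when access is granted. Every denied attempt is appended to
    AUDIT_TRAIL so the security officer can review it on a set schedule.
    """
    when = when or datetime.now(timezone.utc)
    allowed = patient_id in CARE_TEAM.get(user, set())
    if not allowed:
        AUDIT_TRAIL.append({
            "ts": when.isoformat(),
            "user": user,
            "patient": patient_id,
            "outcome": "DENIED",
        })
    return allowed


def review_denials(trail, threshold=2):
    """Summarise denied attempts per user for the periodic review.

    Returns {user: count} for users whose denied attempts reach `threshold`,
    which is the "repeated" pattern the post says attracts extra scrutiny.
    """
    counts = Counter(e["user"] for e in trail if e["outcome"] == "DENIED")
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    request_record("dr_smith", "P001")      # allowed, nothing logged
    request_record("billing_ray", "P001")   # denied, logged
    request_record("billing_ray", "P002")   # denied, logged
    request_record("nurse_lee", "P002")     # denied, logged
    print(review_denials(AUDIT_TRAIL))      # {'billing_ray': 2}
```

The point of keeping the denial log separate from the allow decision is that the review function can be run by the security officer against the trail alone, without touching the permission table.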
How then can a facility tighten its belt and, while enforcing such rules, make a profit on something as highly priced as an EHR system? Incentives for employing the software and the processes are the key to the success of the HITECH Act program. Upon President Obama's signing of the Recovery Act of 2009, a provision was put in place for healthcare facilities' EHR adoption that allows compliant facilities to collect an incentive payment, beginning in 2011. This incentive payment will equal $44,000 per provider for Medicare reporting and $65,000 per provider for Medicaid reporting. Subsequent years of reporting after 2011 could bring a reduction in the actual benefit paid. The reporting requirements include adoption and "meaningful use" of a "certified" EHR software system by the required date.
While these incentives are real and the potential benefits seem tremendous, there are requirements that must be met to be in compliance. As of today, there are no definitive guidelines for the terms "meaningful use" and "certified" as set forth in the Act. These are to be determined by the Office of the National Coordinator for Health Information Technology (ONC) by December 31, 2009, but the requirements currently include:
- The use of e-Prescribing systems
- Electronic exchange of data
- Submission of PQRI or quality clinical data to HHS
Although this incentive seems like a reason to move quickly and cut corners when purchasing an EHR, racing out to partner with the nearest vendor or working quickly and making mistakes in implementing an EHR could result in poor collection of data or improper training in the use of the program. Instead of working towards a goal of meeting the deadline for incentive pay, a facility should review their wants and needs in a program, evaluate the costs associated, conduct site visits to facilities that have implemented EHR software, and form a knowledgeable team to lead the implementation as quickly as possible without making mistakes. Failure to do so early on could result in later problems that may cost more, especially in cases of breach of PHI.
Once implemented, HITECH, as it is associated with HIPAA law, requires tight security in the transfer and storage of data within the EHR. Security officers and contracted firms employed to perform this role must ensure that electronic mail is secure, that portable storage devices are encrypted, and that only authorized individuals or entities are allowed to access the PHI. This means that any use of PHI must be protected from intruders, including but not limited to:
- Names
- Geographic information
- Dates
- Phone and Fax numbers
- Electronic mail addresses
- Social Security Numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/License numbers
- Vehicle identification/serial numbers
- Device identifiers/serial numbers
- URLs from the web
- IP (Internet Protocol) numbers
- Biometric identifiers
- Full face photographic images
- Any other current identifier that could be connected to PHI
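Several of the identifiers in the list above have a recognisable shape (Social Security Numbers, phone and fax numbers, e-mail addresses, IP addresses, URLs, dates), which makes it possible to scan outbound text, such as an e-mail body, before it leaves the facility and either flag or redact what it finds. The scanner below is an added example, not code from the original post; the message it scans is a constructed sample, and the patterns are deliberately simple. Identifiers with no fixed format (names, geographic data, medical record and account numbers) cannot be caught this way and need a lookup against the facility's own registries instead.

```python
"""Added example: flag and redact pattern-detectable PHI identifiers in text.
The sample e-mail and all values in it are constructed, not real data."""
import re

# Categories from the identifier list that have a recognisable shape.
# Names, geographic data, MRNs and account numbers are NOT covered here.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # (555) 010-2233 or 555-010-2233 or 555.010.2233
    "phone_or_fax": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s<>\"]+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# Constructed sample message; every identifier in it is made up.
SAMPLE_EMAIL = """Subject: follow-up for patient visit
Please review the chart at http://portal.example.org/chart/P001 before 04/12/2010.
Patient SSN 123-45-6789, callback (555) 010-2233, e-mail jdoe@example.org.
Request came from workstation 10.20.30.40 in clinic B."""


def find_identifiers(text):
    """Return {category: [matches]} for every category that matched in `text`.

    An empty dict means no pattern-detectable identifier was found; it does
    not mean the text is free of PHI, since names and MRNs are not matched.
    """
    found = {}
    for name, rx in PATTERNS.items():
        hits = rx.findall(text)
        if hits:
            found[name] = hits
    return found


def redact(text):
    """Replace each match with a bracketed category label, e.g. [SSN]."""
    for name, rx in PATTERNS.items():
        text = rx.sub(f"[{name.upper()}]", text)
    return text


if __name__ == "__main__":
    for category, hits in find_identifiers(SAMPLE_EMAIL).items():
        print(f"{category:13s} {hits}")
    print()
    print(redact(SAMPLE_EMAIL))
```

In practice a scanner like this sits at the mail gateway or in the tool that writes to removable media, and a positive hit should block the transfer or force encryption rather than merely warn the sender.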
Although relatively new in electronic form, the protection and collection of PHI has been around for some time. The HITECH Act of 2009 only reinforces that technology is moving forward: just as the physical equipment we use to collect and store PHI is changing, our methods and processes for information security and privacy also need to change. Adoption of an EHR puts a healthcare facility in compliance with the law, aids the facility in better protecting PHI, allows for incentive payments if the requirements are met, and allows for greater control of operations than could be established under a paper record system.
Filed under Small Business on Sep 3rd, 2010.