The $787 billion American Recovery and Reinvestment Act of 2009 pushed healthcare into a new era of personal health information regulation and enforcement—and companies need to deal with these changes now.
As part of the stimulus law, President Barack Obama and Congress infused billions into the country's struggling economy. Not stopping there, they also set aside $19 billion for healthcare information technology and created new HIPAA regulations through the Health Information Technology for Economic and Clinical Health Act (HITECH). Much of what has been written about HITECH has focused on Medicare reimbursement incentives for healthcare providers who use "certified" electronic health records in a "meaningful way."
There is another piece of HITECH that will have a larger impact on health plans and companies working in the managed care arena—changes to the HIPAA law.
Many of the new healthcare security and privacy requirements created through HITECH will go into effect February 18, 2010, one year after Congress passed the stimulus bill. Over the next year, the feds will issue many new regulations in the area of health IT to resolve questions that remain following the legislation's passage, but companies shouldn't wait to get started.
Colleagues have explored many aspects of the HIPAA changes as they relate to hospitals and physicians, but health plans and—especially—population health, disease management, and wellness companies also face changes.
"This has a profound impact on disease management organizations as well as the healthcare industry," says Reece Hirsch, CIPP, partner at Sonnenschein Nath & Rosenthal LLP in San Francisco, who spoke during a members-only DMAA: The Care Continuum Webinar this week.
Here are the five things you need to know as a health plan, disease management, or population health company executive about the HITECH Act:
1. Federal leaders used stimulus as a way to make HIPAA changes
Washington leaders have debated revising HIPAA for the past decade and legislators used the stimulus bill as a way to finally revamp HIPAA's privacy and security provisions.
David C. Kibbe, MD, MBA, principal of the Kibbe Group and senior advisor for the American Academy of Family Physicians, says these changes are an attempt to protect individual health information while also trying to create better, cheaper, and faster technology. They also place patients in greater control of their health information. He says HITECH stops short of a European-type policy that requires any entity that handles personally identifiable health information to comply with the same privacy and security rules, but it does move the U.S. a step closer to that.
"That day is a little nearer as a result of these changes, but I don't think [lawmakers] wanted to take the time to do that and didn't feel it was actually necessary," says Kibbe.
2. HITECH extends privacy and security rules
The new legislation protects patient information from unauthorized acquisition, access, use, or disclosure.
As so-called covered entities, health insurers will need to work with their multiple vendors to make changes to business associate agreements. For instance, health insurers must incorporate the new privacy and security requirements into agreements and remove amendments from contracts that are no longer necessary under HITECH. They may also need to amend their "notice of privacy practices" to reflect new patient rights to their health information under HITECH, says Hirsch.
Business associates, such as disease management companies, will need to perform those duties and incorporate changes to comply with the same obligations as covered entities.