At this point, you already know about the Obama administration's goals for widespread EHR adoption, about the $19 billion being invested in healthcare IT, and about the carrots being offered to entice hospitals and physicians to play along.
But is that all you know about the Health Information Technology for Economic and Clinical Health, or HITECH, Act? Did you catch the part about stricter HIPAA requirements and stiffer penalties for violations?
There has understandably been a lot of focus on the incentives—$19 billion makes for a big pile of money, after all. But it is so big that it seems to have developed its own gravitational field that has pulled the entire healthcare industry into its orbit, and so big that it casts a shadow over anything too close to it.
Changes to HIPAA understandably haven't been getting as much attention. And while it makes sense for physicians to make EHR implementation a top priority, preparing for these new HIPAA requirements will be part of the process, and physicians should be aware of how they will affect their practices.
The two issues are linked, in fact. With vast amounts of new electronic data come many new opportunities for identity theft and security breaches, and the privacy and security rules are being updated to protect patients in the new digital age. But the rules also apply to paper records in some cases, so physicians across the board will be affected, regardless of the technology they use.
Some of the changes include:
Stricter accounting of disclosures. Physicians using an EHR will have to be able to track any disclosure of a patient's medical information, including disclosures made for treatment and payment. That information must be made available to patients upon request. Before, providers weren't required to constantly track when information was disclosed, but electronic information is in some ways easier to track, and legislators expect providers to know at all times who has accessed data and when they accessed it.
Mandatory publicizing of breaches. If a breach of patient information happens at your practice, the legislation requires you to post information publicly about it if the security breach affects 10 or more patients. If a security breach affects 500 or more patients, practices must notify all of their patients, a local media outlet, and the HHS secretary.
The primary focus for practices should be on preventing breaches from happening in the first place. But leaders should also prepare for worst-case scenarios. How will you handle the fallout if you are required to report a breach to all your patients? Local reporters love these types of stories, so you'd better be prepared to deal with the media as well.
Extension of requirements to business associates. Some of the burden for protecting patient data is now also on business associates that process or handle patient information on behalf of a practice. This includes any third party that has access to a patient's record—consultants, lawyers, and even vendors that offer personal health records. Business associates are now essentially subject to the same rules as practices—they can be fined and must comply with the breach requirements.
Harsher penalties. Although it has caused administrative headaches and major changes to practice structures since its introduction, HIPAA has essentially been a toothless tiger for most of its existence. The specter of fines and penalties was ever-present, but most cases were rarely prosecuted, and most prosecutions were resolved without fine.
That is changing. Seattle-based Providence Health & Services made an initial splash last fall when it was hit with a $100,000 penalty after losing information on about 365,000 home health patients, and more recently CVS was fined $2.25 million after allegedly disposing of patient information in unsecured dumpsters outside stores.
HITECH calls for beefed up enforcement rules and new aggressiveness in assigning fines, which start at $100 and can go as high as $1.5 million. The legislation also empowers state attorney generals to enforce some HIPAA elements, which could lead to more scrutiny from prosecutors looking for high-profile cases.
But, as is the case with many of the new requirements coming out of the stimulus package, the full impact of the HIPAA changes remains to be seen. Much of the legislation hinges on the protection of "unsecured patient health information," but we still don't have a clear-cut definition of that term.
It seems as if many of the requirements can be taken care of by simply encrypting patient data, but again, we're waiting on the details of what types of encryption software are endorsed under the legislation.
So at this point, the changes aren't worth losing a lot of sleep over. The bulk of HIPAA remains the same, and if you were compliant before, it won't be too hard to adapt. At the same time, we may see a wave of new fines and penalties, so the changes shouldn't be ignored, either.