What you are expected to know, but never quite understood...
* HIPAA – Health Insurance Portability and Accountability Act (Clinton, 1996)
* HITECH – Health Information Technology for Economic and Clinical Health Act (Obama, 2009)
The United States Congress passed the Health Insurance Portability and Accountability Act, commonly known as HIPAA in 1996. For the very first time, security standards came into existence to protect health information.
Then, in 2009, the scope and complexity of HIPAA was extended with the presentation of the Health Information Technology for Economic and Clinical Health Act (HITECH).
Both HIPAA and HITECH have risen to great importance with the health industry’s continual acceptance of electronic information systems.
Electronic data date systems and applications and electronic health records (EHRs or EMR’s), have considerably upgraded billing, surveillance and productivity. However, new security threats have arisen as well. As compared to paper charts, electronic health information is at greater risk of being distributed, tampered with or stolen which could lead to public disclosure.
In order to eradicate these threats, strict standards governing security and privacy were implemented by HIPAA and HITECH. Consequently, anyone who transmits any information in electronic form is required to comply with the standards implemented by the Department of Health and Human Services.
Both HIPAA and HITECH are similar rules: They address the safekeeping and discretion of healthcare protocols. Both Acts contain privacy requirements and have numerous effects on research and clinical care. But, the additions are important. For example:
* Section D of the HITECH Act will have significant and varied ramifications on health care participants. Four tiers of culpability and penalty are listed.
* HITECH restructures and strenghtens civil and criminal consequences for non-compliance. These are significant with the fine being $50,000 for each violation, not to exceed $1,500,000 for the calendar year. Prison terms have been issued as well.
* HITECH necessitates justifying the disclosure of PHI (Protected Health Information), even when it is done for healthcare treatment and billing.
What does this mean practically?
Email cannot be used unless it is within a closed and secure system. However, secure email is not only inadequate for retrieval and study, but it is also awkward to use and available only to a few participants tightly controlled within a system. Standard email meets no HIPAA requirements whatsoever. Beyond being public, it is increasingly the fodder of search engines. To place oneself above the law because of the perception of the higher importance of medical care and patient permission is not good for any of us.
There’s a need for a platform that provides an all-inclusive structure to help organizations restructure and systematize all facets of HIPAA/HITECH compliance. Among other things, this would ease time-tracking, email notices and operative effectiveness with the goal of condensing the time and energy necessary for security compliance.
In summary, HIPAA and HITECH are two powerful entities. They should be handled with extreme caution as they are mission critical to America’s healthcare and its people.