Are you noticing any advances in the use of technology by your health care providers?
This time I don’t mean the latest fandangle imaging equipment or surgery done through a scope. I mean health information technology, not diagnostic or treatment technology.
You might be thinking that HIPAA—Health Insurance Portability and Accountability Act—took care of a lot of that. Information flow was a big part of that 1996 legislation. Care and coverage information was supposed to be made available quickly when and where needed, and personal health and health care information was supposed to be kept private and confidential, safe from the eyes of anyone without a valid need to know.
Implementation has been patchy and slow. Providers have complained that it all costs too much during times of budgetary stress. It requires equipment, staff and training. Employers have joined the chorus, with woes of their own.
Then came the Health Information Technology for Economic and Clinical Health Act (HITECH Act). It is part of ARRA, the American Recovery and Reinvestment Act of 2009. Right. Stimulus.
The connection might seem tenuous, but the idea was that incentives were needed to get providers to invest in health care information technology. This funding would accelerate the switch to electronic health record (EHR) systems.
Also, HITECH helps fund the creation of a national health care information infrastructure.
Electronic protected health information (ePHI) is expanding logarithmically, or is supposed to be, and with it, the potential for legal liability over privacy breaches, security failures and communications failures.
A spoonful of sugar helps the medicine go down, and grant fund elixir is known to be a good way to get providers to swallow requirements to get health care and coverage information flowing.
The HITECH Act contains several effective dates, with the earliest having come 12 months after passage—so several were last year.
A widely held view of HIPAA within the health care industry is that enforcement has been lame. The HITECH Act contains language that includes mandatory penalties for “willful neglect.” A provider that is unable to provide a “story” concerning compliance efforts is at risk of financial penalties.
Civil penalties can be as high as $250,000, initially, and ongoing noncompliance can push penalties to $1.5 million.
And it isn’t just health care providers that are under the gun to comply. There are situations in which HIPAA’s civil and criminal penalties can be applied to business associates.
HIPAA does not allow an individual to bring a cause of action against a provider, and neither does the HITECH Act. But it does allow a state attorney general to act on behalf of the state’s residents. And now Health and Human Services (HHS) is required to do periodic audits of providers and their business associates.
These measures are all about putting carrots and sticks in place, enticing and punishing to achieve “enhanced enforcement.”
The HITECH Act requires data breach notification concerning unauthorized disclosures and uses of “unsecured PHI.” These are not unlike various notification requirements concerning personally identifiable financial information data breaches, such as when banking or credit card data are exposed to use or capture by unauthorized persons or entities.
What is “unsecured” personal health information? The basic definition is data that are unencrypted.
Patients must be notified of any breach. A breach involving 500 patients or more must be reported to HHS. HHS posts identities of breached providers on its website. Sometimes the local media are notified.
Privacy and security of patient records have become a priority. Funds have been made available to help providers put the necessary technology in place. Patients and employees are entitled to know the policies and measures in use by their health care providers, insurance companies and employers.
No doubt this is good news to vendors of the requisite technology. I think it’s good news to consumers too.