
Countdown to the HITECH Act

February 17th, 2010

My role as a secret change agent takes on many disguises. My technology credentials are strong enough to let me move through the nerd community undetected. As technology brings businesses, communities, and people together, I am able to stretch my legs into new areas, using those credentials as a kind of VIP card. Now I find myself in a new, though not unfamiliar, role inside the world of medical legislation. With the official title of IT Coordinator, I now also carry the badge of HIPAA security officer. Take the fast-moving world of technology, mix in government legislation and the medical community, and you have the perfect train wreck for a change agent to prevent.

One year is a lifetime for technology, but one year moves really fast in the world of legislation. HIPAA policy grows out of legislation, meetings and adjustments, a rather painful process from a change agent's perspective, and this year the technology screws were tightened, causing some growing pains throughout the HIPAA community. Tomorrow is the one-year anniversary of the HITECH Act, which is also the deadline for implementing it. Before we celebrate the anniversary, let's run down what this means and what we missed.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was part of the American Recovery and Reinvestment Act (ARRA) of 2009, better known as the economic stimulus plan, signed in February 2009. It set a series of dates and deadlines throughout the year, bringing us to this one-year anniversary on February 18th, 2010, when it goes into effect.

If HIPAA was the neighborhood watch, set up to protect us in the medical world with rules and guidelines, the HITECH Act is Tony Soprano, coming to break your kneecaps if you weren't playing by the rules. It doesn't tell you how to fix everything wrong with your HIPAA policy, but it sets up some pretty strict penalties for when you get it wrong.

Let’s review what happened so far…

February 17, 2009 – HITECH Act Enacted

This set up tiered civil monetary penalties for breaches of PHI (Protected Health Information).
Huh? You mean if I lose a whole bunch of medical records, I have to pay for that?
Not only do you have to pay for it, but that is the first thing the Act says above all else: money will be collected, and must be collected, when a breach is found. Not to worry, because later in 2010 they get to define what to do with that money.

April 20, 2009 – (60 Days)

Health and Human Services (HHS) must publish a list of technologies and methodologies that render PHI "unusable, unreadable or indecipherable" to unauthorized individuals.

Result: the guidance required by section 13402(h) of the Act, which really should be called the "Oh, that's what encryption is" guidance. While the tech industry knew what encryption meant, the medical world didn't want to listen. Frankly, they made up their own interpretation of what encryption was, and it was painful. The short version: data that has only been encoded, compressed, or "scrambled" in a way anyone can undo is not encrypted, and the key that makes encrypted data readable has to live somewhere other than next to the data it protects.
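To make the distinction concrete, here is an added example (my own illustration, not anything from the HHS guidance or from any vendor's product) contrasting the "made-up interpretation" with real encryption. The first function base64-encodes a record, which anyone can reverse with no secret at all. The second seals the same record with AES-256-GCM under a random key: without that key the output is unreadable, and a wrong key or a tampered byte is rejected outright. The patient record is constructed for the example and is not real data; the function names are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed sample record for the example; not real patient data.
const sampleRecord = `{"mrn":"000123","name":"J. Doe","dx":"I10"}`

// ObfuscateWithBase64 is what "encryption" too often meant in practice:
// an encoding that needs no secret to undo. It does NOT satisfy the
// "unusable, unreadable or indecipherable" bar.
func ObfuscateWithBase64(record string) string {
	return base64.StdEncoding.EncodeToString([]byte(record))
}

// RecoverFromBase64 shows why: anyone holding the blob gets the record back.
func RecoverFromBase64(blob string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// NewKey returns a fresh random 256-bit AES key. This key is the secret;
// it must be stored on a different device or location than the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals the record with AES-256-GCM (authenticated encryption).
// Output layout: nonce || ciphertext || tag. The nonce is random per call,
// so encrypting the same record twice yields different blobs.
func Encrypt(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// Decrypt reverses Encrypt. A wrong key or any modified byte fails the
// GCM authentication check and returns an error instead of garbage.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	encoded := ObfuscateWithBase64(sampleRecord)
	back, _ := RecoverFromBase64(encoded)
	fmt.Printf("base64 'protected' record recovered with no key: %s\n", back)

	key, _ := NewKey()
	blob, _ := Encrypt(key, []byte(sampleRecord))
	fmt.Printf("AES-GCM blob (%d bytes) is opaque without the key\n", len(blob))

	wrongKey, _ := NewKey()
	if _, err := Decrypt(wrongKey, blob); err != nil {
		fmt.Println("wrong key rejected:", err)
	}
	pt, _ := Decrypt(key, blob)
	fmt.Printf("right key recovers: %s\n", pt)
}
```

The design point a security officer should take from this is that the key, not the algorithm, is what makes the data "unusable" to whoever walks off with the laptop or backup tape. If the key sits in the same directory, the same database, or the same unencrypted backup as the ciphertext, the data is readable to the thief and the safe harbor does not apply.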

HHS & FTC Guidance Rules

August 18, 2009 – (180 Days)

HHS and FTC must each publish “interim final” regulations on breach notification. These regulations apply to breaches discovered on or after the “interim final” regulations have been published.

Result: Section 13402 of Subtitle D

There is an entire layering system defining who you are required to tell and notify if you lose information, starting with the individuals whose information you lost. It is rather thick, but on the scary side of things, if a breach affects more than 500 individuals you are legally bound to notify prominent news media as well as HHS. The new focus is also on the burden of proof: it is on you to demonstrate that every required notification was actually made.

December 31, 2009 –

Due date for HHS to adopt the first set of standards regarding disclosures and accounting for disclosures. That starts a six-month stopwatch during which those standards must be implemented.

You are going to want to read up on Sec. 13405 for this one. It defines what HHS needs in order to process all of the information they are about to unleash. It covers what needs to be disclosed, what can't be disclosed, how long you need to be able to prove that you disclosed the information, and a few other guidelines to make sure you follow through. I read through it and ran out of whiteboards to draw the number of clauses.

February 18th 2010

This marks the date when everything must be adhered to and organizations are responsible for following the legislation. The HIPAA Survival Guide site has set up a great breakdown of what just happened and what is about to take effect, and does a much better job of tying it all together, but here is the summary of what is happening.

  • Organizations must apply the rules and are accountable for the consequences, and that accountability now extends directly to their business associates.
  • Patient’s right to restrict disclosures to health plans.
  • Deeming of limited data set as satisfying the minimum necessary standard.
  • Patient’s right to electronic access to, and an electronic copy of, their health record.
  • Clarification regarding marketing provisions.
  • Opt-out for fundraising communications; HIPAA's current provisions regarding fundraising remain in full force and effect.
  • Clarification regarding the ability to impose criminal penalties against individuals.
  • Civil monetary penalties and settlements flowing to HHS/OCR (Office for Civil Rights) for enforcement.
  • Requirement for HHS to begin conducting mandatory audits.

The last one is important. No longer does HHS merely hold the right to conduct audits; they are required to. Now that the legislation is in place for the monetary values, they will hold audits, and they will collect your money.

What do I expect to really see out of this? Six months from now, they want to review all of the initial findings from the audits and report back to the federal government. I would predict that things will not be as secure as they "envisioned" when they wrote the Act in the first place. The government will tighten the screws a little more, legislation will react, and we will fall into a cycle that keeps us chasing stronger regulations.

That prediction isn't the whole story, because there are factors in the mix that nobody wants to acknowledge. Without tipping my entire hand, let's just say that my work as a secret change agent is just beginning.

Regardless, nobody wants to be involved in the first round of audits, including the auditors. So expect some scrambling around and tidying up as the first wave reaches the shore.

Categories: IT Perspectives