The Obama administration has pushed the adoption of electronic health records as a way to increase health care efficiency and safety. However, computerized drug orders may need further testing.
The University of Pennsylvania tested software intended to prevent dangerous drug interactions. The software successfully prevented the dispensing of two drugs together that taken in combination could cause dangerous complications.
The software's not ready for prime time yet. It also caused long delays that prevented some patients from getting the drugs they needed.
The study showed that doctors may need simpler methods to override computer blocks when prescribing drugs for patients with HIV and other conditions. For some patients, the prompt administration of both drugs is important.
To help stimulate the economy, the American Recovery and Reinvestment Act into law on February 17, 2009 by President Barack Obama. A large part of the Recovery Act addresses health information technology. It gives incentives for hospitals and business to switch to electronic health record systems. These changes are expected to improve the quality of care and result in cost savings to the health care system.
However, a potential problem with electronic health records and information is they can be easily copied, stolen or compromised. As a result, widespread adoption of such systems won't occur unless the privacy and security of patient information can be protected.
To meet these challenges, the Recovery Act contains significant revisions to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements.
What Is the Purpose of the HITECH ACT?
Some states require a patient be notified if the security of their personal data has been breached. These laws generally cover personal information such as social security numbers, credit card numbers and banking information, etc. However, only a few states have extended such laws to health information. The federal government has now addressed this issue.
There's a need to address threats and risks to this data as more businesses and hospitals electronically store their patients' information. The HITECH Act attempts to address the privacy and security concerns surrounding this information.
The fear is that hospitals may rush to start using the new technology just to receive the benefits under the Recovery Act. However, while hospitals and doctors are given incentives to use new health information technology, they'll also face bigger consequences if a data breach happens. Doctors and hospitals must implement the health information technology quickly but carefully.
How Are HIPAA and the HITECH Act Related?
One of the goals of HIPAA was to encourage individual control over personal health records. However, HIPAA didn't address or regulate the privacy or security of health information held by people who work with personal health records.
What Does the HITECH Act Require?
The HITECH Act includes several new requirements that were implied in HIPAA, such as:
• Notifying individuals when security breaches occur
• Regulating personal health record vendors
• Establishing more duties and penalties for business associates
• Increasing limits on the use and disclosure of protected health information
• Enforcing penalties when a breach has occurred
What Is a Data Breach under the HITECH Act?
A data breach is when a patient's health information is made public or accessed by someone other than authorized personnel. For example, if the computer where the information is stored is stolen or hacked. The HITECH Act has strict standards for notification when such breaches occur. It also extends the group of potential violators to "covered entities." Covered entities are defined as health plans, health care clearinghouses and treatment providers who send or receive electronic information.
These groups must notify you if your protected health information has been accessed, acquired or disclosed as a result of a breach. This notice requirement applies to breaches that occur in both electronic and paper format.
The HITECH Act Extends the Notice Requirement
HITECH addresses privacy and security concerns by extending the notice requirements when a breach occurs, to broader category of people including:
• Personal health record vendors
• Entities that offer products or services through a Web site of a personal health record vendor
• Entities that access information in, or send information to, a personal health record vendor
The Federal Trade Commission (FTC) will govern this aspect of the HITECH Act.
The HITECH Act Extends to Business Associates
Under HIPAA, business associates of health care providers were only indirectly subject to the security requirements. Now, the privacy and security requirements, and the penalties for non-compliance, have been expressly extended to business associates. This means that a breach of an agreement's terms can subject the associate to civil and criminal penalties.
The HITECH Act Sets Limits on Marketing
The HITECH Act also changes how personal health information can be used for marketing. There are specific rules governing the use or disclosure of such information, even for fundraising purposes. Furthermore, the sale of personal health records isn't allowed without authorization from the patient.
Penalties under the HITECH Act
The HITECH Act adds to HIPAA's enforcement capabilities by increasing penalty amounts and requiring formal investigations of potential breaches. It allows state attorneys general to bring civil actions for potential HIPAA violations. There are also fines for violations. The amount of the fine depends on whether the law was violated intentionally or unintentionally and whether the violation was corrected. Penalties can range from $100 to $50,000 per violation.
As a result of the HITECH Act, health care businesses need to evaluate their operations to see how they can comply with its requirements. Finally, you as a patient will likely be enjoying more privacy protections due to the passing of the HITECH Act.
Questions for Your Attorney
• Does my employer have the right to review my medical records under HIPAA or the HITECH Act?
• I think I suffered identity theft and the source may have been health care records; does the HITECH Act offer any relief for my situation?
• If there's a data breach in violation of HITECH, would a provider have to do anything else besides notify a patient?