The HITECH Act is a law that aims to expand the use of electronic health records (EHRs) in the United States. There are a number of provisions of the law that provide direct and indirect incentives to health care providers and consumers to move to EHRs, but the parts of the law of most interest to infosec professionals are those that tighten rules on providers to ensure that EHRs remain private and secure. (HITECH stands for Health Information Technology for Economic and Clinical Health.) Those latter aspects will be the main focus of this article. The law tackles its security and privacy goals by extending the rules laid down by the pre-existing HIPAA law to more and different kinds of businesses, and by adding tougher reporting and enforcement provisions. As a result, much of the regulatory ecosystem that falls under the broad (and expensive) umbrella of HIPAA compliance today is actually a result of the passage of the HITECH Act.

Why was the HITECH Act created and why is it important?

The HITECH Act was part of the larger American Recovery and Reinvestment Act of 2009, which was the stimulus package enacted in the early days of the Obama Administration to inject money into the economy in order to blunt the effects of the Great Recession. The HITECH Act aimed to use some of that government spending to help the health care industry make the expensive leap into using EHRs. The law provided HITECH Act incentives for this purpose, in the form of extra payments to Medicare and Medicaid providers who transitioned to electronic records. This aim of the law can be considered successful, with the number of acute care hospitals deploying EHRs expanding from 28% in 2011 to 84% in 2015.

However, while EHRs held a lot of promise to improve the health care industry, they also made it much faster and easier to transmit personally identifying data between organizations, which had serious implications for privacy and security. As a result, the HITECH Act established a regulatory framework for EHRs that imposed security and privacy requirements not only on medical providers, but also on other companies and organizations they did business with that might also handle EHR data. In particular, there were loopholes in HIPAA when it came to business associates of the medical providers covered by the act. In HIPAA regulatory jargon, business associates are standalone companies that provide support services to medical organizations like billing, scheduling, marketing, or even IT services or software, rather than providing direct medical services to patients. Business associates were theoretically required to adhere to HIPAA’s privacy and security requirements, but under the law those rules couldn’t be enforced directly onto those companies by the U.S. government; enforcement only applied to the medical organizations themselves, who could in cases of violation simply say they were unaware their business associates were noncompliant and avoid punishment. And when medical organizations were found guilty of violating HIPAA, the potential punishment they faced was quite light: $100 for each violation, maxing out at $25,000, which was little more than a slap on the wrist for many large companies. The HITECH Act strengthened HIPAA’s regulations by expanding the number of companies it covered and punishing violations more severely.

Government mandates are set down in broad form by legislation like HIPAA or the HITECH Act, but the details are formulated in sets of regulations called rules that are put together by the relevant executive branch agency, the Health and Human Services Department (HHS) in this case. The Security Rule and the Privacy Rule had been laid down in the ’90s to formalize the mandates set out in HIPAA. In the aftermath of the passage of the HITECH Act in 2009, its mandates were formulated into two rules: the HITECH Enforcement Rule, which set out more stringent enforcement provisions that extended the HIPAA framework, and the Breach Notification Rule, which established that, when personally identifying information was exposed or hacked, the organization responsible for that data had to inform the people involved. (Again, we go into more detail on these two rules in our HIPAA article.) In 2013, the HIPAA Omnibus Rule combined and modernized all the previously mentioned rules into one comprehensive document.