Hitech: An Acronym For All To Fear
Another day of healthcare reform, another cheeky acronym and another pot of federal funds.
Tomorrow, something called the HITECH Act takes effect. For those of you (like me) who find acronyms ironic because they only serve to make the English language more confusing, HITECH stands for "Health Information Technology for Economic and Clinical Health." For insurance companies and medical providers, it's just another cold day in February. For anyone at any other company that so much as catches a whiff of wet ink on a medical record with their eyes closed, it's going to be pretty crazy at the filing cabinets.
Among the most important of the new HITECH Act mandates is a federal breach notification requirement for stored health information that is not encrypted or otherwise made indecipherable, as well as increasing penalties for violations. Until this law was passed, only two of the 48 states with data breach notification requirements included health information as a specified data type.
Now with the HITECH Act, the entire United States health industry and its business partners must quickly understand and get ready for these new data breach notification requirements. Under HITECH, the HIPAA privacy and security rules were strengthened, with business associates now required to comply as if they were covered entities. Breach notification rules also require business associates to report breaches of protected health information to affected covered entities. That means your attorneys, your accountants, your health insurance companies and their vendors are all liable if your medical record falls into the wrong hands while in their possession.
Ah, but there's also Obama money to be made. In February of 2009, the American Reinvestment and Recovery Act (ARRA) allocated $19 billion in funding for hospitals and clinics that make meaningful use of CCHIT-certified Electronic Medical Record (EMR) systems. Funds under the ARRA can begin flowing as early as October 1, 2010 for hospitals that meet the meaningful use standard. A typical 300-bed hospital can expect as much as $6 million if it qualifies in 2010 or 2011. Hospitals qualifying later than 2015 will receive none of these funds. Hospital administrators are knee-deep in grant applications and filing them faster than I can type these words.
The companies to which the Health Information Technology for Economic and Clinical Health (HITECH) Act applies also include accounting, software, billing and law firms that work directly with medical records through a contract with medical providers. What's more, their own business associates are responsible for updating their vendor contracts for compliance with the HITECH Act, but covered entities (like group health insurance plans) are being advised by the Feds to review their existing agreements to obtain reasonable assurances that business associates have appropriate security measures in place if the privacy breach notification requirements are triggered.
Here is what this all means in theory. Let's say you sue someone for money to pay medical bills you got in a car wreck that wasn't your fault. Your attorney e-mails his or her office assistant a PDF of your hospital discharge record so it can be filed away for court. Next, let's say that office clerk accidentally forwards that e-mail to her boyfriend or anyone else who doesn't have a server that's locked down like Fort Knox. Your attorney, the office clerk and the clerk's boyfriend who got your medical record instead of that Valentine's Day e-card she meant to send can be hauled into court.
Word to the wise, folks: Check your Outlook settings. Maintain your "In" boxes with more regularity. Also, if you're in a small business that comes into contact with any health information, make sure your employees know about HIPAA, HITECH and all those other letters that can get you sued after tomorrow.