The Path to Paperless
HITECH Now Complicates HIPAA
Part 1: New Law Protects Electronic Information
By Peter J. Polack, MD, FACS
As if physicians didn't have enough to concern themselves with regarding HIPAA, new healthcare legal guidelines are about to make things much more complicated. But first, let's examine some history of the regulations regarding the protection of patient information.
HIPAA (the Healthcare Information Portability and Accountability Act) has provisions requiring the safeguarding of “protected health information” (PHI). Specifically, this sets out the rules for encryption of the data so that if it falls in the wrong hands, the information will still be safe and sound. That's certainly fair enough. But just what kinds of data are covered under this definition? We'll discuss that a bit later in this column.
The HITECH Complication
Enter the HITECH Act (Health Information Technology for Economic and Clinical Health), part of the 2009 stimulus bill. With it comes another set of verbiage regarding protection of PHI data. Now, the HITECH Act itself doesn't require encryption of the data. It specifies the kinds of encryption that make the data secure. For guidance on the specific requirements, HITECH punts back to HIPAA.
But what HITECH has done is to allow for sizeable increases in fines for violating provisions of HIPAA for not only “covered entities” such as medical practices, but also for what are known as business associates, those entities such as medical supply vendors who work with covered entities.
Practices should be careful with whom they make formal contractual agreements, specifically if those parties have any access to patient information; any infringement on the part of a business associate may bring investigators to your front door.
HITECH also sets more stringent provisions for what are known as breach notifications. Entities who have had data compromised are required to advise patients if there has been any kind of unauthorized acquisition, access, use or disclosure of their “unsecured” PHI. Unsecured in this case is defined as information not protected by technology that renders it unreadable or indecipherable.
HITECH Enforcement
The HITECH Act has also amended the HIPAA regulations to allow for enforcement and prosecution through the Department of Health and Human Services' Office of Civil Rights (OCR). They can levy fines from $100 to $50,000 per violation, and up to $1.5 million per calendar year. And through this office, the state attorneys general have been given clear authority to prosecute healthcare providers for “criminal penalties” — and they get to keep part of the collected fines.
The problem is that there is much discrepancy between the two pieces of legislation concerning not only what information must be protected but also how that is to be accomplished. And the statutes have not quite caught up with the legislation. But for those who believe that this is just a bunch of bluster, a precedent has already been set: a UCLA researcher who was a licensed surgeon in China was sentenced to four months in jail for illegally accessing patient electronic records.
In Part 2, we'll discuss what kinds of data should be protected and how to go about complying with the new regulations.
Next: Part 2: HIPAA and the Security of Electronic Data.
In a multipart series, Dr. Polack is describing how an 11-physician practice, Ocala Eye in Ocala, Fla., with five locations and 140 employees, makes the major transition from paper medical records to EMR. During the course of the series, Dr. Polack will provide readers with a “real-time” look at how the implementation is progressing. Dr. Polack can be reached at ppolack@ocalaeye.com.
Peter J. Polack, MD, FACS, is co-managing partner for Ocala Eye, a multisubspecialty ophthalmology practice located in Ocala, Fla. He is also founder of Emedikon, an online practice management resource for physicians and administrators.