Anyone dealing with healthcare IT in the US will come across HIPAA and HITECH and HITRUST — and it’s easy to get them confused. They’re interrelated and they all concern health information and they all impact healthcare IT. But that certainly doesn’t mean they’re all the same.
Briefly, HIPAA is a law and compliance is mandatory. HITECH is another law that was subsequently folded into HIPAA. And HITRUST is a voluntary means to ensure compliance with laws such as HIPAA, including its HITECH provisions and any others that might come along. Here’s how it all breaks down:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered a lot of healthcare modernization issues, including provisions addressing insurance and taxes. But when we reference HIPAA in the IT world, we’re generally concerned with details in the Act’s Title II.
HIPAA Title II stipulates national standards for digital healthcare information management and movement. Its intent was to establish comprehensive guidance on the way personal health information (PHI) is maintained, exchanged, and protected from unauthorized exposure and theft in healthcare industries. Since the Act was signed into law at the dawn of the dot.com days, it has naturally required amendment over the years.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was part of the American Recovery and Reinvestment Act of 2009. HITECH allocated $28B to fund greater adoption of electronic health records (EHRs) through incentives, resulting in a massive digitization of health information. It also outlined additional sets of stipulations for digital standardization and added more privacy and security protections for healthcare data enforced by penalties for compliance failures.
HITECH was consolidated into HIPAA Title II in 2013 with the Final Omnibus Rule, which also expanded security and breach notification details and, notably, extended HIPAA-compliance requirements to business associate agreements. A business associate is any entity that “creates, receives, maintains, or transmits protected health information” for a HIPAA-covered entity. So pretty much anyone handling PHI has to comply with HIPAA — not just hospitals and insurance companies.
There are several regulatory compliance requirements that healthcare organizations must follow. Even so, it’s the Health Insurance Portability and Accountability Act (HIPAA) that gets the most recognition. If your organization is involved in the healthcare industry, you should ensure that it complies with the Health Information Technology for Economic and Clinical Health Act (HITECH) as well.
These two compliance requirements are interrelated. HITECH is meant to advance information technology in the healthcare industry while addressing the security and privacy concerns surrounding ePHI. HITECH significantly modified HIPAA and the Social Security Act. As a result, it can be difficult to understand how these regulatory compliance frameworks complement each other.
How HITECH And HIPAA Are Similar
HITECH and HIPAA compliance is overseen by the Health and Human Services Department (HHS). Typically, healthcare organizations tend to focus on HIPAA compliance since it is the backbone of the Privacy Rule that sets national standards regarding PHI and medical record protection. The Privacy Rule was adopted in 2000. Since then, HHS has only made one modification. That was in 2002 when the Privacy Rule was modified to become one of the initial information privacy and security regulations.
The Office of the National Coordinator for Health Information Technology (ONC) is mandated to promote the quality of healthcare by advancing health IT. ONC is also tasked with the role of securing ePHI and establishing procedures for electronic health records (EHRs) to promote privacy.
Therefore, while HITECH and HIPAA complement each other, they are dissimilar. HITECH focuses on information technology as well as the preservation of electronic information, whereas HIPAA dwells on protecting privacy as well as expanding beyond information systems.
How HITECH And HIPAA Differ
Although HITECH and HIPAA have many similarities, the two regulations also differ on various vital details. HITECH was meant to expand HIPAA. Even so, the latter remains focused on addressing privacy and breach notification issues to protect against identity theft and fraud. On the other hand, HITECH differs from HIPAA because it established restructured criminal and civil compliance penalties. Furthermore, HITECH extended HIPAA’s breach notification requirement beyond covered entities to also include business associates.
From an IT perspective, compliance managers ought to focus on the significance of robust encryption. If malicious actors obtain ePHI, effective encryption mitigates the rule violation: if the encryption renders the information unreadable, the organization won’t be fined. Nonetheless, proving that the encryption is effective means complying with the NIST Federal Information Processing Standards (FIPS). Therefore, healthcare regulatory compliance can only be realized if you fully understand your organization’s IT infrastructure.
The healthcare industry is ripe for disruption and transformation. According to McKinsey & Company, U.S. pharma is “in a state of flux.” Seismic shifts are happening, from significant merger and acquisition (M&A) activity to pharmacy store closures to changes in strategic partnerships between major health insurers and pharmacy benefit managers (PBMs), and the seemingly inevitable entry of Amazon into the market. Moreover, the healthcare ecosystem continues to face challenges as it attempts to comply with regulations like HIPAA and HITECH.
During this period of change, McKinsey’s research establishes three imperatives for healthcare businesses to consider. The first is to pursue business models that deliver a lower total cost of care for consumers and employers. The second involves leveraging data aggregation and big data analytics to generate insights and create value, and the third is to put the consumer at the center of everything by creating innovative ways to bring more consumer-driven insights and actions into the business.
The growth in digital health indicates that many businesses are acting on these imperatives and are finding commercial success. The digital health sector currently is estimated at $86.4 billion and is predicted to grow by almost 30 percent year-over-year through 2025. But with such a vast and complex industry like healthcare, it is challenging to appreciate the realities of digital disruption without drilling down into specific sub-sectors and profiling some of the disruptors that are in the process of altering their landscapes.
Following are some examples of how the “value pool” is shifting in this industry, resulting in cost savings for patients through the elimination of waste.
Pharmacy benefit management value pool shifts by removing inefficiencies
Pharmacy benefit management (PBM) includes third-party administrators for prescription drug programs at insurance companies, businesses, self-insured employers and government health plans. PBMs have a vast market valuation of $368 billion, as of 2018, within the U.S. healthcare system and an expected annual growth forecast of more than 9 percent.
Despite the size of the market, however, many PBMs do not have the technical sophistication to flourish in the digital world, which has given rise to companies such as RxSense. Previously a PBM, RxSense pivoted to meet the real-time needs of customers by providing a business-to-business (B2B) digital platform for the whole PBM industry. Its goal is to bypass problems with legacy PBM systems, including a lack of innovation, inefficiencies, inflexibility and challenges around accuracy and transparency.
The next step beyond digitization for players such as RxSense will be the application of artificial intelligence (AI) and machine learning technologies to further increase administrative efficiency, drive down costs and, ultimately, improve clinical outcomes.
The Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in the United States in 1996. The legislation creates data security and privacy requirements for safeguarding medical information. In recent years, HIPAA compliance has become a hot button issue for software developers in the healthcare space, as a number of high profile data breaches compromised millions of patient records across the country.
If you’re developing an eHealth or mobile health app, it is vital that you determine whether your software could be subject to the requirements of HIPAA for medical software applications. Failure to do so could subject you to thousands or even millions of dollars of liability if the use of your application results in an unauthorized disclosure of health information that is protected under HIPAA. Here’s how to tell whether HIPAA applies to you, and how to know if your software is HIPAA compliant.
Does HIPAA apply to me?
Before you start worrying about compliance with the security and privacy requirements of HIPAA, you should determine whether they apply to you and your organization. Both the HIPAA privacy rule and the HIPAA security rule apply to all covered entities under HIPAA, such as health plans, healthcare clearinghouses and healthcare providers. The website of the Centers for Medicare & Medicaid Services offers a Covered Entity Guidance Tool that can help you determine whether your organization is a covered entity.
HIPAA was expanded in 2009 with the introduction of the HITECH Act and again in 2013 with the HIPAA omnibus rule which clarified the responsibilities of business associates of covered entities when it comes to managing privacy and security of patient records. Further guidance was issued in 2016 indicating that cloud service providers would also be covered by the HIPAA privacy, security and breach notification rules.
Software developers in the healthcare space need to tread carefully here – the original regulations of HIPAA that deal with covered entities probably won’t apply to most organizations creating eHealth or mobile health products, but if your app will manage protected health information and share it with any covered entities, such as health plans or doctors, then HIPAA applies to you and you must comply.
If your software collects protected health information from patients but does not share it with a doctor or another covered entity at any point, the HIPAA rules won’t apply to you and you don’t need to worry about compliance.
Required safeguards for software HIPAA compliance
The available data indicates that while theft of computing hardware was the primary cause of healthcare data breaches in 2017, the greatest vulnerability that was exploited was health IT networks. For software developers, the HIPAA security rule is the most likely potential source of compliance issues. The rule mandates three types of safeguards that protect patient data – administrative, physical, and technical. In creating these safeguards, software developers must establish a secure application where authorized personnel have access to the required patient information while unauthorized persons do not. Patient information must also be protected from alteration or destruction.
Administrative safeguards ensure that software administrators who may have access to the data are acting responsibly. If your software stores medical data, anyone with access to that data must be authorized and trained on the ethical and legal requirements of that access. Administrative safeguards include:
Security management process
Information access management
Workforce training and management
Physical safeguards help to mitigate data breaches by ensuring that only authorized users can access the facilities and machines where protected health information is stored. Physical safeguards include managed policies for:
Facility access and control
Workstation and device security
Technical safeguards present the greatest challenge for software developers building HIPAA-compliant products, as software bugs represent the best opportunity for data attacks against your organization. HIPAA does not detail exactly what firewalls, anti-malware devices or encryption tools should be used to secure your software against a data breach, but it does indicate the need for several types of controls:
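As an added illustration (not code from the original article) of the technical safeguards the security rule calls for, the Python below sketches three of them over a toy ePHI record: access control (a role-to-action policy), audit controls (an append-only log of every access attempt, including denials) and integrity protection (an HMAC tag that detects out-of-band alteration). It uses only the standard library; the patient record, roles and MRN are constructed sample values, and encryption at rest, which the rule also expects and which should come from a FIPS-validated module, is deliberately not shown here.

```python
"""Toy model of HIPAA Security Rule technical safeguards: access control,
audit controls and integrity checks over an ePHI record.
Added example, not part of the original page; standard library only."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample record; the MRN, name and diagnosis code are made up.
SAMPLE_RECORD = {"mrn": "MRN-000123", "name": "Test Patient", "dx": ["I10"]}

# Constructed role -> permitted actions policy. In practice this is derived
# from the organisation's information access management process.
POLICY = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "guest": set(),
}


class AccessDenied(PermissionError):
    pass


class IntegrityError(ValueError):
    pass


@dataclass
class PHIStore:
    """Stores records with an HMAC tag so alteration is detectable and keeps
    an append-only audit log of every access attempt, successful or not."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _tag(self, record: dict) -> str:
        # Canonical JSON so the tag does not depend on key order.
        canonical = json.dumps(record, sort_keys=True).encode()
        return hmac.new(self.key, canonical, hashlib.sha256).hexdigest()

    def _audit(self, user, role, action, mrn, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "mrn": mrn, "outcome": outcome,
        })

    def _authorize(self, user, role, action, mrn):
        # Denied attempts are logged too: the audit trail must show who tried.
        if action not in POLICY.get(role, set()):
            self._audit(user, role, action, mrn, "denied")
            raise AccessDenied(f"{user} ({role}) may not {action} {mrn}")

    def write(self, user, role, record):
        mrn = record["mrn"]
        self._authorize(user, role, "write", mrn)
        self._records[mrn] = {"data": dict(record), "tag": self._tag(record)}
        self._audit(user, role, "write", mrn, "ok")

    def read(self, user, role, mrn):
        self._authorize(user, role, "read", mrn)
        entry = self._records[mrn]
        # Constant-time comparison of the stored tag against a fresh one.
        if not hmac.compare_digest(entry["tag"], self._tag(entry["data"])):
            self._audit(user, role, "read", mrn, "integrity_failure")
            raise IntegrityError(f"record {mrn} has been altered")
        self._audit(user, role, "read", mrn, "ok")
        return dict(entry["data"])

    def tamper(self, mrn, **changes):
        """Simulates an out-of-band edit (e.g. a direct database change)
        that bypasses write() and therefore does not refresh the tag."""
        self._records[mrn]["data"].update(changes)


def demo():
    """Runs the three safeguards through one scenario and returns outcomes."""
    store = PHIStore()
    store.write("dr_a", "clinician", SAMPLE_RECORD)
    read_ok = store.read("clerk_b", "billing", "MRN-000123") == SAMPLE_RECORD
    try:
        store.read("visitor", "guest", "MRN-000123")
        denied = False
    except AccessDenied:
        denied = True
    store.tamper("MRN-000123", dx=["Z00.0"])
    try:
        store.read("dr_a", "clinician", "MRN-000123")
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True
    outcomes = [e["outcome"] for e in store.audit_log]
    return {"read_ok": read_ok, "denied": denied,
            "tamper_detected": tamper_detected, "outcomes": outcomes}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit log ends up with four entries (write ok, read ok, denied, integrity_failure), which is the record an investigator would want after an incident: not only who read what, but who was refused and when stored data stopped matching its tag.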
Vice President Joe Biden recently took the stage at Health Datapalooza in Washington, D.C. to discuss where healthcare technology currently stands, and he didn’t hold back. Among other things, he chastised the industry for poor health IT system interoperability and the resulting difficulties it causes providers and patients. “We have to ask ourselves, why are we not progressing more rapidly?” Biden lamented.
Biden’s criticism is only the latest high-profile commentary about the unfulfilled promise of information technology in healthcare. AMA leaders and individual physicians have been grousing about it for years. We’ve seen technology increase efficiency, reduce costs and improve productivity in every other industry – but why not healthcare?
Ironically, seven years after the passage of the HITECH Act of 2009, doctors are less productive than they were before, and IT is the culprit. Rather than enabling a better, more streamlined workflow, IT has become a burden.
The drag that IT is placing on healthcare providers is a principal reason why U.S. Health and Human Services (HHS) Secretary Sylvia Burwell announced with great fanfare at the HIMSS16 conference an “interoperability pledge,” which vendors and providers alike are encouraged to take. Its purpose in part is “to help consumers easily and securely access their electronic health information, direct it to any desired location, learn how their information can be shared and used, and be assured that this information will be effectively and safely used to benefit their health and that of their community.”
This call resonates because the promise of better healthcare through technology has been broken. Technology has changed the way we communicate, the way we shop, the way we watch TV, the way we drive, and the way we interact with our homes. As an industry, healthcare is lagging way behind. The consequences are drastic. In order for us to deliver the kind of holistic care that will truly improve people’s health, it’s time not only to talk about the potential, but to make it a reality for users and providers across the healthcare continuum.
Here’s the reality: we have today what 10 years ago was called a supercomputer in front of physicians – a device that knows virtually everything about the patient – but it isn’t helping out in ways that we take for granted in our everyday lives when we shop online, use Google Maps or order an Uber.
It isn’t that doctors aren’t skilled, intelligent or capable enough—it is that the demands being placed on them are too great.
Time and documentation demands mean that something has to give. As many physicians have pointed out over the years of the HITECH Act’s implementation, the thing that normally “gives” is facetime with patients: actual, hands-on delivery of care and attention. Instead, they are driven to input data for documentation, follow prompts on EHR interfaces, ensure their record-keeping practices will facilitate correct coding for billing, as well as tip-toeing around HIPAA and the explosion of security and privacy vulnerabilities opened up by the shift to digital.
The reality of modern medicine—and especially the rate at which it evolves, grows, and becomes outdated—means that doctors need what most every other industry has already integrated: more brains. Not simply in the form of EHRs for record-sharing, or voice-to-text applications as a substitute for transcriptionists, but as memory-supplements, or second brains.
As a species, humans are also evolving away from memory as a critical element of intelligence, because we now have devices—“smart” devices—always on, always on us, and always connected to the ultimate resources of facts and data.
Our smart devices—phones, tablets, etc.—are gateways to the whole of human knowledge: indexes of information, directories of images, libraries of question-and-answer exchanges. In effect, we are increasingly able and willing to offload “thinking” onto these devices.
Supplement or Supplant?
Depending on the context and application, this trend is both helpful and potentially harmful. For those prone to critical thinking and equipped with analytical skills, offloading some elements of memory to these devices is a question of efficiency. Even better, the more they practice using it, the more effective they become at integrating devices into their cognitive tasks. In others (those less prone to think critically), it is a shortcut that reduces cognitive function altogether: rather than a cognitive extension, the devices act as substitutes for thinking. Similarly, increasing over-reliance on the internet and search engines further diminishes already deficient analytical skills.
The standard roadmap for a medical education entails a lot of memorization—of anatomy, of diseases, of incredible volumes of data to facilitate better clinical performance. It isn’t memorization simply for the sake of recitation, though; it is the foundation for critical thinking in a clinical context. As such, medical professionals ought to be leading candidates for integrating smart devices not as crutches, but as amplifiers of cognition.
So far, that has been far from the dominant trend.
Enter the Machine
Integrating computers as tools is one thing, and even that has proven an uphill battle for physicians: the time and learning curve involved in integrating EHRs alone has proven to be a recurring complaint across the stages of Meaningful Use and implementation.
Patient engagement—another of the myriad buzzwords proliferating in the healthcare industry lately—is another challenge. Some patients are bigger critics of the new, digitally-driven workflows than the most Luddite physicians. On the other hand, some patients are at the bleeding edge of digital integration, and find both care providers and the technology itself moving too slowly.
Last fall, the provisions governing Business Associate Agreements under the HITECH law went into effect. Many covered entities used templates and models offered by professional societies and the Department of Health and Human Services, but it’s becoming increasingly clear that the “model” agreements were simply a stopgap measure, and that organizations that use BAAs need to conduct ongoing reviews of the documents and customize the language to meet the individual needs of their company.
The need for ongoing reviews of business associate agreements stems from an increased focus on compliance, and from audits by the Office for Civil Rights (OCR) in DHHS. In the past, HIPAA compliance audits were limited to specifically covered entities, such as doctors’ offices and hospitals. Using HIPAA-compliant providers like healthcare fax companies to transmit protected data on their encrypted servers has been the best way for health care professionals to avoid audit issues.
However, the provisions of HITECH allow for audits of subcontractors as well, ensuring that they too are complying with the privacy and security policies of the act. Essentially, then, a business associate agreement serves as an agreement by the subcontractor that it will adhere to the rules and standards of HIPAA — and they understand the consequences of noncompliance.
Some argue that the notion of business associate agreements is outdated, given that HITECH holds all subcontractors who have access to HIPAA-protected data to the same privacy and security standards as the covered entity itself, even without the written agreement. The law still states, though, that covered entities must negotiate and maintain compliant BAAs with the companies that have access to their data — even those that may not directly have access to the data.
The simple fact that the OCR is conducting audits of business associate agreements and the companies covered by the agreements, highlights the importance of maintaining up-to-date and comprehensive agreements — meaning that the “boilerplate” agreement that you signed to meet the basic compliance standards may not be enough at this point.
Considerations for Review
Since it’s been a year since the new provisions went into effect, it’s very likely that your BAAs are reasonably up-to-date, and in compliance with the laws. That being said, if you used a template, or you only made minor changes to existing agreements, it’s best to review the agreements you have on file to ensure they comply with current law.
Many experts agree that BAAs should be reviewed at least once a year or more often if they expire, or if there are significant changes to the business relationship.
When reviewing your business associate agreements, there are a few key points to pay close attention to:
It has only been about two generations since traveling medicine shows were common forums for medical information. Phony research and medical claims were used to back up the sale of all kinds of dubious medicines. Potential patients had no real method to determine what was true or false, let alone know what their real medical issues were.
Healthcare has come a long way since those times, but much as patients then did not know what was in the concoctions they were sold or what ailed them, today’s digital-age patients still don’t know what is in their medical records. They need transparency, not secret hospital-vendor contracts and data blocking, like the practices being questioned by the New York Times. One patient, Regina Holliday, resorts to using art to bring awareness to the lack of patients’ access to their own medical records.
There are many reasons patients want access: second opinions, convenience, instant access in a medical emergency and right of ownership—I paid for them, I own them. Other reasons patients need to view their records are accuracy and validity. Inaccurate record keeping has even led the ECRI Institute to cite incorrect or missing data in EHRs and other health IT systems as the second highest safety concern in its annual survey, outlining the Top Ten Safety Concerns for Healthcare Organizations in 2015.
Healthcare system executives, from CIOs to CEOs are very aware of the increasing requirements from patients asking for their records and the various state and federal laws that come into play. However, they are also aware that by making it too easy for patients to access records they risk liability and HIPAA issues. They also don’t want to provide documents that can easily enable cost comparisons or raise questions about charges.
Riding the wave of interest in accessing personal medical records are organizations like GetMyHealthData.org. The organization was founded in June 2015 as a collaborative effort among leading consumer organizations, healthcare experts, former policy makers and technology organizations that believe consumer access to digital health information is an essential cornerstone for better health and better care. It is coordinated by the National Partnership for Women & Families, a non-profit consumer organization. On July 4 it launched #DataIndependenceDay to create awareness of the HIPAA law, which states that patients must be granted access to their health information with very few exceptions. An update to those laws that was finalized in 2013 extends these rights to electronic health records.
Despite the introduction of personal health records (PHRs), Blue Button technology and product introductions from blue chip technology leaders, such as Microsoft and Google, there has been no significant, unifying technology to ignite pent-up demand by consumers for their medical records. This lackluster interest and ongoing interoperability issues might be the unifying force to drive many consumers to consider Personal Health Information Exchanges (PHIEs) as an alternative to EHRs and Health Information Exchanges (HIEs) that unnecessarily duplicate data and risk HIPAA violations.
Will PHIEs Ignite the Patient Record Access Movement?
Frost & Sullivan, in its research report, “Moving beyond the Limitations of Fragmented Solutions Empowering Patients with Integrated, Mobile On-Demand Access to the Health Information Continuum”, identifies personal health information exchanges (PHIEs). They are described as providing individual patients, physicians, and the full spectrum of ancillary providers with immediate, real-time access to medical records regardless of where they are stored by using an open API.
The PHIE can provide access to the entirety of an individual patient record, regardless of the number of sources or EHR systems in which the patient data resides. This technology is made possible through fully interoperable integration servers that can access any EHR system with available APIs and portray the integrated data in a viewable, secure and encrypted format on a mobile device.
By leveraging the powerful simplicity of open APIs, PHIE technology can also access medical records in a way that is much more comprehensive than the closed EMR portals commonly used by doctors’ offices. Despite their pervasive use, these portals are cumbersome and expensive for patients to use. The portals also suffer from the same lack of interoperability that plagues hospital EHR systems.
How many doctors have you seen in your lifetime? Don’t know or remember? You’re not alone – the average American patient will see nearly 19 different doctors during their lifetime. Nineteen different offices. Nineteen different medical charts. Nineteen different phone numbers. Nineteen different calls to track down your records. Now, can you even remember your last five doctors?
The future: Imagine this, you visit your doctor – or any doctor for that matter – and they quickly pull up your medical history. Vaccinations when you were a child? Check. Currently on a hypertensive medication? Check. Pre-disposed to a medical condition? Yep, that’s in there, too. No more arriving 20 minutes early to the doctors’ office to fill out the industry-average seven pages of paper forms. Your records – past and present – are already being reviewed by your trusted provider.
Beyond the sheer convenience, the accuracy and completeness of having your entire medical history available at the fingertips of your provider can impact your well-being and scope of care. Can you accurately remember all procedures you’ve had? And when? Or all the medications you’ve ever taken? With dates? Imagine if you were a senior. Not just daunting, but nearly impossible. Instead of going over just snippets of what you actually remember, your doctor is empowered to holistically review your entire medical history with the potential to make more informed decisions about your health.
Seem like a pipe dream? If you were to ask a mere decade ago, most would have agreed. As recently as 2007, 88 percent of physicians were still charting on paper. And those physicians on an EHR system – who were paying a premium – were almost exclusively using a localized, server-based platform with no connectivity. For cost perspective, according to HealthIT.gov, the average upfront cost of implementing an EHR is $33,000 per provider plus an ongoing fee of $4,000 yearly, a cost-prohibitive amount for most private practices.
Fast forward to 2009 and the passage of the HITECH Act which provided billions of dollars of incentives for providers to implement an electronic health record. In addition to the incentives, new vendors appeared on the market who provided electronic health record platforms completely free-of-charge, allowing providers to reinvest the incentives in their practice as additional staff, new equipment, etc.
Guest post by Michael Simpson, CEO of Caradigm.
It’s been five years since the HITECH Act was enacted as part of ARRA, and while there’s still a lot of debate about the technical details, rules and timelines involved with electronic health record (EHR) adoption and meaningful use, it’s clear that the focus on EHRs – and incenting hospitals and professionals to use EHRs in a meaningful way – represents a critical, foundational step in transforming health care in this country.
After all, meaningful use targets the right goals – goals that every hospital, health system and healthcare professional supports, including improved quality, safety and efficiency of care; reduced disparities; more engaged patients and families as core members of the care team; improved care coordination and population health; and more secure patient health information.
More important, the stages of meaningful use drive a set of progressively more advanced capabilities that are fundamental to achieving those goals. Digitizing data was the first critical step, and the good news is that according to a recent HHS press release, about 60 percent of all hospitals have adopted an advanced EHR, leaving the paper world behind. The next steps are sharing that data – securely – among providers and patients, reporting on quality to understand and improve it, using clinical decision support at the point of care, and many other capabilities critical to transforming care and outcomes. If providers and professionals meet meaningful use requirements, we should see more transparency, greater efficiency, reduced waste and more healthy people in our communities over time.
Stage 2 Challenges
It’s a long and challenging journey, and while hospitals and health systems are making good progress against Stage 1 requirements, very few are prepared for Stage 2. In fact, according to survey data from the American Hospital Association, fewer than 6 percent of hospitals have met the criteria for Stage 2, and only 10 percent have met the requirement for patients to be able to view, download and transmit their health information online.
Why are providers getting stuck as they try to move to Stage 2? Because as the requirements become more demanding – e.g., using clinical decision support, generating patient lists, protecting patient health information, engaging patients – these organizations need a new set of technology capabilities to meet those requirements. These capabilities leverage and extend the functionality and benefits of the EHR.
Moreover, to reach the ultimate goals targeted by Meaningful Use — improved quality, efficiency, outcomes and population health — providers will need to aim even higher than meeting the requirements of meaningful use stages, strategically using data from EHRs and myriad other systems across the care continuum to enable a new level of capabilities.