HIPAA/HITECH/HITRUST Compliance

While HIPAA gets all of the attention in the healthcare industry, it’s important to understand what’s specifically mandated by HITECH — especially considering that HITECH requires you not to just safeguard Protected Health Information (PHI), but to digitize it and electronically share it with patients and doctors as well. Businesses also need to understand the way HITECH changes and amplifies HIPAA requirements, and come up with file encryption and email compliance solutions that can address both sets of requirements.

HITECH Compliance Basics

HITECH, or the Health Information Technology for Economic and Clinical Health Act, is a 2009 law created to encourage organizations to “promote the adoption and meaningful use” of Electronic Health Records (EHR). HITECH imposes incentives for digitizing medical records and using them to improve the quality of healthcare, as well as penalties for failing to make sufficient use of EHR.

The HITECH Act also toughened penalties and altered enforcement of HIPAA violations, creating four tiers of violations with increasing penalties, up to an annual cap of $1.5 million per violation category. Because of HITECH, entities are subject to penalties even if they didn't know a violation occurred, although such violations fall in the lowest tier. HITECH also lets organizations avoid penalties if a violation was not due to willful neglect and is corrected within 30 days of discovery.

HITECH Compliance Goals

The ultimate goal of HITECH is to promote the use of secure, interoperable EHR throughout the U.S. To do that, it defines three stages of meaningful use, each requiring broader deployment of EHR along with quality and security safeguards.

Stage 1 rules vary somewhat depending on the professional or organization; covered healthcare professionals must meet 15 core objectives, 5 out of 10 "menu" objectives and 6 Clinical Quality Measures (CQMs). Hospitals have 14 core objectives, 5 out of 10 menu objectives and 15 CQMs. Providers are excused from meeting inapplicable standards; for example, chiropractors don't have to use e-prescribing, since they don't write prescriptions.

The core objectives include measures to increase medical quality, such as checking drug interactions and recording and charting vital signs, as well as meaningful use goals, such as deploying and securing EHR.

HITECH Stage 2 requires providers to start using EHRs in sophisticated ways. For HITECH compliance, providers need to use EHR or computer resources to:

  • Support at least five clinical decisions
  • Record over 60% of prescriptions, and 30% of both lab and radiology orders
  • Transmit over 50% of prescriptions
  • Transmit care records when patients are transferred
  • Provide patient-specific education to over 10% of patients
  • Compile and verify an accurate list of medications when patients are transferred
  • Give patients online access to their health records
  • Provide patients a way to communicate securely online, and
  • Track immunization and other public health data.

Protecting electronic health information is a core objective of Stage 2. Providers must conduct or review a security risk analysis under 45 CFR 164.308(a)(1), specifically addressing encryption of ePHI stored in the certified EHR, apply security updates as necessary, and correct any deficiencies the analysis identifies.

HITECH Stage 3 is still being ironed out, and the program as a whole continues to evolve. What won't change, however, is the necessity of using EHR to improve healthcare, and good security to protect patient records.

HITECH and HIPAA Compliance

HITECH requires providers to comply with HIPAA as amended by the 2013 Omnibus Rule, which implemented HITECH's changes (there is no official HIPAA "certification"; compliance is demonstrated through documented risk analysis, safeguards and audits). As mentioned above, HITECH compliance rules have strengthened HIPAA violation penalties, and Stage 3 is likely to further strengthen the security and risk assessment requirements already imposed by HIPAA.

HITECH has also strengthened the HIPAA breach notification rule. Previous HIPAA compliance requirements only required notification when the covered entity saw a significant risk of harm to the party whose Protected Health Information (PHI) had been breached. Now, any impermissible use or disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, and a breach requires notification to the affected individuals, HHS and, in some cases, the media.

HITECH also extended HIPAA compliance requirements directly to business associates, meaning any outside party that creates, receives, maintains or transmits PHI on a covered entity's behalf. That means billing companies, consultants, and IT technicians working on computers that store EHR are on the hook for upholding the same security and privacy standards, and can be penalized in their own right.

Add on the PCI compliance rules healthcare organizations face, and it becomes impossible to handle security in a piecemeal fashion — there’s just too much to account for, and too many overlapping areas. Organizations need to adopt an overall security strategy that addresses all their compliance requirements together.

Securing Meaningful Use

Each stage of meaningful use requirements presents new technological challenges and risks. However, healthcare providers should make sure their security meets their technological needs, not just their HITECH compliance requirements. For most organizations, that means going beyond what HITECH requires.

Although Stage 1 HITECH compliance doesn't specifically mandate encryption (under the HIPAA Security Rule, encryption of ePHI is an "addressable" specification rather than a required one), as a HIPAA-compliant organization you should already be using it for all electronic PHI (ePHI), including EHR and patient communications. Encryption transforms data with a secret key so that it is unreadable to anyone who does not hold that key; the strength of the protection depends on the algorithm, on the key never being stored or sent alongside the data, and on the key itself being kept out of an attacker's reach.

Using file and email encryption also shields you from breach notification requirements, because properly encrypted ePHI counts as "secured" under HHS guidance. If encrypted files are lost or stolen but the keys required to read them are not, the incident generally isn't a breach of unsecured PHI, since the data can't be read. Two caveats matter in practice: the encryption must be consistent with the NIST guidance HHS references (for example, current approved algorithms for data at rest and TLS for data in transit), and the safe harbor does not apply if the decryption key was also exposed. Installing sound encryption tools and spending a few minutes teaching staff to use them could save you from the bad press and hefty fines of a breach.
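To make the "secured" distinction concrete, here is an added example (not code from the original page) of encrypting a single ePHI record with AES-256-GCM in Go, which is one of the authenticated-encryption modes consistent with the NIST guidance HHS cites. The record text, the record identifier and the key source are constructed for illustration; in a real deployment the key would come from a KMS or HSM rather than being generated in the same process, and the identifier is bound in as associated data so a ciphertext copied onto another record fails to decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example, not part of the original page. AES-256-GCM encryption of a
// single ePHI record. Key storage and rotation are assumed to be handled by a
// separate key-management system and are out of scope here.

const keySize = 32 // AES-256

// NewDataKey generates a random 256-bit key. Assumption: in production the key
// comes from a KMS/HSM and is never stored beside the ciphertext it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord returns nonce || ciphertext || tag. recordID is authenticated
// but not encrypted, so the blob is tied to the record it was written for.
func EncryptRecord(key, plaintext []byte, recordID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per message; a nonce must never repeat
	// under the same key, which is one reason keys are rotated.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, yielding nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the key, nonce,
// ciphertext, tag or recordID yields an error rather than corrupted plaintext.
func DecryptRecord(key, blob []byte, recordID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and identifier, not real patient data.
	record := []byte("MRN 000123: Dx J45.20, Rx albuterol 90mcg")
	id := "patient/000123/visit/7"

	blob, err := EncryptRecord(key, record, id)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes): %x\n", len(blob), blob)

	pt, err := DecryptRecord(key, blob, id)
	fmt.Println("correct key, same record:", err == nil && bytes.Equal(pt, record))

	other, _ := NewDataKey()
	_, err = DecryptRecord(other, blob, id)
	fmt.Println("wrong key rejected:", err != nil)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, tampered, id)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point for the breach analysis is the last two checks: without the key, a stolen blob is opaque bytes, and a modified blob is rejected outright instead of yielding subtly wrong clinical data. Losing the key alongside the blob, or reusing a nonce under one key, forfeits both properties, which is why key handling, not the cipher, is where most real-world encryption failures occur.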

Stage 1 also requires organizations to conduct a security risk analysis and correct any deficiencies, as required by the HIPAA Security Rule at 45 CFR 164.308(a)(1). It's not enough to write some new policies; organizations also need to correct workers who compromise security, and track access to EHR and other healthcare data. Your system should log every time someone accesses PHI or other protected data, track changes, and store backup copies, and you should have designated security staff responsible for reviewing those logs and monitoring for security incidents.

As your organization grows more dependent on EHR to improve health outcomes in Stage 2, you’ll need tools to securely and conveniently share data, and communicate with patients and other healthcare providers. Many providers opt to use healthcare portals to communicate with patients and share EHR. They’re fairly secure, but far from convenient. They require new usernames and passwords, tend to have clunky interfaces, and can’t communicate with each other.

If a patient needs to go to another hospital or provider which uses a different portal, you may have no established way to exchange records, and the patient will have to learn multiple systems. This sort of inconvenience is what makes people give up and just send an unencrypted email attachment, breaking HITECH compliance and defeating the purpose of having a portal in the first place.

As for Stage 3, it’s hard to tell what’s coming next. HIPAA and HITECH compliance rules are probably headed for a big change, which may simplify regulations and replace meaningful use with a different standard. What isn’t going to change, however, is the need for secure tools to encrypt EHR and email, and security best practices to prevent and mitigate leaks.

Ongoing HITECH Compliance and Security

There are a lot of problems technology alone can’t solve. For example, encryption can’t prevent your employees from choosing weak passwords, and automatic logouts can’t stop patients from sneaking a glance at a workstation while it’s logged in. Medical organizations need to combine sound auditing, intelligent technology policies and frequent monitoring and feedback to maintain a culture of security.

HIPAA compliance best practices — particularly physical and administrative safeguards — outline how much there is to do outside of IT security. Physically, organizations need to control access to any area where EHR or other PHI is stored; in a small doctor’s office, that could be as simple as keeping patients out of a few areas where computers are used or old records are stored, but in a large hospital, controlling access may require guards, security keycards and facilities monitoring.

Administrative safeguards under HIPAA compliance rules make organizations responsible for good security among their employees and partners. Your security rules need to be spelled out, both internally and in the Business Associate Agreements (BAAs) you sign with partners, and backed up by frequent training.

HITECH compliance, however, doesn’t stop with your organization and partners. You’re required to secure ePHI sent to another hospital or shared with the patient as well. You can only accomplish this with security tools and policies that are easy enough for any patient to use.

HITECH Compliance Requires Tools Anyone Can Use

As the HITECH Act drives the use of EHR, more patients and healthcare professionals are accessing sensitive healthcare information in the cloud.

Unfortunately, not all of these people care about security, or even understand it. More than ever, organizations need security tools that anyone can use.