Hitech Act

HITECH Act & how it impacts physicians, hospitals & you.

Transcript of Hitech Act

Page 1: Hitech Act

The HITECH Act

Privacy and Security

Page 2: Hitech Act

What is the HITECH Act?

On February 17, 2009, the American Recovery and Reinvestment Act of 2009 (ARRA, sometimes referred to as “the stimulus”), which included provisions making significant improvements in the privacy and security standards for health information, was signed into law by the federal government.

Page 3: Hitech Act

What is the HITECH Act?

Included in this law is $19.2 billion, which is intended to be used to increase the use of Electronic Health Records (EHR) by physicians and hospitals; this portion of the bill is called the Health Information Technology for Economic and Clinical Health Act, or HITECH Act.

Page 4: Hitech Act

HITECH Act is directed at

Protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable or indecipherable to unauthorized individuals.

Entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information.

Page 5: Hitech Act

HITECH Act

Requires that patients be notified of any unauthorized acquisition, access, use or disclosure of their unsecured protected health information.

Page 6: Hitech Act

Why did the government pass the law?

Paper information increases the risk of unauthorized access due to human factor risks:

leaving information on desk

leaving information on printer/fax

out where information can be viewed by cleaning people

dumpster incidents

unlocked file cabinets/drawers

shared working areas

Page 7: Hitech Act

Why did the government pass the law?

The HITECH Act defines a breach as an unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information.

Medical privacy breaches continue to be a serious problem for healthcare. Some of the most highly respected healthcare organizations in the country still suffer data breaches, and new breaches make headlines regularly.

Page 8: Hitech Act

Why did the government pass the law?

Research indicates that utilizing EHR would serve to:

Improve patient care

Increase patient safety

Simplify compliance in the US healthcare system

Help cut costs in the long term

Minimize errors

Increase productivity

Increase administrative efficiency

Doctors get quicker access to patient’s information

Patient information can be shared between specialists, primary doctors, nurses on staff

Quicker and more accurate diagnosis

Better care and higher satisfaction

Page 9: Hitech Act

Securing EHR

The U.S. Department of Health and Human Services (DHHS) identifies two methods for rendering “secured”:

Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning to the data unless an individual uses a certain process or has a key

Destruction: secure information found in paper or electronic format

paper or other hard copy media must be shredded or destroyed

Electronic media is to be cleared, purged or destroyed.

consistent with National Institute of Standards and Technology (NIST) standards

Page 10: Hitech Act

Securing EHR

Data at rest (i.e., data that resides in databases, file systems, and other structured storage methods)

Data in motion (i.e., data that is moving through a network, including wireless transmission)

Data disposed (i.e., discarded paper records or recycled electronic media)

Data in use (i.e., data in the process of being created, retrieved, updated, or deleted)

Page 11: Hitech Act

What does the HITECH Act mean to physicians and hospitals?

Up to $44,000 in total incentives per physician under Medicare for “meaningful use” of EHR.

Physicians reimbursed by Medicaid can receive up to $63,500 based on state-defined guidelines.

Hospitals with high Medicare and Medicaid volumes could receive up to $11 million.

These incentives will be paid out over a 4 to 5 year period beginning in 2011.

Page 12: Hitech Act

How do physicians or hospitals qualify for HITECH Act incentives?

Specific requirements have not been issued yet, but we do know that physicians must:

Use a “certified” EHR: the act does not specify what “certification” will mean or who will provide certification.

Demonstrate “meaningful use” of an EHR: includes communication with patients and families (e.g. appointment reminders, access to lab results, etc.).

EHR must:

use e-prescribing: EHR must allow physicians to prescribe over the Internet

electronically exchange information: exchanges of clinical information with labs, hospitals, providers, and payers across the country (including Medicare and Medicaid)

submit clinical quality measures: a set of payer-specific quality measures

Page 13: Hitech Act

What happens if HITECH Act isn’t adopted by physicians or hospitals?

After 2015, further financial incentives will not be available and penalties will kick in.

There will be a 1% reduction in Medicare fees per year, up to 3% by 2017.

Page 14: Hitech Act

Summary

What?

Intended to be used to increase the use of Electronic Health Records (EHR) by physicians and hospitals.

Why?

Risk of unauthorized access

Medical privacy breaches

Patient information can be shared between specialists, primary doctors, nurses on staff

Quicker and more accurate diagnosis

Improve patient care

Increase patient safety

Simplify compliance in the US healthcare system…

Securing EHR

Data at rest

Data in motion

Data disposed

Data in use

Methods

Encryption

Destruction

Physicians and Hospitals

Incentives

Qualifications

Consequences

The HITECH Act is clearly an ideal opportunity for physicians and hospitals that use EHRs effectively to be rewarded and to stimulate adoption for those who aren’t currently using EHRs.