The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was created in 2009 to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States. The law was signed by then-President Obama on Feb. 17, 2009 and was part of the American Recovery and Reinvestment Act of 2009 (ARRA) economic stimulus bill. ARRA contained incentives related to healthcare information technology in general (e.g. creation of a national health care infrastructure) and contains specific incentives designed to accelerate the adoption of EHR systems among providers. The HITECH Act of 2009 provides the U.S. Department of Health and Human Services (HHS) with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange.
Below are some key aspects that are driving IT solutions within the healthcare industry:
- Enhanced Health Insurance Portability and Accountability Act (HIPAA) Enforcement
- Expanded Breach Notifications
- Improved EHR Access
- Policing Business Associates
The law also regulates the use and dissemination of PHI in four general areas:
- Patient Confidentiality and Privacy
- Data Security and Safeguards
- Types of Information that Cannot be Released
- Codes for Electronic Data Transmission
The $48 million in fines levied so far against healthcare companies for HIPAA violations is significant, as the HHS audit program is self-funded. This creates more audits, fines, and settlements. According to eFax, HHS is increasing its HIPAA enforcement:
Center’s report estimates about 16 million health records were compromised in 2016 — accounting for nearly half of all stolen records that year.
With the increasing attacks on the health industry, you can understand why — as the stats shown here from the Dept. of Health and Human Services’ Office for Civil Rights (responsible for HIPAA compliance) explain — regulators impose steep penalties against covered entities whose noncompliance is determined to have allowed data breaches. Since the OCR began HIPAA enforcement, the agency’s regulators have received 144,000 complaints, resolved 97% of them, and have taken some form of action against 24,617 of the businesses involved.
HIPAA regulations require cloud service providers to ensure that business associates adequately protect PHI. The law goes further to ensure that solutions adhere to the security and privacy provisions set forth in HIPAA and HITECH. However, there is currently no official certification for HIPAA or HITECH Act compliance. At present, Amazon Web Services (AWS) aligns its HIPAA management program with FedRAMP and NIST 800-53, which have higher standards than HIPAA. Microsoft’s Azure cloud services are covered by FedRAMP assessments. It is also the responsibility of the entity or agency using the cloud services to maintain compliance with the applicable laws and to adequately protect PHI as it builds solutions on the cloud infrastructure.