Three Things to Know About HITECH Act

A recently published article in Healthcare IT News highlights aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act that may have escaped your attention.

Titled "Three things you may not know about the HITECH Act...but should", the article hones in on aspects of the rulemaking from the US Department of Health and Human Services that healthcare organizations must follow in determining whether a privacy breach incident meets the requirements to notification.

HITECH is known primarily for the manner in which it motivates healthcare providers to implement electronic health records (EHR) systems. But as more and more of our medical information is going online, the Act also wisely enhanced the privacy and security provisions that are required of healthcare providers and added penalties and enforcement mechanisms for the breach of private healthcare information.

One of the three things you may not know, per this article, is that when your organization experiences a potential privacy incident, that you are required to carry out a "risk assessment" in order to determine the nature of the protected health information (PHI) that was disclosed, and whether it poses a risk of harm to the affected patients.Based on the results of this risk assessment, your organization may or may not be obligated to notify the affected individuals, along with HHS and the media. So this assessment process is very important.

Unfortunately, the risk assessment process is not at as well defined or straightforward as might be hoped. And this gets to one of the 2nd items that you may not know about in HITECH. In carrying out a risk assessment, the goal is to determine whether there is a risk of financial, reputational or other harm to the patients affected. And in this process, not all PHI is created equally, and in fact, you must consider the nature of the information disclosed in a manner that is situationally aware.

For instance, disclosure of a persons name and their medical procedure may not be cause for any risk of harm if the procedure was having a bunion removed. However, if the procedure was for the diagnosis of AIDS, disclosure of this information could result in substantial harm. As a result, it is not just the data types that need to be considered, but the nature of the data and the environment of their release. Not at all straightforward.

And then the 3rd thing that you may not know about HITECH from this article is that its data breach notification provisions don't "preempt" those of each of the states. In fact, if your organization experiences a data breach, you need to assess the requirement to notify and how to notify not just using not just the requirements of HITECH, but also the requirements as stated in state data breach notification laws.

For example, you may find that based on your risk assessment, that HITECH requires notification. But you may also find that in some states, the timeframe for notification is shorter than the 60 days from discovery of incident that is required by HITECH. In other words, you must look at your breach notification requirements both under HITECH as well as under each state law where you have patients that were affected by the incident.

Needless to say, this is a complex process and you would be well advised to document your processes and decisions very carefully. You really don't want to be the target of one of those $1.5MM fines that are beginning to surface.