Dear Healthcare Providers,
I hope this letter finds you well. Last year, the Health Information Technology for Economic and Clinical Health Act (HITECH) became law. The HITECH Act will reimburse eligible professionals up to $44,000 under Medicare and up to $64,000 for purchasing and implementing a qualified EHR system. As you know, XLEMR is making every effort to ensure our software will support the yet-to-be-defined requirements for meaningful use certification.
However, the HITECH Act also expands the scope of HIPAA in terms of penalties, compliance, and enforcement. Until recently, HIPAA has been laxly enforced. The HITECH Act significantly increases the risk exposure of non-compliance. We strongly recommend you begin allocating resources for full HIPAA security rule compliance. Even if you do not wish to participate in HITECH, you still must comply. Please take a moment to review the changes outlined below:
HITECH Stage 1 objective - Ensure adequate privacy and security protections for personal health information (1):
• Goal - Ensure privacy and security protections through operating policies, procedures, and technologies.
• Measures - Conduct or review a security risk analysis, and implement security updates as necessary. (2)
• Full HIPAA security rule compliance is not required for Stage 1. Stage 3 may require full security rule compliance. (3)
Expanded HIPAA requirements under HITECH:
• Mandatory penalties up to $250,000, with repeat violations up to $1.5 million, imposed for “willful neglect.” (4)
• Penalties may extend to business associates. (5)
• State Attorneys General may sue providers on behalf of state residents. Previously, only the Office of Civil Rights was allowed to sue providers. (6)
• HHS is required to conduct periodic audits of covered entities and business associates. Previously, no audits were required. (7)
• Imposes data breach notification requirements for unauthorized uses and disclosures of unsecured PHI. A breach of more than 500 records requires providers to notify HHS. The provider’s name will be posted on the HHS website. Local media may need to be notified. (8)
Please feel free to contact me if you have any questions about the changes to HIPAA law or how this might affect your practice. Again, we strongly recommend you begin working towards full security rule compliance. We would like to offer our consulting services and solutions to help you achieve compliance. Please let us know how we can assist you.
1. Interim Final Rule CMS-0033-P pg 1858
2. ibid pg 1870
3. ibid pg 1858
4. HITECH ACT, DIVISION A: TITLE XIII, Subtitle D, Part 1, 13410
5. HITECH ACT, DIVISION A: TITLE XIII, Subtitle D, Part 1, 13401
6. HITECH ACT, DIVISION A: TITLE XIII, Subtitle D, Part 1, 13410
7. HITECH ACT, DIVISION A: TITLE XIII, Subtitle D, Part 1, 13411
8. HITECH ACT, DIVISION A: TITLE XIII, Subtitle D, Part 1, 13402