The History of HITECH/HIPAA: Everything You Need to Know
The Establishment of HIPAA
The Health Insurance Portability and Accountability Act, also known as HIPAA, was established on August 21, 1996. HIPAA was created to promote the portability and accountability of health insurance coverage. Consequently, it has affected the way healthcare organizations handle all facets of information management, including reimbursement, coding, security, patient records, and care management. Every practice in the United States that handles protected health information is required comply with these regulations and those developed after the original announcement.
The Importance of HIPAA Today
HIPAA is an important part of healthcare today because it ensures the implementation of safeguards to protect sensitive personal and health information. HIPAA One is dedicated to understanding every aspect of HIPAA regulation and working with our clients to achieve complete compliance. Every organization that handles ePHI needs to have a compliance plan in place that prioritizes the protection and security of health data and patient privacy.
The Introduction of Privacy and Security Standards
On April 14, 2003, the US Department of Health and Human Services released the first HIPAA privacy rule that defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”.
HIPAA Privacy regulation requirements were later introduced to illustrate how PHI was expected to be handled, transferred, received, or shared. Health care providers and organizations, as well as their business associates, were needed to uphold these rules for all forms of PHI.
On April 21, 2005, the HIPAA Security Rule was introduced. This rule directly addresses electronically stored PHI (ePHI) through three security safeguards: physical, administrative, and technical.
- Physical safeguards – Physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.
- Administrative safeguards – Policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures.
- Technical safeguards – Policies and procedures for technology and its use that protect ePHI and control access to it.
HIPAA Regulation Enforcement
In March of 2006, the Enforcement Rule was introduced. The Enforcement Rule allowed the Department of Health and Human Services to investigate covered entities reported for failing to comply with HIPAA regulations. In addition to an investigation, the Enforcement Rule allows the Office for Civil Rights to apply civil charges to entities that did not comply.
The Addition of ARRA and HITECH
In 2009, The American Recovery and Reinvestment Act (ARRA) was implemented and within it was a vital addition to HIPAA enforcement, the Health Information Technology for Economic and Clinical Health Act (HITECH). The HITECH act introduced provisions for health information management, that included all breaches of ePHI affecting more than 500 individuals must be reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). In addition to the Breach Notification Rule, the HITECH act introduced the Meaningful Use incentive program to encourage healthcare organizations to move their records electronic through implementing an Electronic Health Record (EHR). Today, that incentive program is called Promoting Interoperability.
The Final Omnibus Rule
In March of 2013, the Final Omnibus Rule was introduced and with it many final amendments. The Final Omnibus Rule made clarifications to regulations such as HIPAA and HITECH regarding the application of ePHI, as well as the wording within the acts themselves. The Privacy and Security Rules were also amended to modify the appropriate duration for obtaining a patient’s health information. Previously they were permitted to retain the information for 50 years, but the amendment modified this rule to extend indefinitely. Amendments included specifications for changing work practices in technological advances that were not applicable in 1996, such as mobile devices and telehealth.