HIPAA

In 1996 the Federal government took on increased regulatory responsibility with the passage of the Health Insurance Portability and Accountability Act (HIPAA). This multifaceted bill was broad in its jurisdiction over both Medicare and American health care in general, as it sought to provide new federal rules improving continuity or “portability” of coverage in the large group, small group, and individual health insurance markets, while reinforcing the need to protect the privacy of patient health records.

Combining a group of disparate issues, Title I of HIPAA amended the Public Health Service Act, the Employee Retirement Income Security Act of 1974 (ERISA), and the Internal Revenue Code of 1986. In doing so, it strove to regulate the availability and scope of group health plans and many individual health insurance policies, including the protection of health coverage for workers and their families who have lost or changed jobs. Further provisions also limited a group health plan’s ability to restrict coverage for preexisting conditions.

Title II, also known as the Administrative Simplification Provisions, focused on creating a set of national standards for electronic health care transactions and national identifiers for health insurance plans, providers, and employees alike. Recognizing the value of well-utilized electronic health records in increasing efficiency throughout the health care system, Title II tasked the Department of Health and Human Services (DHHS) with implementing national standards for the use and dissemination of electronic medical data.

Once accomplished, health providers were instructed to comply with HIPAA’s Privacy and Security Acts by 2003 or risk severe financial penalties. As a result, many health care facilities sought help from a variety of for-profit HIPAA consultants who were familiar with the complexities of this far-reaching bill and capable of guaranteeing compliance for a price. This in turn added to the already extensive costs forced onto hospitals and medical practices as a result of HIPAA’s passage, including the need to reorganize systems and infrastructure to comply with electronic health data privacy standards and an increase in staffing to address the myriad requirements of its legislation.

With the passage of the American Recovery and Reinvestment Act of 2009 (ARRA), certain standards governing electronic health care transactions under HIPAA were strengthened and fine-tuned under the Health Information Technology for Economic and Clinical Health Act (HITECH). Seeking to protect patient privacy and tighten the rules of accountability for the sharing of a patient’s medical information, HITECH will undoubtedly have a dramatic effect on the ways in which medical files are shared in the years to come.

Under HIPAA, a covered entity was able to disclose protected health information (PHI) to a business associate without a patient’s authorization if the business associate provided the covered entity with satisfactory assurance that it would appropriately safeguard the information. These assurances were to be documented in a written contract, often referred to as a business associate agreement (BAA), that met certain regulatory requirements. Prior to HITECH, although a covered entity was required to impose certain requirements on its business associates via contract, business associates were not regulated directly by the DHHS or its Office of Civil Rights (OCR).

However, the introduction of HITECH changed these rules. With an eye toward expanding liability, HITECH makes most of the HIPAA Security Rule requirements directly applicable to business associates as well, including direct regulation by the OCR and enhanced penalties for HIPAA violations. Among other things, after February 17, 2010, HITECH required a business associate to:

  • Implement reasonable and appropriate written policies and procedures
  • Develop a system for identifying breaches and notify covered entities following discovery of a breach of unsecured PHI
  • Mitigate any harms from the inappropriate use or disclosure of PHI
  • Train its workforce
  • Develop a sanctions policy
  • Establish safeguards
  • Develop and implement a complaint system

On January 13, 2010, CMS proposed the adoption of a more specific definition of what was to constitute “meaningful use” of electronic health records (EHRs), while also implementing financial incentive programs through Medicare and Medicaid that would reward or penalize hospitals and physicians for their ability to institute certified EHRs within an established time frame. Such a proposal drew on the strength of the newly passed HITECH Act, which required the Secretary of DHHS to establish such a definition.

CMS proposed that hospitals adopt this new ruling on “meaningful use” in three stages of increasing technological sophistication. Although most hospitals will only need to meet Stage One requirements for a 90-day contiguous period during the first year to receive incentive payments, they will in the future need to continue to enhance their EHR capability in order to continue to receive incentive payments and avoid penalties beginning in 2015.

These stages include:

Stage One “meaningful use” criteria focus on electronically capturing health information in a coded format; using that information to track key clinical conditions and communicating that information for care coordination purposes; implementing clinical decision support tools to facilitate disease and medication management, consistent with other provisions of Medicare and Medicaid law; and reporting clinical quality measures and public health information.

Stage Two will encourage the use of health IT for continuous quality improvement at the point of care and the exchange of information in the most structured format possible, such as the electronic transmission of orders entered using computerized provider order entry (CPOE) and the electronic transmission of diagnostic test results such as blood tests, microbiology, urinalysis, pathology tests, radiology, cardiac imaging, nuclear medicine tests, pulmonary function tests and other such data needed to diagnose and treat disease.

Stage Three will focus on promoting improvements in quality, safety and efficiency, as well as decision support for national high-priority conditions, patient access to self-management tools, access to comprehensive patient data and improving population health.

While many praise this bold step to protect patient privacy, the reality is that the burdens placed on health care facilities as a result of mandated HITECH compliance are a great cause for concern for America’s hospitals. From a financial standpoint, by requiring compliance with the Privacy and Security Provisions, the federal government has in effect forced most medical centers to change their methods of operation and taxed their resources to include additional staff, technology, and infrastructure.

Additionally, concomitant regulations have placed greater barriers on medical research and development by disallowing retrospective chart-based surveys and follow-up evaluations. Furthermore, the heavy price for non-compliance has naturally made many medical facilities wary of sharing patient information, regardless of their right to do so, which in turn leads to restricted access to legally shared, anonymous data. It seems the price for privacy is high when it comes to health care.