HITECH Compliance Deadline Approaching

Medical breach notification law effective Feb. 22
February 16, 2010

The deadline for compliance with the Health Information Technology for Economic and Clinical Health (HITECH) Act is fast approaching. Health care providers should review their policies and agreements with vendors that handle patient information by Feb. 17. On Feb. 22, the centerpiece of HITECH, the breach-notification requirement, goes into effect.

HITECH was included in last year’s federal stimulus package and aims to update the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which, among other things, paved the way for the switch to more electronic health records.

To address the inherent privacy concerns related to this changeover, HITECH allowed the Department of Health and Human Services to establish the guidelines under which providers like hospitals and doctors’ offices must notify patients of a data breach. In its interim final rule on notification, HHS set a high “harm threshold”: Providers can perform their own risk evaluations and only have to alert patients – and in some cases the local media – if the breach poses some harm to the individuals. Institutions found to be in violation of the law’s data protection provisions may be fined.

There’s no doubt patient privacy should rank among the concerns of any medical practice. Among the myriad organizational data breaches that resulted in the exposure of millions of Americans’ personally identifiable information (PII) or protected health information in 2009 were those involving hospitals, health insurance providers, managed care providers and major pharmacy retailers. The breaches result from any number of scenarios, among them improper disposal or failure to destroy documents, a lost or stolen laptop or data storage device, and even hackers who infiltrated improperly secured networks. Overall, medical industry data breaches affected nearly 3 million confirmed individuals throughout the U.S. in 2009 alone.

The intent of the HITECH Act is to spur health care providers and insurers to improve the way they handle consumers’ personally identifiable information or protected health information (PHI). Any progress on this front is a good thing.

©2003-2010 Identity Theft 911, LLC. All rights reserved.
