Healthcare legislation is created to improve access to care and depends on the use of the information technologies that we have available at the point of care. Our electronic health records (EHRs) are connected to the Internet. From that perspective, we must be concerned with protected health information (PHI) so that it is secure when used or shared with other healthcare providers. Two important pieces of legislation enacted to protect PHI include the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. “It is important to be aware that the HITECH Act and HIPAA are separate and independent laws. However, because some provisions of HITECH strengthened existing HIPAA standards and mandated breach notifications, HITECH is often (incorrectly) regarded as part of HIPAA” (HIPAA Journal, 2023).
Definition: Protected health information (PHI) is defined as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records (National Institutes of Health, 2007b)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law requiring the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge (Centers for Disease Control and Prevention, 2022b). HIPAA privacy and security rules grew out of two statutes in the 1970s that addressed the concerns for confidential patient information: first the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 and then the Drug Abuse Prevention, Treatment, and Rehabilitation Act of 1972 (Health & Human Services, 1994). Protecting the identities of people seeking treatment for addiction was a catalyst for our “current need to know” policies that define many of our information security strategies. HIPAA was signed into law in 1996 to protect the health insurance coverage of people when they change or lose their employment. In addition, HIPAA created standards for electronic healthcare transactions and national identifiers for healthcare providers, insurers, and employers (HealthIT, 2021b).
I. HIPAA Privacy and Security Standards
HIPAA Privacy Rule: Establishes national standards to protect individuals’ medical records and other personal health information. It applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically. The rule applies safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures of such information without patient authorization. The rule also gives patients rights over their own health information, including the right to examine and obtain a copy of their records and request corrections (Health Information Management Systems Society, 2021).
HIPAA Security Rule: Sets national standards for protecting the confidentiality, integrity, and availability of electronically protected health information. Compliance with the Security Rule was required as of April 20, 2005. The rule addresses the technical and non-technical safeguards that “covered entities” must have to secure an individual’s electronic health information. Before HIPAA, there were no generally accepted requirements or security standards for protecting health information (Health Information Management Systems Society, 2021).
II. Covered Entities
Protecting electronic patient information requires a definition of who is required to follow HIPAA privacy and security requirements. Under HIPAA, only a covered entity is required to be HIPAA-compliant and responsible for data breaches. For example, if a clearinghouse processes or facilitates the processing of health information from nonstandard or standard formats into standard or nonstandard formats, this qualifies them as a covered entity. Private group healthcare benefit plans and insurers that provide or pay for the cost of medical care qualify these groups as a covered entity. An exception is if the benefit plan has less than 50 participants and is self-administered, it is not a covered entity. Supplemental Medicare policies and health maintenance organizations (HMOs) are covered entities. Considering these definitions, health insurance companies, HMOs, employer-sponsored health plans, Medicare, Medicaid, military, and veteran’s health programs are covered entities. Health Data Clearinghouses, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies are covered entities. Suppose a covered entity uses the services of a third party, such as a Cloud Service Provider. In that case, they must have a written business associates agreement (BAA) contract that establishes what this third party has been engaged to do, and the BAA must require compliance with HIPAA regulations. Some other examples are a third party that helps with health plan claims processing, utilization review consultants, and independent medical transcriptionist services for physicians (CMS, 2021b).
Before HIPAA became law in 1996, there was no accepted standard for protecting health information. CMS outlined the policies and procedures needed to protect patient information. Security is one of the primary concerns organizations have in protecting patient health information (PHI), and sharing it with other organizations in health information exchanges. Three security safeguards are used to secure an organization’s protected health data: administrative, physical, and technical.
- Administrative safeguards demonstrate appropriate written policies, procedures, and job descriptions, including sanctions for violations, so staff are aware and can be properly trained.
- Physical safeguards define user access, training, disaster planning, backup, facility inventory, safeguards for unauthorized physical access or tampering, and contingency plans.
- Technical safeguards include unique user-identified password policies, user access allowed, automatic log-off, email policies, encryption, and data transmission protocols.
Considering organizational requirements, they must include the use of Business Associates Agreements (BAAs) that identify and control the amount of access a vendor could have to protected health information (CMS, 2016). However, with the increased adoption of EHRs to gather patient health information, there is also an increased vulnerability to data breaches. HIPAA administrative, technical, and physical safeguards must be implemented to keep protected health information (PHI) confidential, private, and secure (HealthIT, 2017).
Inside the healthcare organization, security training for all staff accessing the information system is critical to protecting health information. The threats to information security can be intentional or unintentional. The threat source is either internal or external to the organization. Intentional exposure of patient information without authorization can result from a hacker or a disgruntled employee using malicious software – malware. Intentional destruction of data or network disruption can result from various forms of malware, including viruses, Trojan Horses, spyware, worms, Ransomware, and rootkits. Organizations must provide, at a minimum, annual security training so that the health information systems that staff are using are less likely to be compromised (Conn, 2016). In addition, the appropriate password complexity and security must be enforced for each user of the system. The security precautions to prevent an internal breach include not sharing passwords and not downloading information or unauthorized software from insecure or forbidden sites.
The U.S. Department of Health and Human Services (2019) provides security resources for healthcare organizations and providers. The first step is to create an organizational culture committed to HIPAA privacy and security requirements. Next, it is important to perform a security risk analysis by reviewing policies, procedures, and staff activities related to the HIPAA Security Rule, then document the risk analysis processes. Developing an action plan that helps manage and mitigate the risks identified in the analysis is also important.
The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), which was part of the American Recovery and Reinvestment Act of 2009 (ARRA), provided the Department of Health and Human Services (HHS) the authority to create programs that would improve quality, safety, and efficiency in the exchange of health information (U.S. Department of Health and Human Services, 2017). HITECH expanded the adoption of health information technology, such as EHRs, by providing funding through incentive payments authorized by Medicare and Medicaid. This funding was provided to hospitals and clinicians who could demonstrate the “meaningful use” of EHRs by integrating clinical quality measures in patient care (U.S. Department of Health and Human Services, 2017).
Definition: Meaningful use is defined as “the use of certified electronic health record by healthcare providers to improve the safety, efficiency, and quality of care. It includes the:
Use of certified EHR technology in a meaningful manner (e.g., e-prescribing).
Use of certified EHR technology in a manner that provides for electronic exchange of health information to improve the quality of care.
Use of certified EHR technology to submit clinical quality measures (CQM) and other measures.” (Henricks, 2011)
HITECH not only encouraged the adoption of Certified EHRs but also removed loopholes in HIPAA by making the language describing HIPAA Rules more robust (HealthIT, 2015; HIPAA Journal, 2023). For example:
Prior to the HITECH Act of 2009, there was no enforcement of a written business associates agreement (BAA), and covered entities could avoid sanctions in the event of a breach of PHI by a Business Associate by claiming they did not know the Business Associate was not HIPAA-compliant. Since Business Associates could not be fined directly for HIPAA violations, many failed to meet the standards demanded by HIPAA and were placing millions of health records at risk. (HIPAA Journal, 2023)
From 2011 through 2016, the EHR incentives were available to eligible care providers who met the criteria defined by Medicare and Medicaid (Burke, 2010). The Medicare incentives were available to hospitals that received payments under the Inpatient Prospective Payment System (IPPS), critical access hospitals, and Medicare advantage. The eligible professionals were medical or osteopathy doctors, dental surgeons, podiatrists, doctors of optometry, and chiropractors. Medicaid incentives were available to acute care, critical access, children’s, and cancer hospitals in which Medicaid patients comprised at least 10% of their patient volume. Eligible professionals are physicians, nurse practitioners, certified nurse-midwives, dentists, and physician assistants working in a federally qualified health center or rural health clinic (Centers for Medicare & Medicaid Services [CMS], 2010).
To be eligible for the incentive payments, the participants must demonstrate the meaningful use of the certified EHR to improve the quality of healthcare by achieving clinical quality measures to meet meaningful use objectives. The Meaningful Use Incentive Program included privacy and security requirements that PHI would be protected from unauthorized access and that the patients would have access to their medical information (HealthIT, 2015).
According to the HIPAA Journal (2023):
In April 2018, CMS renamed the Meaningful Use incentive program the Promoting Interoperability Program. The change moved the program’s focus beyond the requirements of Meaningful Use to the interoperability of EHRs to improve data collection and submission, and patient access to health information.
EHR Interoperability enables better workflows and reduced ambiguity and allows data transfer among EHR systems and health care stakeholders. Ultimately, an interoperable environment improves healthcare delivery by making the right data available at the right time to the right people.
Review fact sheet (CMS, 2021c): Medicare Promoting Interoperability 2021