When the Health Information Technology for Economic and Clinical Health (HITECH) became law in 2009, legislators envisioned it as both a much-needed technological and economic poke for the healthcare industry. Economic incentives built into the law were supposed to help move hospitals from paper to electronic records.
It did that, in spades. The Office of the National Coordinator for Health Information Technology (ONC) reported in 2016 that the adoption of electronic health records (EHR) in hospitals went from nearly-nothing to almost everyone. But at what cost to the industry?
In this past year, a dramatic increase in enforcement settlements under HIPAA has occurred, new threats to the privacy and security of patient information seem to pop up daily, and further changes in the rules are expected based on the HITECH Act, according to HIPAA expert Jim Sheldon-Dean, who details the current state of HIPAA compliance in his talk for ProfEdOnDemand, “HIPAA Planning for 2018: Focusing on Issues and Planning Compliance Activities.”
Hospitals Going Electronic
Basic EHR use went from 9.4 percent in 2008 to 83.8 percent by the end of 2015, while certified EHR use went from 71.9 percent in 2011 to 96 percent by the end of 2015, ONC discovered. Adoption was swift at small, rural and critical access hospitals, though adoption at children’s (15 percent in 2015) and psychiatric hospitals (55 percent in 2015) was slower. Change was particularly swift in states that had low EHR use in 2008, such as Wyoming, South Dakota and Montana.
“Trends in EHR adoption show increasing use of advanced functionality,” the report added. “In 2015, 8 out of 10 hospitals (84%) adopted EHRs with advanced levels of functionality above Basic EHRs without Clinician Notes; this refers to the adoption of Comprehensive EHRs (40%) and Basic EHRs with Clinician Notes (44 %).”
But adoption of EHR meant different things in different settings, noted Healthcare Analytics News. Many providers used electronic records essentially as a word processing program without much thought for how the records would be shared.
“The concept was brilliant,” Morey Menacker, vice president of New Jersey’s Hackensack Meridian Health’s physician division told Healthcare Analytics News. “The problem is, it was an unregulated process, meaning that all you needed to do was show that you were moving to an [EHR] in order to be able to get compensated.”
HITECH Wall of Shame
In August, the Department of Health and Human Services (HHS) finally moved to tone down what’s known as HIPAA’s Breach Reporting Tool required under the HITECH Act—the so-called “wall of shame”—a legislatively mandated reporting of healthcare data breaches that has been criticized as unnecessarily punitive. And HHS listened.
Rep. Michael Burgess (R-Texas), who is a physician, told FierceHealthcare that the website reporting went too far. “I am supportive of efforts to protect patient information,” Burgess said. “However, I remain concerned by (the Office for Civil Rights’) usage of the Breach Portal and the public exposure of victims. I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”
Updates, reported the Journal of AHIMA, included:
- Enhanced functionality showing breaches under investigation and reported within the last 2 years
- An archive of all older breaches and information about how they were resolved
- Better site navigation
- Tips for consumers
“HHS heard from the public that we needed to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches,” said then-HHS Secretary Tom Price, in July. “To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned consumers.”
Now that chips have appeared in HITECH, and we’ve entered a new age of regulatory détente, what’s next for hospitals under this important piece of legislation?
An Expert in the Field Explores What’s Next For HITECH and HIPAA
In Sheldon-Deal’s audio conference for compliance directors, CEOs, CFOs, privacy officers, security officers, HIPAA officers and health information managers addresses the recent focus on audits and enforcement activities, how to be prepared for enforcement actions and what new rules are on the horizon, including more anticipated changes to the HITECH Act.