Formulated in 1996 and implemented in 2003, the Health Insurance Portability and Accountability Act (HIPAA) serves to improve the efficiency and effectiveness of the United States healthcare system by not only establishing standards for electronic transmission of health information and ensuring the security of health care information but also instituting principles aimed at protecting the privacy of client-specific medical records and other personal health information (PHI). The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, on its part, serves as the enforcement arm of HIPAA by establishing various penalties and consequences for breaches to the health information of individuals (Agris, 2014; Barlow, 2015). This paper discusses some underlying issues related to the two acts.
Several safeguards can be put in place to reduce fear among individuals who oppose identifiable health data collection, with the most common being to limit access to such information through the use of computer passwords and authorization codes. When the information is in hard copy, it is important to implement mechanisms that ensure the PHI is secured in a locked office or file cabinet that cannot be accessed by unauthorized personnel. Another safeguard entails training professionals to lock computer screens when they are away from their desks to reduce unauthorized access (McKinney, 2009).
The benefits of confidential health data collection far outweigh the risks, as such data are often used by public health agencies to identify disease trends and develop ways to address risks to public health or safety (Barlow, 2015). Consequently, the collection of such information serves a greater public good by enabling health care professionals to develop an adequate understanding of disease patterns and other healthcare-associated issues.
The purpose of HITECH, in my view, is to reinforce the application of HIPAA by not only establishing criminal and civil monetary penalties for breaches to PHI but also instituting obligatory federal security violation reporting requirements for loss of patient or client privacy. The HITECH Act, according to Hecker and Edwards (2014), also provides funding for compliance audits with a view to ensuring that all covered entities (health care providers, health plans, or health care clearinghouses) undertake to protect the privacy and confidentiality of clients’ health information.
The new notification requirements contained in the HITECH Act include (1) providing notice without unreasonable delay and no later than 60 days after a breach of a client’s health information is discovered, (2) notifying prominent media outlets in a jurisdiction if the PHI of more than 500 clients in one state is breached, and (3) notifying the Department of Health and Human Services (HHS) immediately if the PHI of more than 500 clients is breached, and via the annual log of events if the breach affects fewer than 500 clients (Agris, 2014). These notification requirements, in my view, are not sufficient as they do not address the factors that lead to the breach.
The possible HIPAA violations that could occur with portable PHI include unauthorized access to private health information, losing unencrypted data, a lapse in notifications, employee error, and willful neglect. The strategies that should be put in place to minimize the occurrence of these violations include encrypting data, training employees and ensuring adherence to the organization’s security policies and procedures, and destroying the device to ensure that important health information cannot be retrieved (Hecker & Edwards, 2014).
Lastly, to comply with HIPAA, covered entities are required to (1) ensure the protection of the privacy and security of health information, (2) provide clients with predetermined rights and privileges concerning their health information, and (3) have a formal business associate contractual agreement or another arrangement with the business associate stating their terms of reference and how the business associate will comply with the rule requiring the protection of the privacy and security of PHI (Agris, 2014).
Overall, this paper has provided important information and insights on HIPAA and HITECH. Drawing from the discussion, it can be concluded that the two acts are of immense importance in protecting the privacy and confidentiality of health information.
References
Agris, J.L. (2014). Extending the minimum necessary standard to uses and disclosures for treatment. Journal of Law, Medicine & Ethics, 42(2), 263-267.
Barlow, R.D. (2015). Horizon-scanning around HIPAA, HITECH. Health Management Technology, 36(6), 8-11. Web.
Hecker, L.L., & Edwards, A.B. (2014). The impact of HIPAA and HITECH: New standards for confidentiality, security, and documentation for marriage and family therapists. American Journal of Family Therapy, 42(2), 95-113.
McKinney, M. (2009). HIPAA and HITECH: Tighter control of patient data. H&HN: Hospitals & Health Networks, 83(6), 50-52. Web.