As part of our compliance series, we go over the history of HIPAA and how it relates to IT managed services.
HIPAA, the Health Insurance Portability and Accountability Act of 1996, was created with the main goals of protecting healthcare information, extending healthcare coverage to employees with pre-existing medical conditions, increasing efficiency, and eliminating abuse of the healthcare system. In an effort to reduce waste and simplify health insurance, the act encouraged the healthcare industry to digitize patient medical records.
All health care providers, health care clearinghouses, and health plans are required to comply with HIPAA, and all organizations that store protected health information (PHI) are required to complete a risk analysis.
The Privacy Rule, which was established in 2003, provided protection of identifying personal health information. The regulation provided instructions on how PHI can be disclosed and what permission is needed from patients.
The Security Rule of 2005 outlined three categories of security safeguards that all organizations that store PHI must abide by. They are:
Administrative: Policies and procedures must be in place to protect PHI and ensure HIPAA is followed
Technical: PHI must be protected when transmitted electronically over open networks
Physical: Physical access to areas where data is stored must be controlled
In 2006, the Enforcement Rule gave the Department of Health the authority to investigate organizations for failure to comply with the Privacy Rule. If an organization is found to have a breach due to not following the regulations outlined in the Security Rule, the Department of Health can issue a fine. Also, the Enforcement Rule gave individuals the ability to pursue civil action against covered entities if their information was disclosed and caused them “serious harm.”
The Health Information Technology for Economic and Clinical Health Act (HITECH) was established in 2009 to incentivize more healthcare organizations to use Electronic Health Records (EHR). This Act also introduced the Meaningful Use Incentive Program. In 2011, this program offered incentive payments from Centers for Medicare & Medicaid Services (CMS) to eligible professionals, hospitals, and critical access hospitals for upgrading, adopting, or implementing meaningful use of certified EHR technology (CEHRT).
CMS states that this program consists of three stages:
Stage 1 set the foundation for the EHR Incentive Programs by establishing requirements for the electronic capture of clinical data, including providing patients with electronic copies of health information.
Stage 2 expanded upon the Stage 1 criteria with a focus on advancing clinical processes and ensuring that the meaningful use of EHRs supported the aims and priorities of the National Quality Strategy. Stage 2 criteria encouraged the use of CEHRT for continuous quality improvement at the point of care and the exchange of information in the most structured format possible.
In October 2015, CMS released a final rule that modified Stage 2 to ease reporting requirements and align with other quality reporting programs. The final rule also established Stage 3 in 2017 and beyond, which focuses on using CEHRT to improve health outcomes.
The latest rule, enacted in 2013, is the HIPAA Final Omnibus Rule. It provides greater protection for a patient’s PHI. It is also part of the American Recovery and Reinvestment Act of 2009 and implements stronger provisions of HITECH. This rule expands patients’ rights and requires business associates (people or organizations that conduct business with covered entities) to provide notice of a breach of unsecured PHI no later than 60 days after the breach is discovered.
The Medicare Access and CHIP Reauthorization Act (MACRA) was passed into law in 2015 and allows physicians to participate in one of two Quality Payment Programs (QPP): either the Merit-based Incentive Payment System (MIPS) or the Advanced Alternative Payment Model (AAPM). Under MIPS, the Advancing Care Information (ACI) performance category replaced Meaningful Use. ACI performance consists of three categories: base score, performance score, and bonus score. The base score makes up 50% of the total score and includes a Security Risk Analysis.
We understand that protecting PHI is vital to the healthcare industry, and as healthcare grows further into the digital age it becomes more difficult for professionals and entities to understand how to run their business under these regulations. As a business associate, we are HIPAA compliant and can provide the tech and consulting services you need to stay compliant. We offer comprehensive HIPAA Security Risk Assessments to help organizations maintain their compliance with HIPAA.