HITECH in Healthcare


The Health Information Technology for Economic and Clinical Health (HITECH) Act is one part of the American Recovery and Reinvestment Act (ARRA), a piece of legislation designed to stimulate the economy. Additionally, its goal was to improve the management and protection of healthcare documents.

Since its inception in 2009, there have been a number of modifications, many of which include detailed explanations of what a violation of HITECH looks like and the penalties for those violations.

What Is HITECH in Healthcare?

HITECH in healthcare stands for Health Information Technology for Economic and Clinical Health. It aptly describes the original intent of the legislation, which was to create jobs and help to spread the use of technology in hospitals and other healthcare settings to manage patient records.

Before the inception of HITECH, only about 10 percent of healthcare facilities maintained patient records electronically. Instead, most had files packed full of medical records going back decades, all of which could be easily accessed by anyone behind the counter.

It was easy for professionals to get busy and leave files on desks, grab the wrong file when intaking a patient, or file a new document in the wrong file and thus put those records and the information they contained at risk.

With the implementation of healthcare technology, medical providers were able to access records via computer and enter their notes directly into the file, making them immediately accessible (and legible!) to patients and to the next provider caring for the patient within the healthcare complex.

How Has the HITECH Act Impacted Healthcare?

HITECH has helped to improve accountability when it comes to managing patient files. Computers can monitor who accesses which files and when as well as what actions were taken on those files, making it easier to identify those who were transferring files carelessly or otherwise exposing them or putting them at risk.

In response, four penalty tiers have been introduced along with specific minimum and maximum fines per violation. Currently, those penalty tiers include the following:

  • Tier 1: Lack of Knowledge
    These violations are incurred due to inexperience or a lack of understanding of how a system works or what should be protected. Penalties are the least severe, ranging from a minimum of $120 to $30,113 per violation, with a max penalty limit per year of $30,133.
  • Tier 2: Reasonable Cause
    These violations may have occurred because the individual or organization thought they had cause for sharing the information. Fines range from the minimum $1,205 to $60,226, with a max annual penalty limit of $120,452.
  • Tier 3: Willful Neglect
    Purposefully breaking the privacy protection of patients or blocking them from access to their files is punishable with a minimum fine of $12,045 and a max penalty of $60,226 per violation, with a max annual penalty limit of $301,130.
  • Tier 4: Willful Neglect Not Corrected Within 30 Days
    Should the willful neglect go uncorrected for more than a month, penalties get severe. Minimum penalties per violation go to $60,226 and maximum penalties can be more than $1.8 million, with an annual penalty limit of $1,806,757.

HITECH Violation Support

If you are facing fines and litigation due to an alleged HITECH violation, reach out to Florida Healthcare Law Firm for assistance today.

Critical Steps to Help Avoid Cybersecurity Attacks

By: Gary Salman, Guest Contributor

Ransomware attacks are impacting the healthcare community’s HIPAA security at a staggering rate. If a practice has data stolen from their network and they did not report the breach to The Office of Civil Rights (OCR), they could be subject to massive fines for the lack of reporting. Specific steps must be followed to determine if ePHI (electronic protected health information) was compromised. This often involves hiring a forensics company and working with a cybersecurity company to harden the practice’s infrastructure. When you are the victim of an attack once, you will most likely be a victim again because of the vulnerabilities in your network that enabled the attack vector (or payload) to infiltrate your system. You cannot simply restore your data and hope for the best.

PHI Breach Penalty Dollars Rolling in for Healthcare Enforcement

By: Dave Davidson

It has been a busy autumn for the enforcement of health care privacy rights. Recent activities range from settling the claim for the largest HIPAA violation in US history, to penalties imposed for filming TV shows, to actions initiated by state governments. All of these actions confirm the serious position taken by regulators nationwide to protect the privacy of protected health information (PHI).

The Big One

On October 15, 2018, Anthem, Inc., an independent licensee of Blue Cross, paid $16 million to settle its claim with the HHS Office of Civil Rights (OCR) for a breach that compromised the PHI of 79 million people. This was the largest reported breach in history. The PHI breach occurred in 2015, when hackers initiated a “spear-phishing” attack via fraudulent emails. The government found that Anthem lacked appropriate information system procedures to identify and respond to security breaches, and minimum access controls to stop these kinds of attacks.

In addition to the financial penalty, Anthem agreed to a corrective action plan, in which it agreed to perform a risk analysis, and incorporate the results of the analysis into its existing processes, in order to achieve a “reasonable and appropriate level” of HIPAA compliance.

This settlement is in addition to the $115 million settlement Anthem reached last year with the victims of the breach.

Expanding the Reach of your Medical Practice through Telemedicine

“Wherever the art of Medicine is loved, there is also a love of Humanity.” ― Hippocrates

By: Shobha Lizaso

The need for healthcare services is growing at an exponential rate throughout the US and across the world, while the number of healthcare providers is dwindling in comparison, which paves the perfect way for telemedicine. The ease of healthcare access should be standard for all people, but many go without healthcare because of their geographic location or lack of funds. From these circumstances, technology has risen as the new champion for the provision of healthcare; technology is building necessary connections between healthcare providers and patients through telemedicine. The field of telemedicine already complements traditional medical care in various ways, and it is expected to continue to expand through the healthcare industry. Some current uses are as follows:

HIPAA Security Basics: Keeping your Medical Web-Based Business Compliant

By: Shobha Lizaso

Medical web-based businesses have been on the rise, while the number of HIPAA enforcement actions by the US Department of Health and Human Services (HHS) has risen exponentially as well. Since the beginning of this year, HHS has announced several large settlements with companies that failed to comply with HIPAA compliance requirements. For example, in January, HHS announced a $2.2 million settlement with a health insurance company when a breach resulted from a stolen portable USB device containing PHI. Also, in February, HHS announced a penalty of $3.2 million against a medical center for a breach that arose from the theft of an unencrypted laptop containing PHI. This enforcement activity is becoming the norm, so it is best to ensure that your medical website is legally compliant.

If you are handling any PHI on or through your website, you must ensure that your website is up to speed with HIPAA compliance. Here are some recommendations to address the security and privacy of PHI that your website may manage (please note that this is not a comprehensive list):

Healthcare Trade Secrets: How to Protect Your Practice’s Trade Secrets

By: Shobha Lizaso

“Prevention is better than cure” is a maxim that has reigned in the healthcare industry for thousands of years; however, this phrase echoes through the halls of the legal profession as well.

Healthcare practices often neglect to appreciate the value of their confidential information as assets and the need to protect these assets. Although HIPAA and HITECH compliance aids in maintaining the confidentiality of patient records, it does not protect a provider’s trade secrets.

Trade secrets of a healthcare practice may include any of the following: patient lists, financial information, contract rates, contract terms, client lists, collection rates, marketing tactics, pricing/discount information, and methods of doing business. If leaked, this information may be used by competitors to secure advantages over a healthcare practice. For example, patient lists could be used to solicit a practice’s patients, or contract rates and terms could be used by a competitor to undercut the rates of a practice.

HIPAA Compliance: Docs, You’ve Been Hacked. What’s Next?

By: Jacqueline Bain

Healthcare providers have heard the HIPAA disaster stories: a laptop containing patient information is left on the counter at the coffee shop; a thumb drive with patient files goes missing; a rogue employee accesses patient information she has no business accessing; hackers get into a practice’s server and hold the patient information for ransom.

HIPAA is a federal law designed for the safe disclosure of patients’ protected health information. The news headlines showcase giant penalties for violations. However, Florida healthcare providers should also know that Florida has its own consumer protection statute, called the Florida Information Protection Act. So while you’re busy worrying about your HIPAA exposure in any of these situations, remember that there is potential State exposure as well.

So what should a healthcare provider do if it believes there has been a hack or some other unauthorized disclosure? Responses vary based on the situation presented, but below is a good jumping-off point:

Fall 2014 HIPAA Audits: Is Your Business Ready?

By: Jackie Bain

Section 13411 of the HITECH Act authorizes and requires the Department of Health & Human Services Office for Civil Rights (“OCR”) to provide for periodic audits to ensure that covered entities and business associates comply with the HIPAA Privacy and Security Rules. OCR conducted its first round of those audits in 2011 and 2012, and has announced that it will begin a second phase. Unlike the first phase of audits, which were limited to covered entities, both covered entities and business associates are intended to be audited during this second phase.

How will audited businesses be selected?

This fall, OCR will deliver pre-audit surveys to between 550 and 800 covered entities. OCR is attempting to obtain a fair snapshot of all covered entities, so these pre-audit surveys will be sent to health care providers, health plans, and health clearinghouses. Moreover, the audits will span the gamut of business sizes, from large corporations to solo practitioners. After pre-audit surveys are returned, OCR will randomly select 350 of those covered entities for a full audit. As a part of these full audits, covered entities will be asked to identify their business associates. OCR will then select 50 business associates to participate.

Federation's Model Telemedicine Policy is Well Timed

Many health policy experts are betting on the expanded role of telemedicine as an essential cost-saving, quality- (and access-) enhancing tool. Yet legal and policy issues have dogged the development of useful telemedicine guidelines, making it difficult to know what’s OK and what’s not. What sort of licensure is required for physicians practicing telemedicine? When is the physician “practicing medicine” vs. “merely consulting”? When is a physician-patient relationship established? Is one even necessary? The newly developed model policy from the Federation of State Medical Boards should help guide states in developing specific telemedicine standards.

Phoning It In – Florida's Brand New Telemedicine Law

By: Jackie Bain

Until recently, the State of Florida has successfully avoided regulating telemedicine to account for advancements in technology. In 2003, the State issued standards for telemedicine prescribing practice for medical doctors and doctors of osteopathy, but had not formally revisited its position in light of increasingly common telemedicine practice in several states – until now.

Florida’s forestalling has officially come to an end. The State recently enacted new physician standards for telemedicine practice, and the State legislature is presently considering further regulation. These new standards do not impinge upon the prior standards for telemedicine prescribing practice, but are issued in conjunction with them.