
CT Breach Notification Case Proves HITECH's Worth

By dnicastro@hcpro.com | September 28, 2010

Editor's note: Senior editor Dom Nicastro covers the government health information data regulations for HealthLeaders Media and its parent company, HCPro, Inc. In a guest column this week, he writes about how the HITECH act is impacting state-level HIPAA compliance.

HITECH brings to light how much of a better job the healthcare industry must do to protect the privacy of its patients. Take one look at the Office for Civil Rights (OCR) breach notification website—you'll find 166 reasons why this is true.

That website is great to have: It is a public list where healthcare organizations can share lessons learned, analyze numbers and trends, and get a good look at which facilities are making big mistakes, some of which affect millions of patients.

But what's the real take-home when Congress writes a law like HITECH? A law that revamps the HIPAA privacy rules, calls for increased penalties and public scrutiny for violations, and extends the legal power of state attorneys to pursue cases for violators?

Is the goal to instill fear of non-compliance? Is it nabbing a poster child such as Rite Aid, which paid $1 million to settle potential HIPAA violations? Is it keeping entities on their toes for the HITECH-required periodic audits?

 

Those are certainly pluses.

But since HITECH was signed into law on February 17, 2009, the best example of how it's actually worked for the better may be in Connecticut. There, new HITECH powers unleashed a trickle-down effect that ultimately may help that state better comply with HIPAA.

It began back in July, when Connecticut's state attorney general office announced it had reached a settlement with Health Net and its affiliates over the failure last year to secure the private medical records of 1.5 million policyholders and for the insurers' delay in reporting the breach.

The settlement imposed a $250,000 fine on the company for HIPAA and HITECH violations, and requires the insurers to adopt rigorous security and notification measures.

But how does that make other entities better off?

Last month, the Connecticut Insurance Department issued a bulletin that calls for state insurers to notify affected individuals and the state's insurance commissioner of a breach of patient information no later than five calendar days after its discovery.

If HITECH hadn't granted new powers to state attorneys general to pursue lawsuits regarding HIPAA, Connecticut AG Richard Blumenthal would not have gone after Health Net, and that case may never have come to the forefront. And without it, the state's insurance department may never have tightened its belt regarding breach notification.

Dawn McDaniel, a spokesperson for the Connecticut Insurance Department, told HealthLeaders Media in an e-mail that the bulletin is in response to "some recent data breaches, which were not reported in what we believe to be a timely manner."

Though neither OCR nor Connecticut officials would say that the breach notification change in Connecticut is a direct effect of HITECH, OCR did praise Blumenthal's actions. In an e-mail to HealthLeaders Media, an OCR spokesperson called it an illustration of the strong partnership between federal and state regulators envisioned in the HITECH act.

"The Office for Civil Rights at HHS views the actions of the Connecticut state attorney general in the Health Net matter as demonstrating the effective federal-state partnership to HIPAA compliance as envisioned by the HITECH Act," he wrote. "These actions can provide greater protections for the residents of Connecticut, and serve to stimulate a more robust culture of compliance among organizations responsible for protected health information." 

The spokesman called the actual breach notification changes in Connecticut a matter "within state jurisdiction and independent of new HITECH authorities and HIPAA requirements."

Technically, yes. But it's hard to argue that the changes are not at least a residual effect of a HITECH-granted power.

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
