Introduction
Despite tangible progress made throughout the last few decades, the healthcare system of the United States of America is still facing numerous challenges. Recently, there has been a lively discussion as to how modern technology may aid in enhancing the system and making meaningful changes. So far, there have been attempts to address the issues of insurance, patients’ privacy and security, and the storage, processing, and accessing of information. The role of technology in health care has expanded exponentially, and the latest legislation reflects these trends. This essay will discuss HIPAA and HITECH regulations, their impact on the health care system of the US, software implementation, and implications for both facilities and vendors.
The Impact of HIPAA and HITECH Regulations
HIPAA stands for Health Insurance Portability and Accountability Act, and in the legal history of the US, the passing of this law in 1996 continued the overall tendency of protecting privacy that started in the 1970s. For the first time, health records were considered sensitive information, and a set of standardized electronic healthcare transaction codes was created. Despite the inherent value of the idea, the policy generated much controversy, and the opponents deemed it unacceptable that patient consent to disclosing information was often unnecessary (Solove, 2013). Over the years, the implementation of the HIPAA Act has had its difficulties, but there is no doubt that it has had, and continues to have, an impact on patient rights, privacy, use, and disclosure of information.
As for the future of the HIPAA Act, it is projected that enforcement will become ubiquitous and standardized, with each medical facility obliged to conduct Risk Analysis, Risk Mitigation, and policy revision. The Office for Civil Rights of the Department of Health and Human Services imposed Corrective Action Plans that provide comprehensive templates for Risk Analysis and Risk Mitigation plans with which entities have to comply (Parghi, 2017). The HIPAA Act is a federal law, and normally, it preempts state laws in the case of a contradiction.
The HITECH Act (the Health Information Technology for Economic and Clinical Health Act) was implemented in 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The act was passed to encourage broader use of electronic health records (EHR) and support technology in the healthcare system. Nine years have passed since its enactment, and one may already observe some positive outcomes. As Wenn reports in his article (2018), the use of technology has been on the rise, with the share of hospitals using recommended software and hardware amounting to 96%.
Implementation and Ongoing Use of Software Systems
Undoubtedly, compliance is a continuous process, and merely having policies in place is not sufficient for making meaningful changes. The most essential and challenging task is settling on HIPAA-compliant and HIPAA-compliance software. Ever since the passing of the Act 23 years ago, there has been some confusion around these two terms, for both medical facilities and vendors seem to be using them interchangeably.
HIPAA-compliant software helps a facility fulfill a specific duty under the Act, for instance, secure data transfer. HIPAA-compliance software, however, guides a business through its endeavors to meet the requirements. Both types are essential, and a medical facility should be thoughtful and cautious when approaching vendors. Ideally, a Compliance Tracking System should be centralized so that each patient’s data is readily accessible and yet reasonably protected. A system should be sensitive to so-called incidents – a person’s unauthorized attempts to access, use, disclose, or delete information.
Implications for Software and Hardware Vendors
With the passing of the HIPAA Act, the definition of a business associate was expanded, encompassing entities that create, acquire, maintain, and transfer PHI (protected health information). In accordance with the expansion, some software and hardware vendors gained the status of business associates and have had to comply with the HIPAA Act since 2013 (Clark & Bilimoria, 2013). The general rule is as follows: if a vendor provides services on behalf of a medical facility, it takes full responsibility under the Act, and the failure to comply is seen as a violation. However, if an organization merely uses the software and hardware, thus governing its own course of action, the vendor is an independent entity and not exactly subject to the HIPAA Act.
Infrastructure and Organizational Standards
Making a medical facility compliant with the HIPAA Act is a process that should involve every member of the staff and requires heightened awareness and consciousness from the managing board. The first step towards compliance would be choosing privacy and security officers; a small practice could do with the same person fulfilling both roles. The second step is risk assessment, in which a medical facility hires a specialist to check the system for vulnerabilities or does this independently, following HHS guidelines (Hsieh, 2014). Risk assessment is not a one-time procedure: ideally, it should be conducted every two to three years. Lastly, staff training is necessary: every employee should become familiar with the software and hardware and be instructed on their safe use.
Conclusion
Throughout the last twenty years, policymakers of the United States have been taking into account the current needs of the healthcare system and making a conscious effort to address the most pressing issues. Such endeavors led to the passing of two interconnected acts – the 1996 HIPAA Act and the 2009 HITECH Act. Since their emergence, the healthcare system has seen a definite increase in the use of electronic health records. In practice, compliance gives rise to new responsibilities such as risk assessment and staff training. Vendors should also be cautious and aware of the legislation to avoid misconduct and legal issues.
References
Clark, L. W., & Bilimoria, N. M. (2013). How HIPAA final rules affect health information technology vendors. Web.
Hsieh, R. (2014). Improving HIPAA enforcement and protecting patient privacy in a digital healthcare environment. Loyola University Chicago Law Journal, 46(1), 175-223.
Parghi, I. (2017). Where is the future of HIPAA enforcement headed? Web.
Solove, D. J. (2013). HIPAA turns 10: Analyzing the past, present, and future impact. Web.
Wenn, Z. (2018). Is the HITECH Act working? A summary of its effect on healthcare. Web.