EHRs at the Crossroads: The HITECH Act Meets HIPAA

The high cost of implementing and maintaining electronic health records (EHRs) has been a major barrier to EHR adoption in most U.S. hospitals and physician practices. But as President Barack Obama and Congress push to expand EHR use through financial incentives in the American Recovery and Reinvestment Act (ARRA), otherwise known as the federal stimulus bill, healthcare facilities and physicians stand on the brink of change. The president and Congress view adoption of health information technology (HIT) and EHR use as means to reduce waste and inefficiency in the provision of healthcare, improve the quality of healthcare, and curb preventable medical error. Accordingly, the stimulus bill appropriates approximately $19 billion to spur HIT adoption, a measure that is expected to significantly boost EHR use in healthcare institutions and physician office practices over the next eight years.

On February 17, 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act, administered by the Office of the National Coordinator for Health Information Technology in the U.S. Department of Health and Human Services (HHS), was enacted as Title XIII of ARRA. The act provides Medicare and Medicaid reimbursement bonuses to hospitals, long-term care facilities, home health entities, ambulatory care centers, physician group practices, individual physicians, laboratories, and clinics, among other eligible healthcare providers that use EHRs.

But as EHR use increases and incidents of healthcare information privacy breaches continue, concern exists that the wealth of personal information contained in EHRs—and the ease with which they may be accessed and shared—makes EHRs easy targets for security and privacy breaches and identity theft. To keep pace with these risks, legal mandates provided in the HITECH Act strengthen the health information privacy and security regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and plug perceived gaps in the HIPAA regulations. Additionally, in an effort to thwart medical identity theft, the Federal Trade Commission (FTC) issued regulations that require most healthcare providers to take preventive measures.

For reference, see [Speaking of the...