Medical record security is improving under HITECH Act.
By Kent Matthies
January 20, 2010 | Guest Commentary | “It is estimated that 60% of the computer systems containing patient medical records currently in use within the United States are not in compliance with the industry standards for security, audit trails, and electronic signatures,” states industry expert David Nettleton, FDA Compliance Specialist, of Computer System Validation.
With the Health Information Technology for Economic and Clinical Heath Act (HITECH Act) signed into law by President Obama last February, can health care organizations afford to be in that 60% group? The intent of the act is to use IT to improve health care quality and save money, while also strengthening privacy and security laws to protect the health information from misuse. The act provides both incentives for adopting meaningful electronic health records (EHRs) and penalties for not adopting EHRs. Furthermore, the HITECH Act now gives Health and Human Services (HHS) the ability to impose stiffer penalties for Health Insurance Portability and Accountability Act (HIPAA) violations.
The HITECH Act provides for $19 billion in grants and loan funding for incentives for the use of health information technology (HIT). Funds are intended for HIT infrastructure, training, implementation of best practices, and so on. Doctors and hospitals that have plans in place by 2011 are eligible for bonus payments under Medicare and Medicaid programs (bonuses will start to be phased out in 2014). Starting in 2015, health care providers that have not implemented an EHR could see their Medicare payments reduced by one percent, with the amount increasing to five percent by 2018.
The HITECH Act also finally puts some teeth behind HIPAA by providing strong notification of breach language and HHS can impose stiff penalties for HIT violations. Before the act, HIPAA violations could not exceed $100 per violation or $25,000 for all violations of the same provision. Now, violations can range up to $50,000 per violation or $1.5 million for all violations of the same provision. Civil penalties can only be barred by the health care provider if the health care provider corrects unknown violations of HIPAA regulations within 30 days of discovery.
So, although health care providers need to get on the band wagon, they should not do so blindly. The EHR must demonstrate meaningful use that supports compliance with federal and state regulations. Although not yet finalized, meaningful use requires an EHR to be considered certified. That is, it must include patient demographic and clinical health data and have the ability to support clinical decisions, support order entry, record data relevant to health care quality, and exchange and integrate electronic data from other sources. On top of this, the EHR is expected to include electronic prescriptions and must be able to submit clinical quality measures to HHS.
The onus lies on the health care provider, not the software vendor, to ensure compliance with the HITECH Act when implementing an EHR. Health care providers should look for three key aspects from software vendors when researching an EHR:
• The vendor has standard operating procedures (SOP) that provide specific instructions governing both how the company operates and how the software development process is conducted. These SOPs ensure software development is not compromised. The vendor needs to prove the software is designed, developed, and tested using a disciplined, controlled, and fully documented quality assurance methodology.
• The vendor uses a Software Development Life Cycle (SDLC) and documentation process that addresses the requirements of HIPAA and other federal and state regulations such as Title 21 of the Code of Federal Regulations Part 11 and 201 CMR 17.00. These documents will prove that the guidelines and rules for the storage, copying, access, release, auditing, and validation of health information are being followed.
• The software itself contains specific software features, based on current industry standards which address HIPAA & Part 11 requirements, such as patient confidentiality measures, data integrity checks, data security, audit trails, and electronic signatures that include valid statements of intent.
Organizations that are using or are planning to use EHRs should be among the 40% who are compliant. With new standards coming into legislation each year, no health care company needs to experience the ramifications that occur when using software that does not support compliance.
Kent Matthies is a Project Manager with SageKey Software, a Canadian company which specializes in building custom software for the medical industry. He can be reached at firstname.lastname@example.org.