A major thrust of the Health Information Technology for Economic and Clinical Health (HITECH) Act has been to provide incentives for EHR adoption and to accelerate the flow of protected health information (PHI) between providers, patients and other stakeholders to deliver more coordinated, efficient care.In the rush to figure out how to exchange patient information, less attention had been paid to ensuring that the proper controls were in place to make sure the exchange of this information is appropriate, complies with complex and ever-changing regulations, and mitigates the significant risks to hospitals and health systems.
Privacy and Security Regulations
- While some of these critical issues where skimmed over in the initial push for rapid EHR adoption, the government is now addressing them and implementing strict privacy and security regulations. For example, the final Omnibus rule published by the U.S. Department of Health & Human Services (HHS) in January 2013 expands patients' rights and increases provider penalties to a maximum of $1.5 million per violation in a given year.
- In addition to the final Omnibus rule, healthcare organizations will need to address the anticipated changes to the accounting of disclosures (AOD) rules which are likely to reinforce the need to ensure that all access and disclosures across the healthcare enterprise are compliant and properly tracked and reported..
As the stakes are now higher for providers, so are the reported incidents of breaches. Since August of 2009, over 500 breaches each affecting at least 500 patients have been reported to the HHS Office for Civil Rights (OCR) impacting over 21 million patient records -- and the number of major breaches of PHI has grown to epic proportions, increasing more than 21% from 2011 to 2012.