Secure HIPAA-Compliant Hosted Solution

Our servers are in a telco-class HIPAA compliant data center in Austin, Texas. Features include:

  • FIPS 140-2 encryption standards employed at rest and in transit
  • HIPAA compliant
  • Secure, web-based, hosted solution
  • No hardware to purchase
  • Highly available platform accessible from anywhere with an internet connection
  • Support for all browsers and iOS and Android devices

The Health Information Technology for Economic and Clinical Health Act  (HITECH) is part of the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA contains incentives related to health care information technology in general (e.g. creation of a national health care infrastructure) and contains specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers.

Because this legislation anticipates a massive expansion in the exchange of electronic protected health information (ePHI), the HITECH Act Text also widens the scope of privacy and security protections available under HIPAA; it increases the potential legal liability for non-compliance; and it provides for more enforcement.

Enforcement

As mentioned previously, and more or less widely known within the heath care industry, the consensus view is that HIPAA has not been rigorously enforced in the past. Time will tell how the enforcement regime will change post the HITECH Act, but certainly the Act contains language that implies lax enforcement may be ancient history. Under HITECH, mandatory penalties will be imposed for “willful neglect.” Obviously what “willful neglect” means will be determined on a case-by-case basis, but speaking in the parlance of this guide, we believe that a provider with “no story” regarding compliance (or so minimal a story as to portray a cavalier attitude toward compliance) will likely be at significant risk.

Civil penalties for willful neglect are increased under the HITECH Act. These penalties can extend up to $250,000, with repeat/uncorrected violations extending up to $1.5 million. Legislators appear to be sending a clear message that “we are not in Kansas” anymore. Furthermore, under certain conditions HIPAA’s civil and criminal penalties now extend to business associates. Like HIPAA, the HITECH Act does not allow an individual to bring a cause of action against a provider. However, it does allow a state attorney general to bring an action on behalf of his or her residents. Finally, HHS is now required to conduct periodic audits of covered entities and business associates.

Clearly, the legislative intent is to provide for “enhanced enforcement.” To what degree enforcement actually increases on the ground is yet to be determined, but the HITECH Act significantly ups the ante for non-compliance.

 

Business Associates and Business Associate Agreements

The HITECH Act now applies certain HIPAA provisions directly to business associates. Formerly, privacy and security requirements were imposed on business associates via contractual agreements with covered entities. As we have noted elsewhere in this guide, we suspect that many small providers do not have the requisite contracts (aka Business Associate Agreements) in place. In some cases Business Associate Agreements (contracts) exist but may not meet all the requirements of the rules. Under the lax enforcement regime of the past, lack of contractual agreements has apparently not proved problematic for the provider community as a whole. This may soon change.

Under the HITECH Act, business associates are now directly “on the compliance hook” since they are required to comply with the safeguards contained in the HIPAA Security Rule (SR). The HITECH Act does not speak directly to the rationale, but even casual observers understand that a potentially massive expansion in the exchange of ePHI increases the privacy and security concerns of all stakeholders. Most, if not all, software vendors providing EHR systems will clearly qualify as business associates. Requiring vendors to comply directly ensures that more provider/vendor dialog will occur regarding the necessary Business Associate Agreements (contracts), and regarding other compliance issues of mutual interest. The vendors themselves will insist on it.