Health Information Technology, HIPAA, and Need for Risk Analysis

How does HIPAA law apply to health information technology? Know the role of risk analysis to maintain privacy and security of electronic health information.

The term “health information technology” (health IT) is a broad concept that encompasses an array of technologies to store, share, and analyze health information. With an increasing number of providers plunging into the vast pool of HIT, it becomes imperative that you have a clear vision of the association between HIT and HIPAA, along with the need to perform risk analyses.

Related: A Complete Guide To HIPAA Law: How It Keeps Your Privacy Protected

An Overview of Health Information Technology

In its simplest form, health information technology is an amalgamation of health information and IT that aims to improve the quality of healthcare. While this might look like a simple concept, its wings are more diverse than you think.

Let’s explore.

Health IT involves the use of technology to store, share and retrieve health information among various stakeholders. For example, patients, providers, payers, and regulatory bodies. The major benefits of HIT are reduced medical errors, lowered health care costs, increased administrative efficiencies, fewer paper-based records, and wider access to affordable health care. When we say technology, we mean both hardware and software.

What Does Health Information Technology Cover?

HIT covers:

• Electronic health records (EHRs). An EHR is the major domain of health information technology. EHRs store patient’s health information in various electronic systems. People often use the terms EHRs and EMRs (electronic medical records) interchangeably. Some EHRs allow the patients to their access their information through a Patient Portal.Also Read: 5 Security Measures for Safe Patient Portals
• Personal health records (PHRs). PHR and EHR are similar, except that PHR allows the patients to control what kind of information gets into the system. In addition, a PHR may also contain information other than the medical records. For example, food trackers, exercise, and blood pressure.
• E-prescription. An e-prescription is an electronic form of the paper prescription.
• Email. An email between a patient and a healthcare professional (or between two health professionals) for health communication is a part of the HIT.
• Online Document Management. Online acquisition and storage of documents, including web form submissions.
• Communications Technologies. For example: chat systems, secure texting, voice-over-IP.
• Telehealth uses electronic communications and information technologies to enhance the quality of healthcare services. It includes videoconferencing, transmission of still images, patient portals, remote patient monitoring and nursing call centers.Further Reading: 6 Essentials For Privacy and Security in Telehealth
• Mobile health apps. These personal health tools are also a part of health information technology. Some common examples are fitness trackers and medication reminders.
• Online communities. Online communities act as a platform where patients from a diverse background can share their experience about some specific health conditions such as pregnancy, diabetes, and others.

Exploring the Association between Health Information Technology and HIPAA

HIPAA (Health Insurance Portability and Accountability Act) is legislation from 1996 that works to ensure the privacy of health information. Moreover, it also provides security provisions to prevent a patient data breach.

HIPAA Covers Health IT BUT Not Always

Since health IT involves the use, storage, retrieval and transmission of health information, it comes under the purview of HIPAA law. However, many gaps negatively impact the effectiveness of HIPAA. Given below are some instances where HIPAA law may be ineffective.

• First, both the HIPAA Privacy and Security Rules are applicable only to covered entities and their vendors (and those vendors’ vendors). Meaning, any entity that uses protected health information (PHI) but does not a covered entity or contractually working with one is not liable to be punished in the event of a disclosure or misuse of the acquired information. Most notable examples are the researchers who use PHI for research activities.
• Second, the HIPAA Security Rule is applicable only to the electronically stored health information. Thus, the covered entities do not have to implement any security protections for paper-based health records. However, efforts to transfer the information from paper to electronic storage are on the rise.
• Third, numerous surveys conducted by the American Health Information Management Association (AHIMA) show that many covered entities do not fully comply with all the HIPAA requirements. We know this from experience.

Top 5 Queries about Health Information Technology Answered

1. How Much Does It Cost to Install an EHR, the major Domain of Health IT? The cost of purchasing and installing an electronic health record (EHR) ranges from $15,000 to $70,000 per provider.
2. Does EHR Save Time for the Doctors? According to a report from the American Medical Association, the doctors spend more on EHRs (nearly twice) than on the patients.
3. How Many Members are Registered in the EHR Incentive Programs? As of September 2016, more than 599,000 eligible professionals, eligible hospitals, and critical access hospitals were actively registered in the EHR incentive programs.
4. What is the Cost of EHR to A Practice? According to a Medical Group Management Association report, the total health IT-related cost paid by a multi-specialty practice was more than $30,000 in 2015.
5. How are Physicians Responding to EHR Adoption? From 2008 to 2015, office-based physician adoption of any EHRs has more than doubled, from 42% to 87%.

Why HIT Outsourcing is Becoming A Common Practice

As health information is rapidly shifting from paper-based documentation to sophisticated EHRs, hospitals are prioritizing outsourcing. The key factors that fuel HIT outsourcing are:

• Reduced cost. Outsourcing is a cost-effective way to meet the regulatory and industry demands.
• Timely alignment with technological advancements. Not every hospital has enough trained staff who can keep up with the new technology. As a matter of fact, EHRs are getting more and more advanced with every passing day. Thus, it is of paramount importance that the practices do not lag behind.
• Compliance with the regulatory requirements. As HIPAA tightens its grip on the practices, the hospital leaders have few options to adopt EHRs. Undoubtedly, outsourcing ranks first among them.

Risk Analysis in Health Information Technology: What You Should Not Miss

Risk is indispensable to any practice whether it’s a business or health. By the same token, health information technology is also not totally free from risk. A practical and effective risk analysis can go a long way in protecting the sensitive health information.

In fact, a risk analysis presents a unique way to anticipate the potential risk factors, rank the known risks and take preventive actions. In case an unfortunate data breach occurs in the system, there will be planned remedial actions to stop further damages.

To know more about health information technology, and ways to minimize your risk through IT communications outsourcing, talk to the experts.  Sign up for a free consultation.