
HITECH Act and HIPAA



The American Recovery and Reinvestment Act of 2009 includes the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HITECH Act provides Medicare and Medicaid monetary incentives for hospitals and physicians to adopt electronic health records (EHRs) and also provides grants for the development of a health information exchange (HIE). These incentives and grants were created to stimulate health care providers to adopt technology necessary to improve the efficiency of patient healthcare.

HITECH Act provides over $30 billion for healthcare infrastructure and the adoption of electronic health records (EHR). According to the Act, physicians are eligible to receive up to $44,000 per physician from Medicare for "meaningful use" of a certified EHR system starting in 2012.

ARRA describes "improvements" to existing HIPAA law: covered entities, business associates and others will be subject to more rigorous standards when it comes to protected health information (PHI). The HITECH Act expands the scope of the HIPAA Privacy and Security Rules and increases the penalties for HIPAA violations.

Specifically, the HITECH Act addresses five main areas of the HIPAA regulations:

Applies the same HIPAA privacy and security requirements (and penalties) for covered entities to business associates

Establishes mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates

Creates new privacy requirements for HIPAA covered entities and business associates, including new accounting disclosure requirements and restrictions on sales and marketing

Establishes new criminal and civil penalties for HIPAA non-compliance and new enforcement methods

Mandates that the new security requirements must be incorporated into all Business Associate contracts



Data Security: Encryption & Destruction

Here are answers to some of the more commonly asked questions pertaining to HIPAA compliance:

HIPAA data security compliance spans computer hard drives, media and paper documents. Each must have its own plan to maintain data lifecycle privacy, from encryption through retention to retirement (destruction). Some healthcare entities choose to do their data destruction in-house, while others outsource this to data destruction companies that also serve other governmental agencies.

To meet HIPAA regulations, all computer hard drives must be NIST-certified and use AES hardware encryption with two-key access to read/write data on the hard drive.

Data Destruction

High-Security Paper Shredding
To meet HIPAA regulations, all HIPAA-compliant paper shredders must be designated High Security, which means they are NSA and DoD approved to produce "unreconstructible" paper segments.

Hard Disk Destruction
To meet HIPAA regulations, all hard drives and media disks that will be taken out of use must first be degaussed and then "destroyed" as per NSA and DoD certification. Hard drive destruction involves physical bending, mangling, and breaking of the drive units so that the disks inside cannot possibly be spun up or read from.

There are hard disk "Destroyer" products available on the market that meet HIPAA regulations for data destruction compliance.