LNCtips.com: The Lowdown on HITECH
As a Registered Nurse, you already know the ins and outs of HIPAA, the Health Insurance Portability and Accountability Act. But as a new legal nurse consultant, did you know that there's a HIPAA amendment that could affect your practice as an LNC? The Health Information Technology for Economic and Clinical Health (HITECH) Act imposes some requirements and hefty fines for certain law firms and their employees as well as independent contractors and experts who do business with these firms.
Before we talk about HITECH, let's define a few terms:
Covered Entities. Covered entities are healthcare clearinghouses (information processors), health plans (insurance companies, HMOs, etc.) and healthcare providers (doctors, hospitals, clinics, nursing homes, etc. if they transmit information in electronic format).
Business Associates. This is how you may be affected. Business associates are those who work for or provide services to a covered entity. If you provide services to a law firm that defends hospitals, physicians, or other covered entities, then HITECH applies to you.
The HITECH Act encourages covered entities to store medical information electronically. Physicians, hospitals and other healthcare providers are being urged to adopt electronic medical records with both a carrot and a stick from the federal government. Covered entities will be given a monetary incentive to convert to electronic medical records quickly and will face reductions in their Medicare and Medicaid reimbursement if they do not. In addition, HITECH strengthens HIPAA enforcement and imposes fines up to $1.5 million for those who violate HIPAA's privacy requirements. HITECH also requires that entities either encrypt protected health care information or destroy it so that unauthorized individuals cannot read or decipher it.
How will this affect you as a legal nurse consultant?
If you work in a defense law firm, expect training on security awareness, particularly about storage and transmission of electronic medical records. It's part of the HITECH administrative safeguards.
If you work in a covered entity or as a business associate to a covered entity, expect to use encryption and decryption of electronic medical records, including those sent by email and those uploaded to/downloaded from the internet. Encryption and decryption are required as part of HITECH's technical safeguards. You will probably have to rely on encryption software from your law firm or covered entity; most internet programs that upload and download large files don't offer free encryption or aren't as secure as they should be.
If you're an expert or an independent contractor working for the defense, expect to sign a business associate agreement specifying that you will follow HIPAA/HITECH safeguards for protected health information and that you will report any security incidents.
But what if you work for a plaintiff law firm? Plaintiff firms often draft authorizations for medical records and those authorizations must be HIPAA compliant. However, according to Amy Fehn, co-author of HIPAA security and privacy workbooks who assisted me with this topic, most HIPAA regulations don't apply to plaintiff firms. Plaintiff firms don't represent covered entities and therefore are not business associates for HIPAA purposes.
However, as an LNC working for the plaintiff, you should still act in the plaintiff's best interests and that may mean following the same privacy protection measures as those of covered entities and business associates. In addition, your work with attorneys and the Code of Ethics and Conduct of the American Association of Legal Nurse Consultants require you to protect the patient's privacy and confidentiality.