Answer to Question 1
HITECH, passed in 2009 as part of the stimulus, further defines compliance with HIPAA's privacy and security requirements. It also expands HIPAA standards that help electronic exchange of health information. It establishes incentives for adopting electronic health records (EHRs). It increases penalties for noncompliance and requires encryption. HITECH is also intended to implement a national health technology infrastructure, which could lead to the extension of telemedicine.
On August 3, 2009, the Department of Health and Human Services (HHS) took enforcement of HIPAA's security rule out of the hands of the Centers for Medicare and Medicaid Services and put the Office for Civil Rights (OCR) in charge. This change reflects the growing seriousness of the HHS and others about enforcing federal privacy and security mandates for health information. HITECH requires HIPAA to implement new breach regulations, encourages the use of EHRs, increases civil and criminal penalties for violations of the privacy rule, prohibits sales of health information without the consent of the patient, and tightens other HIPAA restrictions on disclosures of health information. Perhaps the most important thing that HITECH does is extend HIPAA privacy protections to businesses that work with HIPAA-covered entities. If a covered entity does not follow HIPAA's privacy rule, it is almost entirely excluded from receiving monetary incentives for introducing EHRs. HITECH defines a breach as unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information.
In 2009, criminal prosecutions under HIPAA increased. Two hospital employees in Florida were indicted for theft of patient records to use in a fraud scheme that included credit card fraud. In Arkansas, three health care workers pleaded guilty to violating HIPAA's privacy rule. Civil prosecutions are also increasing. CVS Pharmacy paid a 2.25 million settlement and had to change the way it disposed of patient information. In February 2011, the first civil money penalty for HIPAA violations was imposed. Cignet Health of Prince Georges County in Maryland had to pay 4.3 million for violating 41 patient's rights by not allowing them their medical records and for failing to either cooperate with the investigation or produce the records for the OCR. The amount of the penalty is partly due to the violations and partly due to the increased penalties under HITECH.
HITECH requires that breaches of the security of health information be reported to each individual affected. If the breach involves fewer than 500 people, it can be reported to the people involved and to HHS yearly. However, breaches involving 500 people or more must be reported to the HHS and are published on the HHS's Web site. February 22, 2010, was the compliance deadline. One recent page of breach notifications on the HHS's Web site listed well over 100 entities, each with breaches affecting 500 or more people. Some effected 40,000, 60,000, or 130,000 individual's personal health information. The breaches involved theft of laptops, unauthorized access to servers, and improper disposal of paper records and e-mails, and the simple loss of records.
Answer to Question 2
Any three of the following: patient safety, increased health costs, increasingly mobile society, availability of banking and other transactions to consumers via Internet, increased specialization (patients use multiple doctors, so records aren't in any one place), new methods of diagnostic and preventive medicine that require the ability to store EHR data.
DNA is biological information
Hubble Telescope in 2009
Common Health Problems in Community-Dwelling Older Adults
Cross-sectional data showing that the amount of effort spent on personal health care increases with
Access to Health Plus Mastering Health
Old Age and Health