We thank Dr. Gordon for his time and insightful comments made in response to our recently published editorial entitled “The Mobile Technology Era: Potential Benefits and the Challenging Quest to Ensure Patient Privacy and Confidentiality.” The information provided in his Letter to the Editor regarding the Health Information Technology for Economic and Clinical Health Act complements our article and adds valuable information.
We would like to elaborate on the historical evolution of the Health Information Technology for Economic and Clinical Health Act, and clarify the fact that monetary penalties implemented by this Act were not “created by the Health Information Technology for Economic and Clinical Health Act,” but instead they amended the already established penalties stated in the Enforcement Rule of the Health Insurance Portability and Accountability Act of 1996.
The Privacy and Security Rules of the Health Insurance Portability and Accountability Act set the standards and regulations regarding private health information, its storage, and electronic transfer. At that time, there were no formal provisions to ensure compliance of these rules. Shortly after these rules were finalized, on April 17, 2003, the first installment of what would later be known as the Health Insurance Portability and Accountability Act Enforcement Rule was created.1 The Enforcement Rule was finalized on February 16, 2006. The Enforcement Rule adopted new provisions relating to the imposition of civil monetary penalties and gave authority to the secretary of the Department of Health and Human Services to impose on any person who violates a Health Insurance Portability and Accountability Act provision or rule a penalty no more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.2 As is evident, these initial monetary penalties were not significant.
In February of 2009, Congress passed the American Recovery and Reinvestment Act of 2009. Four days later, President Barack Obama signed it into a law. This Act was a direct response to the economic crisis, and one of the three main goals was to foster unprecedented levels of accountability and transparency in government spending.3 As Dr. Gordon clearly explains in his letter, the government is of the opinion that electronic health information will be part of the solution to decrease health care expenditure.4
The American Recovery and Reinvestment Act is composed of two divisions, A and B. Title XIII (Division A) “Health Information Technology” and Title IV (Division B) “Medicare and Medicaid Health Information Technology; Miscellaneous Medicare Provisions” are together known as the Health Information Technology for Economic and Clinical Health Act, or the “HITECH Act.” Subtitle D of this Act pertains to the privacy of health information. As Dr. Gordon mentioned, it is stated here that security provisions and penalties will also apply to business associates (e.g., office staff in the management departments, administrative jobs) of covered entities (e.g., health plans, health care clearinghouses, and health care providers). Another important provision of this Act is the requirement by law to notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach. Entities involved in a breach in which the unsecured protected information of more than 500 individuals is acquired or disclosed are at risk of public scrutiny in the Web site of the Department of Health and Human Services. Perhaps the most significant changes come in the area of enforcement. New provisions under the Health Information Technology for Economic and Clinical Health Act amended some of the Health Insurance Portability and Accountability Act’s enforcement regulations, establishing four new categories of violations to reflect increasing levels of culpability. These four corresponding tiers of penalty amounts significantly increased the minimum penalty amount for each violation, including a maximum penalty amount of $1.5 million for all violations of an identical provision.5,6
It is encouraging to see a significant number of our colleagues interested in this new and developing field of health information technology. As plastic surgeons, we develop our creativity and problem-solving skills in a way that separates us from other medical specialties. We should be at the forefront in innovation and design of infrastructure to revolutionize the way we store and exchange health information. I am thrilled to see other plastic surgeons such as Dr. Dumanian (Northwestern University Feinberg School of Medicine) investing time and effort in developing new ways to take advantage of mobile technology and implementing it. His recently released apps, Hipaa Cat and My Doctor Note, are great examples of the available potential.
We would like to propose the development of a health information technology committee (i.e., HI-Tech Committee) within our Society (American Society of Plastic Surgeons) with the goal of joining those with similar interests and expertise to assist in the design and implementation of new technology that enhances patient-physician communication and improves the quality of health care services provided. This committee could also serve to keep the specialty up-to-date and compliant with new provisions, rules, standards, and requirements. With the government emphasis in promoting electronic health information, I foresee a range of situations in the near future that will require problem-solving skills and innovative solutions to implement and achieve these goals that we should be involved in.
The authors have no financial interest to declare in relation to the content of this communication.
Jose R. Rodriguez-Feliz, M.D.
Malcolm Z. Roth, M.D.
Albany Medical Center
1. Department of Health and Human Services. . Civil money penalties: Procedures for investigations, imposition of penalties, and hearings. Fed Regist. 2003;68(74):18902–18906 Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/moneypenalties.pdf
. Accessed January 16, 2013
2. U.S. Department of Health and Human Services. . Health Information Privacy. Enforcement Rule—Final Rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enforcementfinalrule.htm
Accessed January 15, 2013
3. Recovery.gov. . The Recovery Act. Available at: http://www.recovery.gov/About/Pages/The_Act.aspx
. Accessed January 21, 2013
4. Gordon CR. The mobile technology era: HITECH and expectations for the future (Letter). Plast Reconstr Surg. 2013;132:319e–320e
5. U.S. Department of Health and Human Services. Health Information Privacy. . HITECH Act Enforcement Interim Final Rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
. Accessed January 15, 2013
6. . One Hundred Eleventh Congress of the United States of America. Available at: http://www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf
. Accessed January 16, 2013
Letters to the Editor, discussing material recently published in the Journal, are welcome. They will have the best chance of acceptance if they are received within 8 weeks of an article’s publication. Letters to the Editor may be published with a response from the authors of the article being discussed. Discussions beyond the initial letter and response will not be published. Letters submitted pertaining to published Discussions of articles will not be printed. Letters to the Editor are not usually peer reviewed, but the Journal may invite replies from the authors of the original publication. All Letters are published at the discretion of the Editor.
Letters submitted should pose a specific question that clarifies a point that either was not made in the article or was unclear, and therefore a response from the corresponding author of the article is requested. Authors will be listed in the order in which they appear in the submission. Letters should be submitted electronically via PRS’ enkwell, at www.editorialmanager.com/prs/.
We reserve the right to edit Letters to meet requirements of space and format. Any financial interests relevant to the content of the correspondence must be disclosed. Submission of a Letter constitutes permission for the American Society of Plastic Surgeons and its licensees and asignees to publish it in the Journal and in any other form or medium.
The views, opinions, and conclusions expressed in the Letters to the Editor represent the personal opinions of the individual writers and not those of the publisher, the Editorial Board, or the sponsors of the Journal. Any stated views, opinions, and conclusions do not reflect the policy of any of the sponsoring organizations or of the institutions with which the writer is affiliated, and the publisher, the Editorial Board, and the sponsoring organizations assume no responsibility for the content of such correspondence.
The Journal requests that individuals submit no more than five (5) letters to Plastic and Reconstructive Surgery in a calendar year.