What is HITECH?

The Health Information Technology for Economic and Clinical Health Act or HITECH was signed into law by President Barack Obama in 2009 as part of the American Recovery and Reinvestment Act of 2009. It was created to promote the use of electronic health records (EHRs) by healthcare providers.

An EHR is a digital version of a patient record that enables healthcare providers and organizations involved in a patient’s care to share the patient’s health information. This health information exchange improves healthcare quality, coordination, diagnostics and treatment. 

The Act introduced financial incentives to encourage healthcare providers to switch to EHRs. Consequently, EHR adoption rose, and by 2017, 86% of office-based physicians were using an EHR system

HITECH also plugs the loopholes in the Health Insurance Portability and Accountability Act (HIPAA). It ensures that HIPAA-covered entities and business associates comply with HIPAA Privacy and Security Rules to safeguard patients’ health information. It also specifies the penalties for non-compliance.

What is the Difference Between HITECH and HIPAA?

There are subtle differences between HIPAA and HITECH. Both Acts protect patients’ ePHI. However, they differ concerning patients’ rights. 

HIPAA Title I is concerned with health insurance portability, so it does not relate toHITECH. HIPAA Title II, however, includes security controls for electronic health records, and other forms of patients’ electronic protected health information (ePHI). It thus has a strong relationship with the HITECH Act.

Before HITECH, patients could access their ePHI. Under HITECH, patients have the right to request access reports to understand who accessed and viewed their ePHI and if they were authorized to do so.

Who Regulates HITECH?

The Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) enforces the data breach notification requirements in HITECH. The OCR generally prefers to resolve violations through non-punitive measures.

The state attorneys general also have independent enforcement powers and can bring a civil action in federal court against HITECH violators. Fines are levied in a tier-based fashion, depending on how egregious the violations are. Victims can receive compensation for these fines.

How is HITECH Enforced?

HITECH mandates are formulated as two rules:

  1.       Enforcement Rule: It specifies more stringent enforcement provisions to extend the HIPAA framework.
  2.       Breach Notification Rule: It specifies that if an ePHI is exposed, the organization responsible for that data must inform the people involved.

HIPAA’s technologically neutral nature had created confusion about how best to protect ePHI. It also imposed very mild financial penalties for violations. HITECH strengthened the HIPAA Privacy Rule and Security Rule in this respect.

HITECH established stricter breach notification rules – including increased financial penalties – for the business associates of covered entities. Before HITECH, business associates did not have a legal obligation to maintain the integrity of PHI. 

After HITECH, both covered entities and business associates are legally obligated to comply with HIPAA and HITECH. HITECH also makes business associates directly accountable for HIPAA violations and binds them to report any data breaches to their covered entities.

The HHS has imposed staggering penalties for egregious HIPAA/HITECH compliance failures. For instance, in 2017, it imposed a fine of $4.34 million for multiple inadvertent HIPAA violations against the M.D. Anderson Cancer Center at the University of Texas. Anderson appealed the penalty to the Fifth Circuit Court of Appeals. 

This court criticized HHS and curtailed its authority to punish self-reported HIPAA violations arising from the theft or accidental loss of electronic medical records.

What is a HITECH Subtitle D Audit?

Subtitle D of HITECH covers ePHI privacy and security. The HITECH Subtitle D audit is a self-audit conducted by organizations to assess their preparedness for a data breach.

Along with the Subtitle D audit, there are five other annual audits/assessments required for HITECH compliance:

  •       Security risk assessment
  •       Privacy assessment (for covered entities)
  •       Security standards audit
  •       Asset and device audit
  •       Physical site audit

HHS OCR identifies these audits as elements of an effective compliance program.

How to Be Compliant with HITECH

Healthcare providers or other covered entities and their business associates can achieve and maintain HITECH compliance by following these best practices:

Implement an Information Security Program

An information security program with procedures, controls, and policies is essential for HITECH compliance. Organizations should implement data protection, file encryption, and secure email solutions to protect ePHI from unauthorized access, transfer, or use. They must also regularly review their internal practices to ensure continuous compliance.

Train Employees on HIPAA and HITECH

All healthcare employees and business associates must be trained on HIPAA and HITECH requirements, the Breach Notification Rule and its exclusions, and the financial penalties for failing to report a data breach.

Maintain a HITECH Compliance Checklist

To ensure consistent and continuous compliance, a compliance checklist can be helpful. It should be based on a series of risk assessments to determine existing vulnerabilities and identify any threats to ePHI.

Control Digital and Physical Access to Data

Both digital and physical access to ePHI must be strictly controlled and monitored. The principle of least privilege must be enforced to limit access on an as-needed basis.

Key Takeaways

  • Health Information Technology for Economic and Clinical Health Act or HITECH extends HIPAA’s reach to business associates of healthcare organizations
  • HITECH advises the use of electronic health records (EHRs)
  • It strengthens the civil and criminal enforcement of HIPAA and establishes stronger breach notification rules and criminal penalties
  • HITECH is regulated by the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS)
  • HITECH Subtitle D audit is conducted by organizations to self-assess their preparedness for a security breach