The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls

Digital Guardian's Blog

What is HITECH Compliance? Understanding and Meeting HITECH Requirements

by Nate Lord on Tuesday September 29, 2020

Contact Us
Free Demo

Learn about the requirements for HITECH compliance and how to meet them in Data Protection 101, our series on the fundamentals of information security.

A Definition of HITECH Compliance

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was signed into law as part of the American Recovery and Reinvestment Act (ARRA) bill in 2009. The HITECH Act was created to drive the adoption and “meaningful use” of electronic health records (EHR) technology by U.S.-based healthcare providers and their business associates. Meaningful use means healthcare providers need to show that they are using certified EHR technology in a way that can be measured in both quantity and quality.

The HITECH Act also set the stage for stricter enforcement of the Privacy and Security Rules of HIPAA by mandating security audits of all healthcare providers. These audits are used to investigate and determine whether providers meet minimum specified standards and are therefore in compliance with the HIPAA’s Privacy Rule and Security Rule.

HITECH Provides Security and Privacy Benefits for Patients

The HITECH Act brings several benefits to healthcare patients through its requirements for EHR technology and its provisions for enforcement of the HIPAA Privacy and Security Rules. One benefit is the requirement that patients must be given access to their protected health information (PHI) electronically. A second benefit is the requirement that patients must be notified of any data breaches related to patients’ PHI, and any breaches affecting 500 or more patients must be reported to the United States Department of Health and Human Services (HHS). The HITECH Act also outlines stiff penalties – as high as $250,000 for first incidents and $1.5 million for repeat incidents – for companies found to be in “willful neglect” of HIPAA/HITECH requirements.

The HITECH Act allots $25.9 billion to expand healthcare IT and meet these requirements, meaning that healthcare companies also have economic incentive to improve IT security and reap the benefits of EHR technology.

Go Deeper


Business Benefits of Meaningful Use of EHR Technology states “The provisions of the HITECH Act are specifically designed to work together to provide the necessary assistance and technical support to providers, enable coordination and alignment within and among states, establish connectivity to the public health community in case of emergencies, and assure the workforce is properly trained and equipped to be meaningful users of EHRs.” The plan for meaningful use rests on the following policy priorities:

  • Improvement of efficiency, safety, quality, and reduction of health disparities
  • Getting the attention of families and patients and keeping them involved in their health
  • Improvement of care coordination
  • Improvement of public health
  • Ensuring sufficient security and privacy protection for PHI

HITECH and HIPAA are separate laws, but in certain ways they reinforce each other. One example is that any technology standards and technologies that were created under HITECH cannot compromise HIPAA’s security and privacy laws. In addition, hospitals and physicians have to perform a security risk assessment for HIPAA, if they attest to meaningful use as required by HITECH.

Best Practices for HITECH Compliance

There are several key factors to keep in mind regarding HITECH:

  1. Train employees and business partners on HITECH requirements to ensure organizational adherence to “meaningful use” of EHR technology and privacy/security rules.
  2. Implement an information security program to ensure the privacy, safety, and integrity of PHI, such as data protection solutions that proactively classify and protect data from unauthorized access, transfer, or use.
  3. Practice the principle of least privilege to limit employee or partner access to private information on an as-needed basis.
  4. Because the HITECH Act requires compliance audits of healthcare providers, it is important that providers review all of their internal practices and policies to be sure they are in compliance and implement security solutions that help to maintain compliance while offering adequate protection for PHI and other sensitive data.

There are many facets of the HITECH Act that are crucial to secure medical practices. Chief among them is more rigorous HIPAA enforcement with higher penalties for violations and patient/government notification of data breaches. HITECH’s funding for EHR adoption, combined with the convenience and efficiency provided by EHR technologies, means that healthcare businesses now have serious incentives for transitioning to electronic records as well as penalties for failing to do so.

Tags: Data Protection 101

Nate Lord

Nate Lord is the former editor of Data Insider and is currently an account manager covering the southeast, Great Lakes, and Latin America regions at Digital Guardian. He has over 7 years of experience in the information security industry, working at Veracode prior to joining Digital Guardian in 2014. Nate enjoys learning about the complex problems facing information security professionals and collaborating with Digital Guardian customers to help solve them.