The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

What is HITECH Compliance? Understanding and Meeting HITECH Requirements

by Juliana de Groot on Monday July 19, 2021

Contact Us
Free Demo
Chat

Learn about the requirements for HITECH compliance and how to meet them in Data Protection 101, our series on the fundamentals of information security.

A Definition of HITECH Compliance

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was signed into law as part of the American Recovery and Reinvestment Act (ARRA) bill in 2009. The HITECH Act was created to drive the adoption and “meaningful use” of electronic health records (EHR) technology by U.S.-based healthcare providers and their business associates. Meaningful use means healthcare providers need to show that they are using certified EHR technology in a way that can be measured in both quantity and quality.

The HITECH Act also set the stage for stricter enforcement of the Privacy and Security Rules of HIPAA by mandating security audits of all healthcare providers. These audits are used to investigate and determine whether providers meet minimum specified standards and are therefore in compliance with the HIPAA’s Privacy Rule and Security Rule.

HITECH's 3 Meaningful Use Phases

Implementation of provisions in HITECH are covered in three parts or “meaningful use phases.” These components specifically guide organizations covered by the legislation to come into compliance and be eligible for the incentives included in the program.
Below is a brief description of each meaningful use phase:

Phase One: The first installment deals with the capture and sharing of private data by a covered entity. Specifically, there are dozens of requirements and objectives to meet. These objectives are split into multiple categories:

  • Core objectives (things like e-prescribing and Computerized Provider Order Entry (CPOE))
  • Menu objectives (for instance, submitting electronic data to proper locations)
  • Clinical quality (electronic blood pressure monitoring, weight screening)

Phase Two: In order to begin consideration for this meaningful use phase, all requirements of phase one must be met. Many of the rules in the second stage were combined with some from phase one. Initially, covered entities were required to meet phase two objectives beginning in 2014. In this phase, there is a slight difference between hospitals and professionals. There are two categories for both types of organization (core objectives and menu objectives) totaling 19 individual measures for hospitals and 20 for professionals.

Phase Three: The most up-to-date phase is the third. It also has the fewest number of measures to take for covered entities (8 for both eligible professionals and hospitals). The Centers for Medicare and Medicaid Services (CMS) has detailed requirements of each objective in PDF documents for both professionals and hospitals.

These 8 requirements include:

  • Protect electronic protected health information (ePHI)
  • Generate prescriptions electronically
  • Implement clinical decision support (CDS)
  • “Use computerized provider order entry (CPOE) for medication, laboratory, and diagnostic imaging orders.”
  • Timely patient access to electronic files
  • Coordination of Care
  • Health Information Exchange
  • Public Health Reporting

Note: Each compliance objective in the official CMS PDFs include links for even more information about each individual objective.

HITECH Provides Security and Privacy Benefits for Patients

The HITECH Act brings several benefits to healthcare patients through its requirements for EHR technology and its provisions for enforcement of the HIPAA Privacy and Security Rules. One benefit is the requirement that patients must be given access to their protected health information (PHI) electronically. A second benefit is the requirement that patients must be notified of any data breaches related to patients’ PHI, and any breaches affecting 500 or more patients must be reported to the United States Department of Health and Human Services (HHS). The HITECH Act also outlines stiff penalties – as high as $250,000 for first incidents and $1.5 million for repeat incidents – for companies found to be in “willful neglect” of HIPAA/HITECH requirements.

The HITECH Act allots $25.9 billion to expand healthcare IT and meet these requirements, meaning that healthcare companies also have economic incentive to improve IT security and reap the benefits of EHR technology.

Business Benefits of Meaningful Use of EHR Technology (Data Interoperability)

UPMC states “The provisions of the HITECH Act are specifically designed to work together to provide the necessary assistance and technical support to providers, enable coordination and alignment within and among states, establish connectivity to the public health community in case of emergencies, and assure the workforce is properly trained and equipped to be meaningful users of EHRs.” The goals of meaningful use, now referred to as data interoperability, include improving electronic public health reporting and improving patient care. The benefits of data interoperability include:

  • Enabling bi-directional communication between clinical healthcare providers and state public health agencies
  • The standardization of data elements to support seamless data exchange
  • Improving efficiency across the healthcare ecosystem

HITECH and HIPAA are separate laws, but in certain ways they reinforce each other. One example is that any technology standards and technologies that were created under HITECH cannot compromise HIPAA’s security and privacy laws. In addition, hospitals and physicians have to perform a security risk assessment for HIPAA, if they attest to meaningful use as required by HITECH.

Best Practices for HITECH Compliance

There are several key factors to keep in mind regarding HITECH:

  1. Train employees and business partners on HITECH requirements to ensure organizational adherence to “meaningful use” of EHR technology and privacy/security rules.
  2. Implement an information security program to ensure the privacy, safety, and integrity of PHI, such as data protection solutions that proactively classify and protect data from unauthorized access, transfer, or use.
  3. Practice the principle of least privilege to limit employee or partner access to private information on an as-needed basis.
  4. Because the HITECH Act requires compliance audits of healthcare providers, it is important that providers review all of their internal practices and policies to be sure they are in compliance and implement security solutions that help to maintain compliance while offering adequate protection for PHI and other sensitive data.

There are many facets of the HITECH Act that are crucial to secure medical practices. Chief among them is more rigorous HIPAA enforcement with higher penalties for violations and patient/government notification of data breaches. HITECH’s funding for EHR adoption, combined with the convenience and efficiency provided by EHR technologies, means that healthcare businesses now have serious incentives for transitioning to electronic records as well as penalties for failing to do so.

Business Benefits of Meaningful Use of EHR Technology (Data Interoperability)

UPMC states “The provisions of the HITECH Act are specifically designed to work together to provide the necessary assistance and technical support to providers, enable coordination and alignment within and among states, establish connectivity to the public health community in case of emergencies, and assure the workforce is properly trained and equipped to be meaningful users of EHRs.” The goals of meaningful use, now referred to as data interoperability, include improving electronic public health reporting and improving patient care. The benefits of data interoperability include:

  • Enabling bi-directional communication between clinical healthcare providers and state public health agencies
  • The standardization of data elements to support seamless data exchange
  • Improving efficiency across the healthcare ecosystem

HITECH and HIPAA are separate laws, but in certain ways they reinforce each other. One example is that any technology standards and technologies that were created under HITECH cannot compromise HIPAA’s security and privacy laws. In addition, hospitals and physicians have to perform a security risk assessment for HIPAA, if they attest to meaningful use as required by HITECH.

Best Practices for HITECH Compliance

There are several key factors to keep in mind regarding HITECH:

  1. Train employees and business partners on HITECH requirements to ensure organizational adherence to “meaningful use” of EHR technology and privacy/security rules.
  2. Implement an information security program to ensure the privacy, safety, and integrity of PHI, such as data protection solutions that proactively classify and protect data from unauthorized access, transfer, or use.
  3. Practice the principle of least privilege to limit employee or partner access to private information on an as-needed basis.
  4. Because the HITECH Act requires compliance audits of healthcare providers, it is important that providers review all of their internal practices and policies to be sure they are in compliance and implement security solutions that help to maintain compliance while offering adequate protection for PHI and other sensitive data.

There are many facets of the HITECH Act that are crucial to secure medical practices. Chief among them is more rigorous HIPAA enforcement with higher penalties for violations and patient/government notification of data breaches. HITECH’s funding for EHR adoption, combined with the convenience and efficiency provided by EHR technologies, means that healthcare businesses now have serious incentives for transitioning to electronic records as well as penalties for failing to do so.

Tags: Data Protection 101