DATA SECURITY KNOWLEDGE BASE

What is HITECH Compliance? Understanding and Meeting HITECH Requirements

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was signed into law as part of the American Recovery and Reinvestment Act (ARRA) bill in 2009. The HITECH Act was created to drive the adoption and “meaningful use” of electronic health records (EHR) technology by U.S.-based healthcare providers and their business associates. Meaningful use means healthcare providers need to show that they are using certified EHR technology in a way that can be measured in both quantity and quality.

The HITECH Act also set the stage for stricter enforcement of the Privacy and Security Rules of HIPAA by mandating security audits of all healthcare providers. These audits are used to investigate and determine whether providers meet minimum specified standards and are therefore in compliance with the HIPAA’s Privacy Rule and Security Rule.

HITECH Provides Security and Privacy Benefits for Patients

The HITECH Act brings several benefits to healthcare patients through its requirements for EHR technology and its provisions for enforcement of the HIPAA Privacy and Security Rules. One benefit is the requirement that patients must be given access to their protected health information (PHI) electronically. A second benefit is the requirement that patients must be notified of any data breaches related to patients’ PHI, and any breaches affecting 500 or more patients must be reported to the United States Department of Health and Human Services (HHS). The HITECH Act also outlines stiff penalties – as high as $250,000 for first incidents and $1.5 million for repeat incidents – for companies found to be in “willful neglect” of HIPAA/HITECH requirements.

The HITECH Act allots $25.9 billion to expand healthcare IT and meet these requirements, meaning that healthcare companies also have economic incentive to improve IT security and reap the benefits of EHR technology.

Business Benefits of Meaningful Use of EHR Technology

HealthIT.gov states “The provisions of the HITECH Act are specifically designed to work together to provide the necessary assistance and technical support to providers, enable coordination and alignment within and among states, establish connectivity to the public health community in case of emergencies, and assure the workforce is properly trained and equipped to be meaningful users of EHRs.” The plan for meaningful use rests on the following policy priorities:

  • Improvement of efficiency, safety, quality, and reduction of health disparities
  • Getting the attention of families and patients and keeping them involved in their health
  • Improvement of care coordination
  • Improvement of public health
  • Ensuring sufficient security and privacy protection for PHI

HITECH and HIPAA are separate laws, but in certain ways they reinforce each other. One example is that any technology standards and technologies that were created under HITECH cannot compromise HIPAA’s security and privacy laws. In addition, hospitals and physicians have to perform a security risk assessment for HIPAA, if they attest to meaningful use as required by HITECH.

Best Practices for HITECH Compliance

There are several key factors to keep in mind regarding HITECH:

  1. Train employees and business partners on HITECH requirements to ensure organizational adherence to “meaningful use” of EHR technology and privacy/security rules.
  2. Implement an information security program to ensure the privacy, safety, and integrity of PHI, such as data protection solutions that proactively classify and protect data from unauthorized access, transfer, or use.
  3. Practice the principle of least privilege to limit employee or partner access to private information on an as-needed basis.
  4. Because the HITECH Act requires compliance audits of healthcare providers, it is important that providers review all of their internal practices and policies to be sure they are in compliance and implement security solutions that help to maintain compliance while offering adequate protection for PHI and other sensitive data.

There are many facets of the HITECH Act that are crucial to secure medical practices. Chief among them is more rigorous HIPAA enforcement with higher penalties for violations and patient/government notification of data breaches. HITECH’s funding for EHR adoption, combined with the convenience and efficiency provided by EHR technologies, means that healthcare businesses now have serious incentives for transitioning to electronic records as well as penalties for failing to do so.