How to Comply with the HITECH Act

“HIPAA on steroids” brought dramatic changes to HIPAA Rules by laying out far tougher data security requirements for healthcare organizations as well as their business associates.

What is the HITECH Act?

HITECH, or the Health Information Technology for Economic and Clinical Health Act, was signed into law as part of the American Recovery and Reinvestment Act in 2009 to encourage healthcare organizations to adopt and use Electronic Health Records (EHR). HITECH used both a carrot and a stick, offering incentives to organizations that adopted EHR standards and imposing penalties on those that made insufficient use of EHR.

The HITECH Act foresaw the wide expansion of the exchange of electronic protected health information (ePHI) between doctors, clinics, health insurance companies, and other entities that handle healthcare information. In order to safeguard ePHI in a digitally oriented healthcare system, HITECH also altered the enforcement of HIPAA in several ways:

HITECH strengthened enforcement of the HIPAA Security and Privacy Rules by increasing the penalties for breaches.

HITECH mandated security audits of all healthcare providers, used to investigate and determine whether providers meet the minimum standards for compliance with the Privacy and Security Rules.

Finally, it created a four-tiered system of HIPAA violations. Under HITECH, organizations and individuals can be penalized even if they were unaware of a violation, while entities can escape penalties if the violation is found to be unavoidable and not due to negligence on their part, and it is corrected within 30 days of discovery.

  • First Tier: The covered entity did not know and could not reasonably have known of the breach. Generally, these range from $100 to $50,000 per incident, up to $1.5 million in penalties.
  • Second Tier: The covered entity knew, or by exercising reasonable diligence would have known, of the violation, though it did not act with willful neglect. Fines for the second tier can range from $1,000 to $50,000 per incident, up to $1.5 million.
  • Third Tier: The covered entity "acted with willful neglect" but corrected the problem within a 30-day period of the breach. Penalties for the third tier can range from $10,000 to $50,000 per incident, up to $1.5 million.
  • Fourth Tier: The covered entity acted with willful neglect and failed to make a timely correction. Fines start at $50,000 per incident, up to $1.5 million.

Additionally, the HITECH Act extended the Privacy Rule and Security Rule to apply directly to business associates, such as software providers, billing firms, law firms, and other organizations that help covered entities run the business and administrative side of their operations, though it was the Omnibus Rule that laid the groundwork for how these rules would be enforced.


HITECH Compliance Goals

The overarching goal of HITECH was to encourage and promote the use of secure and portable EHR throughout the United States. To achieve this goal, it specified three stages of "meaningful use", requiring progressively wider deployment of EHR along with safeguards to maintain the quality and security of the data.

HITECH required covered entities to undergo HIPAA compliance training under the standards set by the Security Rule. Additionally, it strengthened the Breach Notification Rule by requiring notification of a PHI breach to all affected parties, regardless of whether the breach could result in harm.

As noted above, HITECH expanded HIPAA Compliance requirements 

Best Practices for HITECH and HIPAA Compliance

1: Stay informed. Make sure that the employees of your organization are actually knowledgeable about HIPAA, HITECH, and data breach notification laws. How can you ensure they are knowledgeable? Ongoing education and training.

2: Create a security plan. HIPAA requires workplaces to implement various safeguards in order to ensure the security and privacy of PHI. A formal security policy should put in place physical, administrative, and technical safeguards that ensure the privacy, safety, and integrity of PHI, such as data protection solutions that proactively classify records and protect them from unauthorized access or use.

3: Educate your employees, and enforce compliance. Research has shown that employee negligence is the leading cause of data breaches. Security training should be frequent and constantly updated.

4: Limit access to sensitive data. Ensure that PHI can only be accessed by employees who need it for their delegated job responsibilities, on an as-needed basis. Furthermore, it is a best practice to be able to log who accessed PHI, when, and what each employee did with the protected data.

5: Perform frequent reviews of your security protocols. Not only is this a requirement of HITECH, but it can also help you identify and eliminate risk before a breach actually occurs, by correcting vulnerabilities and implementing policies and procedures that lower your organization's risk of a breach.
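Steps 4 and 5 above describe two controls that are easy to state and easy to get wrong in practice: a need-to-know check before PHI is released, and an audit trail that records who touched which record, when, and what they did, so that the access log can be reviewed periodically. The following Python is an added example written for this article; it is not code from the article or from Accountable. The roles, permissions, employee names, and patient IDs are constructed for illustration. The gate enforces two conditions, that the employee's role permits the requested action and that the employee is actually assigned to the patient, and records an allow/deny entry either way, so that the log also captures attempts that were refused.

```python
"""Need-to-know PHI access gate with an append-only audit log (constructed example)."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: which PHI actions each role is permitted to perform.
# A role that is not listed has no permissions at all (deny by default).
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "nurse": {"read"},
    "billing": {"read_billing"},
}


@dataclass
class Employee:
    user_id: str
    role: str
    # Patients this employee is assigned to (care team or billing account).
    # Membership here is the "need-to-know" relationship the gate checks.
    assigned_patients: set = field(default_factory=set)


class PHIAccessGate:
    """Authorizes PHI actions and records every decision as a JSON log line."""

    def __init__(self):
        self.audit_log = []  # append-only; each entry is a JSON string

    def _record(self, user, patient_id, action, decision, reason):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),  # when
            "user": user.user_id,                          # who
            "role": user.role,
            "patient": patient_id,                         # which record
            "action": action,                              # what they did
            "decision": decision,
            "reason": reason,
        }
        self.audit_log.append(json.dumps(entry, sort_keys=True))

    def authorize(self, user, patient_id, action):
        """Return True only if role AND assignment both permit the action."""
        allowed = ROLE_PERMISSIONS.get(user.role, set())
        if action not in allowed:
            self._record(user, patient_id, action, "deny", "role lacks permission")
            return False
        if patient_id not in user.assigned_patients:
            self._record(user, patient_id, action, "deny", "no treatment relationship")
            return False
        self._record(user, patient_id, action, "allow", "role and assignment match")
        return True

    def denials_by_user(self):
        """Summary for periodic review: count of denied attempts per employee."""
        counts = {}
        for line in self.audit_log:
            entry = json.loads(line)
            if entry["decision"] == "deny":
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return counts


def run_demo():
    """Exercise the gate with constructed employees and return the review summary."""
    gate = PHIAccessGate()
    doctor = Employee("dr_ada", "physician", {"P-1001"})
    nurse = Employee("rn_bob", "nurse", {"P-1001"})

    gate.authorize(doctor, "P-1001", "update")   # allowed: assigned physician
    gate.authorize(doctor, "P-2002", "read")     # denied: not on that care team
    gate.authorize(nurse, "P-1001", "update")    # denied: nurses may only read

    for line in gate.audit_log:
        print(line)
    return gate.denials_by_user()


if __name__ == "__main__":
    print(run_demo())
```

The two denials in the demo are the interesting part of the log for a step 5 review: a physician reading outside their patient list and a nurse attempting an update are exactly the events a periodic review should surface, whether they turn out to be mistakes, misconfigured assignments, or something that warrants investigation.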

HITECH is Complex. Accountable Makes HITECH Compliance Simple

As you can see, the HITECH Act has a lot of moving parts, and compliance can feel like a moving target.

It's important to remember that, as easy as it is to violate the HITECH Act, implementing training and policies to safeguard PHI and your organization from a breach is easier. That is why we created Accountable: a complete solution designed to help you achieve and maintain your organization's compliance with HITECH. We built it to give you the tools you need to train your employees, manage your vendors, and root out security risks within your organization.

Oh, and it’s free to get started.
