HITECH Act 42 for Covered Entities: Best Practices to Stay Compliant

Conduct Risk Assessments

Start with a documented security risk analysis tailored to your environment and the electronic protected health information (ePHI) you create, receive, maintain, or transmit. Define scope, catalog systems and data flows, and identify threats, vulnerabilities, likelihood, and impact.

• Inventory where ePHI lives, who accesses it, and how it moves across networks and vendors.
• Evaluate administrative, physical, and technical safeguards; record gaps in a risk register.
• Prioritize remediation with risk ratings, owners, timelines, and measurable outcomes.
• Track residual risk, document risk acceptance when justified, and reassess after changes.

Maintain evidence for compliance audit documentation, including methodologies, findings, decisions, and proof of implemented controls.

Implement Workforce Training

Provide role-based, recurring training so every workforce member understands HITECH Act 42 expectations and daily responsibilities for protecting ePHI. Combine onboarding, periodic refreshers, and just-in-time microlearning tied to real workflows.

• Cover secure handling of ePHI, device hygiene, phishing and social engineering, and incident reporting.
• Include access management protocols, password and MFA practices, and remote work safeguards.
• Measure effectiveness with quizzes, simulated phishing, and corrective coaching; retain attendance and results.

Enforce Access Controls

Design access management protocols around least privilege and need-to-know. Standardize how you grant, review, adjust, and revoke access across applications, endpoints, and cloud services.

• Use unique IDs, multi-factor authentication, and strong password policies with automated lockouts.
• Implement role-based access, separation of duties, and time-bound elevated access with approvals.
• Log access and changes; run periodic access recertifications and remove dormant or terminated accounts promptly.
• Secure endpoints and mobile devices with encryption, auto-lock, and remote wipe capabilities.

Develop Incident Response Plans

Create a tested plan that guides you from detection through recovery and post-incident learning. Define severity levels, decision trees, and roles for leadership, privacy, security, legal, and communications.

• Prepare playbooks for common events such as ransomware, lost or stolen devices, and misdirected email.
• Establish intake channels, evidence preservation, containment steps, and forensics support.
• Address breach notification requirements, including timelines, content elements, and stakeholder coordination.
• Conduct tabletop exercises at least annually and update procedures based on lessons learned.

Establish Business Associate Agreements

Vet vendors that create, receive, maintain, or transmit ePHI and ensure business associate compliance through robust agreements and oversight. Maintain a complete inventory of business associates and subcontractors.

• Execute Business Associate Agreements that define permitted uses, safeguards, breach reporting, and subcontractor flow-down obligations.
• Set minimum security controls, right-to-audit clauses, and termination provisions for non-compliance.
• Perform third-party risk assessments before onboarding and periodically thereafter; document due diligence and monitoring.

Apply Data Encryption

Adopt data encryption standards that render ePHI unreadable to unauthorized parties. Implement encryption for data in transit and at rest across endpoints, servers, backups, and cloud services.

• Use strong, modern protocols (for example, TLS for transmission and established AES-based methods at rest).
• Manage encryption keys securely with rotation, separation of duties, and hardware or managed key services.
• Encrypt mobile devices, removable media, and local caches; apply email encryption or secure portals for sensitive exchanges.
• Document exceptions, compensating controls, and periodic validation of cipher configurations.

Maintain Comprehensive Documentation

Treat documentation as operational proof of compliance and as a guide for staff. Keep policies, procedures, standards, and playbooks current, version-controlled, and mapped to HITECH Act 42 requirements.

• Retain compliance audit documentation: risk analyses, remediation plans, training records, access reviews, incident reports, and vendor assessments.
• Maintain an evidence repository with screenshots, logs, tickets, and approvals that show controls are working as intended.
• Schedule periodic internal audits and management reviews; record findings and corrective actions.

By embedding risk assessments, training, access controls, incident readiness, vendor governance, encryption, and thorough documentation, you create a repeatable compliance program that protects ePHI and demonstrates HITECH Act 42 diligence.

FAQs.

What are the key compliance requirements under HITECH Act 42?

Core requirements include completing a documented security risk analysis, implementing administrative/physical/technical safeguards, enforcing access management protocols, training your workforce, maintaining business associate compliance with executed agreements, following breach notification requirements, applying appropriate encryption, and keeping comprehensive, review-ready compliance audit documentation.

How often should risk assessments be conducted?

Perform a full risk assessment at least annually and whenever significant changes occur—such as new systems, migrations, mergers, or material incidents. Update your risk register continuously, verify remediation progress, and validate controls after each change.

What are the penalties for HITECH non-compliance?

Penalties are tiered by level of culpability and can involve substantial civil monetary fines per violation up to annual caps, mandatory corrective action plans, and ongoing monitoring. Indirect costs—legal fees, operational disruption, and reputational harm—often exceed the fines themselves.

How should breaches be reported according to HITECH Act 42?

Activate your incident response plan, investigate to confirm whether unsecured ePHI was compromised, and document your analysis. Provide timely notifications to affected individuals and the appropriate federal authorities, and in certain large-scale events, to the media as required. Notices should explain what happened, the types of data involved, steps individuals can take, your containment and remediation actions, and contact information, with all actions preserved for compliance audit documentation.