The basics of HITECH and how it works with HIPAA

HITECH stands for the Health Information Technology for Economic and Clinical Health Act. It was enacted as part of the American Recovery and Reinvestment Act of 2009 and amended certain provisions of HIPAA. The HITECH Act introduced several changes and enhancements to HIPAA.

What is HITECH?

The HITECH Act works towards the adoption and meaningful use of health information technology (HIT) in the healthcare industry. It promotes the widespread use of electronic health records (EHRs) and other health information exchange systems to improve the quality, efficiency, and safety of patient care. It also introduces several provisions and initiatives to improve healthcare quality, enhance patient safety, and protect the privacy and security of electronic health information. 

Related: The guide to HIPAA compliant text messaging

Who does it apply to?

Covered Entities

The HITECH Act primarily applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. Healthcare providers encompass a wide range of entities, such as hospitals, physicians, clinics, nursing homes, and pharmacies. Health plans refer to insurance companies, HMOs, Medicare, Medicaid, and other organizations that pay for healthcare services. Healthcare clearinghouses process healthcare data like billing services or community health information systems.

Related: What is a covered entity?

Business Associates

The HITECH Act also extends its provisions to business associates of covered entities. Business associates are individuals or organizations that provide services to or on behalf of covered entities involving the use or disclosure of protected health information (PHI). Examples of business associates include medical billing companies, IT service providers, EHR vendors, and legal firms.

Related: How to know if you're a business associate

Subcontractors

The HITECH Act further extends compliance obligations to subcontractors of business associates. Subcontractors are entities that work with business associates to perform specific functions or services that involve PHI.

What are the main provisions?

1. Meaningful use incentives: The HITECH Act established the concept of "meaningful use" of electronic health records. It provides financial incentives to eligible healthcare professionals and organizations that adopt and effectively use certified EHR systems to improve patient care, coordination, and clinical outcomes.
2. EHR certification program: The law mandates the development of a certification program for EHR technology. The Office of the National Coordinator for Health Information Technology (ONC) oversees this program, ensuring that EHR systems meet standards for functionality, interoperability, and security.
3. Health information exchange (HIE): The HITECH Act encourages the establishment of Health Information Exchanges, which facilitate the secure sharing of electronic health information between healthcare organizations. This promotes care coordination, reduces medical errors, and enhances patient access to their health data.
4. Privacy and security enhancements: These enhancements strengthen the privacy and security protections for electronic health information. It expands the scope of the HIPAA Privacy and Security Rules and introduces new requirements for breach notification, patient consent, and business associate agreements.
5. Penalties for non-compliance: The HITECH Act increased the penalties for HIPAA violations and introduced a tiered system for determining penalty amounts based on the level of culpability. It also established a formal auditing program to ensure compliance with HIPAA regulations.
6. Workforce training and education: The HITECH Act also promotes workforce training and education programs to enhance the skills of healthcare professionals in using health information technology effectively and securely.

Related: What are the penalties for HIPAA violations?

HITECH and HIPAA

The HITECH Act builds upon and modifies certain aspects of HIPAA, particularly in relation to the privacy and security of electronic health information. It enhances privacy protections, expands the definition of HIPAA-covered entities to include business associates, and introduces provisions for breach notification and increased penalties for non-compliance. 

Covered entities and business associates must comply with the HIPAA regulations and the additional provisions introduced by the HITECH Act. This includes implementing appropriate administrative, physical, and technical safeguards to protect PHI, conducting risk assessments, implementing breach notification procedures, and ensuring the secure exchange of health information.

Related: HIPAA Compliant Email: The Definitive Guide