The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was signed into law as part of the American Recovery and Reinvestment Act (ARRA) in 2009.
The HITECH Act encourages the meaningful use of electronic health records (EHRs) by healthcare providers and their business associates.
Prior to the HITECH Act, healthcare organizations in the United States operated under the Health Insurance Portability and Accountability Act (HIPAA), which was designed to safeguard protected health information (PHI), improve health insurance affordability, and simplify hospital administration.
However, after 13 years in operation, it was obvious that HIPAA had some issues, namely the lack of encouragement to use EHRs and the absence of any real requirement for business associates of covered entities to protect sensitive information. These two issues are what led Congress to pass the HITECH Act in 2009.
The HITECH Act also tried to anticipate risks associated with the exchange of electronic protected health information (ePHI). It did this by introducing stronger enforcement measures for noncompliance with the HIPAA Security Rule and HIPAA Privacy Rule for covered entities and their business associates by mandating security audits of healthcare providers.
These audits determine whether a provider meets the minimum specified standards to be HIPAA compliant.
These stricter measures, along with a few other changes that you can read about below, closed the loopholes that allowed some entities to avoid complying with HIPAA rules.
Today, all healthcare providers and other covered entities must meet HITECH compliance requirements.
How to Comply With HIPAA
To comply with HITECH, you need to understand HIPAA compliance requirements. HIPAA compliance is defined under a set of rules, namely the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Enforcement Rule.
In our opinion, the most important rule to understand is the HIPAA Privacy Rule, which outlines how protected health information (PHI) can be used and disclosed. The other rules are designed to support the Privacy Rule.
We'll outline the rule below but if you need more information, read our full post on the HIPAA Privacy Rule here.
PHI includes information, including demographic data, that relates to:
- An individual's past, present or future physical or mental health or condition
- The provision of health care to the individual
- The past, present or future payment for the provision of health care to the individual
In effect, this means data that can be used to identify an individual, or that there is a reasonable basis to believe could be used to identify an individual. Common identifiers such as name, address, birth date, and Social Security Number therefore fall under PHI.
HIPAA also recognizes that covered entities range from small providers to large, multinational healthcare organizations, and the Privacy Rule therefore builds in flexibility and scalability so that entities can analyze their needs and implement solutions appropriate to their environment, size, and resources.
There are still requirements that all HIPAA covered entities must comply with:
- Privacy policies and procedures: Covered entities must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule
- Privacy personnel: Covered entities must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing information about privacy practices.
- Workforce training and management: All workforce members must be trained on the covered entity's privacy policies and procedures, as necessary and appropriate for them to carry out their functions.
- Mitigation: Covered entities must attempt to mitigate any harmful effect they learn was caused by a use or disclosure of PHI by their workforce or business associates in violation of their privacy policies and procedures or the Privacy Rule.
- Data safeguards: Covered entities must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosures of PHI.
- Data security: Patients have a right to have their PHI protected and secured. Their medical records, medical history, and other relevant information cannot be shared, altered, or destroyed unless in accordance with HIPAA guidelines.
- Complaints: Covered entities must have procedures for individuals to complain about their compliance with their privacy policies and procedures and the Privacy Rule. Among other things, entities must identify where individuals can submit complaints and advise complainants that they can submit their complaints to the Secretary of HHS.
- Retaliation and waiver: Covered entities cannot retaliate against a person for exercising rights provided by the Privacy Rule, for assisting an HHS investigation or other appropriate authority, or for opposing an act or practice that the person believes violates the Privacy Rule.
- Documentation and record retention: Covered entities must maintain, until six years after the later of the date of creation or last effective date, their privacy policies and procedures, their privacy practice notices, the disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
- Risk analysis and management: HIPAA-covered entities must perform a risk analysis on a regular basis as part of their cybersecurity risk management strategy.
What Problems Did HIPAA Have?
While HIPAA regulation laid the groundwork for PHI protection and healthcare improvements, it wasn't comprehensive enough and didn't account for the impact that technology would have on the healthcare system:
- Technological advancement: HIPAA was created in 1996, before EHR systems were in meaningful use in the healthcare industry. The risk and impact of data breaches were lower then, and by 2009 HIPAA was insufficient to regulate electronic privacy and security measures.
- Technical loopholes: Business associates of HIPAA-covered entities were able to avoid many of the intended security requirements due to a technical loophole. This meant the security standards of third-party vendors with access to personal health information were often lower than what HIPAA intended.
- Lenient penalties: Penalties for HIPAA violations weren't strong enough to change the information security standards of many organizations, which preferred to pay the fine.
What are the Objectives of the HITECH Act?
The HITECH Act had four main objectives which are outlined in its four subtitles:
- Subtitle A–Promotion of Health Information Technology: Subtitle A deals with the creation of new electronic healthcare infrastructure, including the adoption of healthcare information in an electronic format. The idea is to create a national standard for healthcare quality, safety, and efficiency. Additionally, it deals with how these standards will be adopted, and how the federal government and private entities will coordinate.
- Subtitle B–Testing of Health Information Technology: Subtitle B deals with who can apply for grants and funding to be part of healthcare information technology research and testing. In short, higher education institutions, nonprofit entities, and federal laboratories.
- Subtitle C–Grants and Loans Funding: Subtitle C outlines how grants and loan funds are used, who ensures funds are properly used, and how standards for health information technologies are met.
- Subtitle D–Privacy: Subtitle D outlines improved security and privacy provisions and the relationship between these and other laws, and deals with covered entities' business associates, who must now be held to the same regulations and standards as HIPAA-covered entities.
In 2006, nearly 9 out of 10 doctors used paper documents to record patient medical history, past treatment, and other healthcare information.
As of 2017, this trend has reversed with nearly 9 out of 10 doctors using some form of electronic health records.
While this was designed to improve patient outcomes and reduce the cost of care, it also introduced significant security risk in the form of data breaches and data leaks. Not only do these security incidents impact patients, but they also impact healthcare organizations. Healthcare has the highest industry average cost of a data breach at $6.45 million.
This is why the HITECH Act introduced mandatory data breach notification requirements and tougher penalties for accidental or willful neglect of compliance requirements.
What are the Six Components of the HITECH Act?
There are six main components of the HITECH Act:
- Meaningful use program
- Business associate HIPAA compliance
- Breach notification rule
- Willful neglect and auditing
- HIPAA compliance updates
- Access to electronic health records
1. Meaningful Use Program
The Meaningful Use Program was created by the Department of Health and Human Services (HHS) to incentivize the adoption of EHRs by compensating healthcare providers for adopting and using them in a meaningful way.
According to the Centers for Disease Control and Prevention (CDC), the concept of meaningful use rests on the five pillars of health outcome policy priorities:
- Improve quality, safety, and efficiency, and reduce health disparities
- Engage patients and families in their health
- Improve care coordination
- Improve population and public health
- Ensure adequate privacy and security protection for personal health information
In practice this means:
- e-Prescribing: Patients can receive and order prescription medicine online.
- Healthcare information exchange: Support sending, receiving and incorporating electronic healthcare information.
- Provider to patient exchange: Provide patients with electronic access to their health information.
- Public health and clinical data exchange: Report to at least two different public health agencies or clinical data registries for any of the following: Immunization Registries Reporting, Electronic Case Reporting, Public Health Registry Reporting, Clinical Data Registry Reporting, or Syndromic Surveillance Reporting.
As of 2017, healthcare providers who do not comply face a 3% reduction in Medicare and Medicaid fees.
2. Business Associate HIPAA Compliance
Under HIPAA, business associates were supposed to have a contractual obligation to comply with HIPAA requirements. However, this was easily circumvented by covered entities, who could claim they didn't know a business associate wasn't compliant.
This meant that PHI handled by business associates could be at risk, as they had no real obligation to comply with privacy or security regulations.
The HITECH Act changed this by introducing strict requirements for business associate agreements that made them liable for violations including:
- Failure to meet information security standards
- Failure to report a data breach
- Retaliating against an individual who files a HIPAA complaint
- Failure to cooperate with a complaint or compliance review
3. Breach Notification Rule
The HITECH Act increased security requirements and penalties for noncompliance in an attempt to mitigate the risk of data breaches. It also introduced mandatory data breach notification requirements under the Breach Notification Rule.
The Breach Notification Rule requires HIPAA covered entities and business associates to provide notification following a breach of unsecured protected health information.
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. It is not considered a breach if it can be demonstrated that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
If a breach has occurred, notification is required. Who must be notified, and how, depends on the number of people impacted.
For breaches affecting fewer than 500 individuals, the covered entity must notify the affected individuals within 60 days with a letter containing:
- A brief description of the breach
- A description of the types of information involved in the breach
- The steps affected individuals can take to protect themselves from potential harm
- A brief description of what the covered entity is doing to investigate the breach, mitigate harm, and prevent further breaches
For breaches involving more than 500 individuals, in addition to the above, covered entities must:
- Notify the Secretary of the HHS without unreasonable delay and in no case later than 60 days following a breach
Finally, for breaches affecting more than 500 individuals in a State or jurisdiction, in addition to the above steps, covered entities must:
- Provide notice to prominent media outlets serving the State or jurisdiction
4. Willful Neglect and Auditing
The HITECH Act also gave the HHS's Office for Civil Rights (OCR) the power to audit HIPAA covered entities and business associates to ensure HIPAA compliance.
Along with the power to audit, they have a tiered violation penalty and fine system:
- Tier A: Penalties for HIPAA violations where the offender didn't realize they violated the Act and would have handled the matter differently if they had. The result is a $100 fine for each violation, and the total imposed for such violations cannot exceed $25,000 for the calendar year.
- Tier B: For violations due to reasonable cause, but not “willful neglect.” The result is a $1,000 penalty for each HIPAA violation, and the fines cannot exceed $100,000 for a calendar year.
- Tier C: For violations due to willful neglect that the organization ultimately corrected. The result is a $10,000 fine for each violation, and fines cannot exceed $250,000 for the calendar year.
- Tier D: For HIPAA violations of willful neglect that the organization did not correct. The result is a $50,000 fine for each violation and the fines cannot exceed $1,500,000 for the calendar year.
The HITECH Act also gives state Attorneys General the power to levy fines and seek attorney fees from covered entities on behalf of victims. Courts also have the ability to award costs.
5. HIPAA Compliance Updates
As noted above, the HITECH Act closed HIPAA loopholes and introduced stricter penalties for noncompliance. Prior to HITECH, fines were smaller and many organizations found it cheaper to ignore HIPAA compliance requirements and simply pay fines rather than invest in security.
The Act has since been expanded by HHS with the HIPAA Omnibus Rule, which made modifications to HIPAA in accordance with guidelines set out in 2009 by the HITECH Act.
These guidelines concern the responsibilities of business associates of covered entities. The omnibus rule also increased penalties for HIPAA compliance violations to a maximum of $1.5 million per incident.
6. Access to Electronic Health Records
Prior to the HITECH Act, the HIPAA Privacy Rule gave patients and health plan members a right of access which allowed them to obtain copies of their health information by formal request.
However, with the introduction of EHRs, HITECH changed the right of access to allow individuals to access their health data in electronic form if desired. This made it easier for individuals to share their health data with other organizations.
What is the OCR Breach Portal?
The HITECH Act called for the HHS's Office for Civil Rights (OCR) to start publishing a summary of healthcare breaches reported by HIPAA covered entities and their business associates.
As of October 2009, OCR publishes breach summaries on its website which include:
- The name of the covered entity or business associate that experienced the breach
- The category of the breach
- The location of breached PHI
- The number of individuals impacted
Best Practices for HITECH Compliance
There are several factors when thinking through HITECH compliance:
- Teach employees and business partners about HITECH requirements to ensure your organization meets the "meaningful use" requirements of EHR, as well as the Privacy and Security Rules.
- Implement an information security program to ensure the confidentiality, availability, and integrity of PHI, such as attack surface management and vendor risk management tools like UpGuard BreachSight and UpGuard Vendor Risk.
- Use the principle of least privilege, access control, and RBAC to ensure that only a limited number of employees and third-party vendors have access to sensitive data, and only on an as-needed basis.
- Review internal policies and procedures to ensure they are in compliance with the HITECH Act by offering adequate protection to PHI and other sensitive information.
- Create a retention policy. A document retention policy outlines the process of identifying, categorizing, maintaining, reviewing, retaining, and destroying documents containing sensitive information.
How UpGuard Can Help With HITECH Compliance
For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls, providing a simple, easy-to-understand cyber security rating, and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
You can read more about what our customers are saying on Gartner reviews.