HITECH Compliance Checklist

Any business with access to Protected Health Information (PHI) should use a HITECH compliance checklist to help ensure it meets the requirements of the Health Information Technology for Economic and Clinical Health Act, an Act passed in 2009 to encourage the adoption and Meaningful Use of Electronic Health Records (EHRs) and to better protect PHI maintained on, or transmitted between, health IT systems.

The passage of HITECH not only incentivized healthcare providers to adopt health information technology, but also set the ball rolling for a technological revolution in healthcare. Prior to the HITECH Act 2009, the rate of EHR adoption throughout the healthcare industry was just 3.2%. By 2017, 86% of office-based physicians and 96% of non-federal acute care hospitals had adopted EHRs. HITECH also led to the expansion of Health Information Exchanges and facilitated increased innovation in the healthcare industry.

However, the objective to increase adoption of health information technology also raised concerns about the security of healthcare data stored on EHRs and shared between HIPAA Covered Entities and Business Associates. Consequently, HITECH contained a number of regulations that strengthened existing HIPAA privacy and security provisions, expanded the reach of HIPAA to Business Associates, and empowered the HHS' Office for Civil Rights (OCR) to enforce HIPAA more effectively.

The HITECH Act also contained a new Breach Notification Rule which required Covered Entities (and Business Associates via their Covered Entities) to report breaches of unsecured PHI. A parallel rule, enforced by the Federal Trade Commission, applies to vendors of personal health records (PHRs) that are not covered by HIPAA and to their third party service providers. Tougher financial penalties were introduced for businesses that failed to comply with HIPAA and HITECH, either by failing to protect PHI from unauthorized uses and disclosures or by failing to report a breach of unsecured PHI.

What is HITECH Compliance?

In order to answer the question “What is HITECH compliance” it is necessary to take a step back and look at the objectives of HITECH. HITECH was enacted as part of the American Recovery and Reinvestment Act in 2009 with the purpose of encouraging the use of technology in the healthcare industry. Its initial goal was an electronic health record for each person in the United States by 2014 to facilitate the development of a nationwide Health Information Exchange.

In order to encourage the healthcare industry to adopt technology, the Meaningful Use program was developed. This program incentivizes healthcare providers to implement EHRs and similar tools, but concerns were raised about the privacy and security of electronically-stored PHI both at rest and in transit. Consequently, three new measures were introduced:

  • The legal requirement for Business Associates to comply directly with the HIPAA Security Rule and with the applicable provisions of the Privacy Rule, rather than only through their contracts with Covered Entities. It later became necessary for Covered Entities to conduct due diligence on Business Associates.
  • The legal requirement for healthcare providers to conduct HIPAA Security Rule risk assessments in order to be eligible for Meaningful Use incentive payments.
  • The legal requirement for all parties to comply with the Breach Notification Rule. Financial penalties were also introduced for the failure to report a breach of unsecured PHI.

Consequently, all businesses with access to PHI need to ensure they are compliant with the HITECH measures. In practice this means having formal Business Associate Agreements in place whenever PHI is shared between a Covered Entity and a Business Associate (or between a vendor of personal health records and its third party service provider), ensuring Security Rule risk assessments are conducted regularly, and developing policies and procedures to report breaches of unsecured PHI to the HHS' Office for Civil Rights, or to the Federal Trade Commission for breaches that fall outside HIPAA.

HITECH Compliance Checklist

In order to support compliance, all businesses subject to HITECH's regulations should compile a HITECH compliance checklist. The checklist should be based on a series of risk assessments that identify the entity's vulnerabilities and the threats to electronically-stored PHI, regardless of whether the entity is eligible for Meaningful Use incentive payments.

It is also important for a HITECH compliance checklist to include the policies and procedures for attending to patients' right of access requests, especially those relating to accounting of disclosures, as it is important for both Covered Entities and Business Associates to comply with the patients' enhanced rights granted by HITECH.

Furthermore, it is necessary for Covered Entities and Business Associates to integrate the relevant areas of HITECH into their mandatory HIPAA training. This should include an explanation of the Breach Notification Rule, the exclusions to the Rule (i.e. when it is not necessary to report an unauthorized disclosure of PHI), and the financial penalties for failing to report a breach.

One very important change to how breaches are handled, introduced by the Final Omnibus Rule of 2013, is that an impermissible use or disclosure of PHI is now presumed to be a reportable breach unless the Covered Entity or Business Associate can demonstrate that there is a low probability that the PHI has been compromised. That demonstration must take the form of a documented risk assessment considering at least four factors: the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. The earlier "significant risk of harm" standard no longer applies, so the burden of proof sits squarely with the entity that suffered the incident rather than with OCR.

Other Elements of the HITECH Act

Although Subtitle D of the Health Information Technology for Economic and Clinical Health Act was the only element of the Act to relate directly to HIPAA, other elements of the HITECH Act were influential in later amendments to HIPAA, in particular the first three Subtitles, which gave a statutory footing to the Office of the National Coordinator for Health Information Technology (ONC, originally created by executive order in 2004).

ONC was charged with promoting the privacy and security of electronic health information, and HITECH required the National Coordinator to appoint a Chief Privacy Officer for that purpose. The Administrative, Physical and Technical Safeguards of the HIPAA Security Rule themselves predate HITECH (they were published in 2003); what the Final Omnibus Rule of 2013 did was make Business Associates directly liable for complying with those safeguards, in line with HITECH's extension of HIPAA to Business Associates.

The remaining elements of the HITECH Act related to the establishment of the Meaningful Use program and the associated Medicare and Medicaid incentive payments. As mentioned above, these made it necessary for healthcare providers to conduct HIPAA Security Rule risk assessments in order to qualify for the incentives, and they also funded further research on the benefits and risks of information technology in the healthcare industry.

FAQs

Is there a standard HITECH compliance checklist for businesses to use?

Because each business has its own security risks, and its own policies and procedures to mitigate those risks, there is no one-size-fits-all HITECH compliance checklist. Businesses should review the HITECH Act and the changes made to HIPAA via the Final Omnibus Rule and develop their own individual checklists based on the results of a risk analysis.

Why are some breaches reported to OCR and others to the FTC?

The HHS' Office for Civil Rights (OCR) only has jurisdiction to enforce HIPAA-related laws. Consequently, only HIPAA Covered Entities and Business Associates are required to report breaches of unsecured PHI to OCR. Vendors of personal health records (PHRs) that are not Covered Entities or Business Associates, PHR-related entities, and their third party service providers must instead report breaches of unsecured PHR identifiable health information to the Federal Trade Commission (FTC) under the FTC's Health Breach Notification Rule.

What is the burden of proof in the Breach Notification Rule?

Under the Breach Notification Rule, Covered Entities (and Business Associates via their Covered Entities) have the burden of demonstrating that all required notifications have been provided to OCR or that a use or disclosure of unsecured protected health information did not constitute a breach. Also, documentation for all breaches – whether notified or not – has to be retained for six years.

Have there been changes to the HITECH Act since 2009?

Yes. In January 2021, Public Law 116-321 amended the HITECH Act to require HHS to consider, when calculating fines, determining audit results, or agreeing remedies such as Corrective Action Plans, whether a Covered Entity or Business Associate can adequately demonstrate that "recognized security practices" (for example the NIST Cybersecurity Framework, or the approaches developed under section 405(d) of the Cybersecurity Act of 2015) had been in place for at least the previous 12 months. This is a mitigating factor that OCR must take into account; it does not exempt an entity from enforcement or from its breach notification obligations.

Can a Covered Entity be a Business Associate for another Covered Entity?

Yes. A Covered Entity that performs a function or service on behalf of another Covered Entity involving PHI (for example, providing billing, claims processing or IT services to another provider) is a Business Associate of that entity for that activity, and a Business Associate Agreement is required before PHI can be disclosed to it. No agreement is needed when PHI is disclosed to another Covered Entity for the recipient's own treatment, payment or health care operations; the agreement is required for the other activities that "help the Covered Entity carry out its health care functions".