HITECH Compliance Checklist
Any businesses subject to HIPAA compliance are advised to use a HITECH compliance checklist to help ensure they meet the requirements of the Health Information Technology for Economic and Clinical Health Act – an Act passed in 2009 to facilitate the adoption and Meaningful Use of EHRs and to better protect PHI maintained on, or transmitted between, health IT systems.
The passage of HITECH not only incentivized healthcare providers to adopt health information technology, but also set the ball rolling for a technological revolution in healthcare. Prior to the HITECH Act 2009, the rate of EHR adoption throughout the healthcare industry was just 3.2%. By 2017, 86% of office-based physicians and 96% of non-federal acute care hospitals had adopted EHRs. HITECH also led to the expansion of Health Information Exchanges and facilitated innovation in the healthcare industry.
However, the objective to increase adoption of health information technology also raised concerns about the security of healthcare data stored on EHRs and shared between HIPAA covered entities and business associates. HITECH contains a number of provisions that strengthen existing HIPAA privacy and security standards, expand the reach of HIPAA to business associates, and empower the HHS' Office for Civil Rights (OCR) to enforce HIPAA more effectively.
Among the changes to the privacy standards, patients' rights were extended so they could request electronic copies of PHI maintained in designated record sets, request an accounting of disclosures, and request restrictions on certain disclosures (for example, restricting a disclosure to a health plan when treatment has been paid for privately). These changes, and new restrictions on the sale of PHI and the use of PHI for fundraising and marketing, were introduced via the Final Omnibus Rule in 2013.
The HITECH Act also contained a new Breach Notification Rule which requires covered entities (and business associates via covered entities) to report breaches of unsecured PHI. This Rule also applies to vendors of personal health records and their third party service providers. Tougher financial penalties were introduced for businesses that failed to comply with HIPAA and HITECH – either by failing to protect PHI from unauthorized uses and disclosures or by failing to report a breach of unsecured PHI.
What is HITECH Compliance?
In order to answer the question “What is HITECH compliance” it is necessary to take a step back and look at the objectives of HITECH. HITECH was enacted as part of the American Recovery and Reinvestment Act in 2009 with the purpose of encouraging the use of technology in the healthcare industry. Its initial goal was an electronic health record for each person in the United States by 2014 to facilitate the development of a nationwide Health Information Exchange.
In order to encourage the healthcare industry to adopt technology, the Meaningful Use program was developed. This program incentivizes healthcare providers to implement EHRs and similar tools, but concerns were raised about the integrity of electronically-stored PHI while it was at rest and while in transit. To address these concerns three new measures were introduced:
- The legal requirement for business associates to comply with HIPAA. It later became necessary for covered entities to conduct due diligence on business associates.
- The legal requirement for healthcare providers to conduct HIPAA Security Rule risk assessments in order to be eligible for Meaningful Use incentive payments.
- The legal requirement for all parties to comply with the Breach Notification Rule. Financial penalties were also introduced for the failure to report a breach of unsecured PHI.
All businesses with access to PHI need to ensure they are compliant with the HITECH measures by having formal Business Associate Agreements in place when PHI is shared between a covered entity and a business associate – or between a vendor of personal health records and their third party service provider – ensuring Security Rule risk assessments are conducted regularly, and developing policies and procedures to report breaches of unsecured PHI to the HHS' Office for Civil Rights or to the Federal Trade Commission (for non-HIPAA breaches).
HITECH Compliance Checklist
In order to support compliance, all businesses subject to HITECH's regulations should compile a HITECH compliance checklist. The HITECH compliance checklist should be based on a series of risk assessments to determine the entity's vulnerabilities and the threats to electronically-stored PHI, regardless of whether the entity is eligible for Meaningful Use incentive payments.
It is also important for a HITECH compliance checklist to include the policies and procedures for attending to patients' right of access requests – especially those relating to accounting of disclosures – as it is important for both covered entities and business associates to comply with the patients' enhanced rights granted by HITECH.
In addition, it is necessary for covered entities and business associates to integrate the relevant areas of HITECH into their mandatory HIPAA training. This should include an explanation of the Breach Notification Rule, the exclusions to the Rule (i.e. when it is not necessary to report an unauthorized disclosure of PHI), and the financial penalties for failing to report a breach.
One very important change to how breaches are handled is that OCR no longer has the burden of proving that a breach of PHI has occurred following an unauthorized disclosure. A breach is presumed to have occurred unless the covered entity or business associate can demonstrate that there is a low probability that the disclosed PHI has been compromised.
FAQs
Is there a standard HITECH compliance checklist for businesses to use?
Because each business has its own security risks – and its own policies and procedures to mitigate those risks – there is no one-size-fits-all HITECH compliance checklist. Businesses should review the HITECH Act and the changes made to HIPAA via the Final Omnibus Rule and develop their own individual checklists based on the results of a risk analysis.
Why are some breaches reported to OCR and others to the FTC?
The HHS' Office for Civil Rights (OCR) only has the authority to enforce HIPAA-related laws, and only HIPAA-covered entities and business associates are required to report breaches of unsecured PHI to OCR. All other businesses – such as PHR vendors and their third party service providers – must report breaches of unsecured PHI to the Federal Trade Commission (FTC).
What is the burden of proof in the Breach Notification Rule?
Under the Breach Notification Rule, covered entities (and business associates via covered entities) have the burden of demonstrating that all required notifications have been provided to OCR or that a use or disclosure of unsecured protected health information did not constitute a breach. Also, documentation for all breaches – whether notified or not – has to be retained for six years.
Have there been changes to the HITECH Act since 2009?
Yes. In 2021, an amendment to the HITECH Act enabled the HHS' Office for Civil Rights to use its discretion in issuing fines and enforcing Corrective Action Plans if a data breach occurred despite a covered entity or business associate implementing a recognized security framework compatible with the provisions of the HIPAA Security Rule.
Can a covered entity be a business associate for another covered entity?
Covered entities can disclose PHI to other covered entities without a Business Associate Agreement for healthcare, payments, and operations purposes. For all other purposes that “help the covered entity carry out its health care functions” a Business Associate Agreement is required before PHI can be disclosed to another covered entity.