What is the HITECH Act?

HITECH Act Definition

The HITECH Act of 2009, or Health Information Technology for Economic and Clinical Health Act, is part of the American Recovery and Reinvestment Act (ARRA) – an economic stimulus package introduced during the Obama administration.

ARRA had the objectives of promoting economic recovery by preserving and creating jobs, assisting those most impacted by the recession, investing in infrastructure such as transportation and environmental protection that would provide long-term benefits, and stabilizing state and local government budgets.

A further objective helps define the purpose of the HITECH Act of 2009 – to provide investments needed to increase economic efficiency by spurring technological advances in science and health. To reach its objective, the HITECH Act had five goals.

What are the Goals of the HITECH Act?

The five HITECH Act goals have been described as the five goals of the US healthcare system – improve quality, safety, and efficiency; engage patients in their care; increase coordination of care; improve the health status of the population; and ensure privacy and security.

Please see the HIPAA Journal Privacy Policy

To achieve these goals, HITECH incentivized the adoption and use of health information technology, enabled patients to take a proactive interest in their health, paved the way for the expansion of Health Information Exchanges, and strengthened the privacy and security provisions of the Health Information Portability and Accountability Act of 1996 (HIPAA).

HITECH strengthened HIPAA in a number of ways. Most importantly, the reach of the HIPAA Security Rule was extended to Business Associates of Covered Entities, who also had to comply with the documentation requirements of the Privacy Rule and the new Breach Notification Rule (explained below).

Tougher penalties for HIPAA compliance failures were also introduced to add an extra incentive for healthcare organizations and their business associates to comply with the HIPAA Privacy and Security Rules and to fund increased enforcement action by the Department of Health and Human Services Office for Civil Rights.

Why is the HITECH Act Important?

Prior to the introduction of the HITECH Act in 2008, only 10% of hospitals had adopted EHRs. In order to advance healthcare, improve efficiency and care coordination, and make it easier for health information to be shared between Covered Entities, there needed to be an increase in EHR adoption and use.

While many healthcare providers wanted to transition to EHRs from paper records, the cost was prohibitively expensive. The HITECH Act introduced incentives to encourage hospitals and other healthcare providers to make the change. Had the Act not been passed, many healthcare providers would still be using paper records.

Please see the HIPAA Journal Privacy Policy

The HITECH Act also helped to ensure healthcare organizations and their business associates were complying with the HIPAA Privacy and Security Rules, were implementing safeguards to keep health information private and confidential, restricting uses and disclosures of health information and were honoring their obligation to provide patients with copies of their medical records on request.

The Act did not make compliance with HIPAA mandatory as that was already a requirement, but it introduced a new requirement for Covered Entities and Business Associates to report data breaches – which ultimately enabled the Department of Human Services´ Office for Civil Rights to step up enforcement action against non-compliant organizations.

HITECH Act Summary

The HITECH Act encouraged healthcare providers to adopt electronic health records and improve privacy and security protections for healthcare data. This was achieved through financial incentives for adopting EHRs and increased penalties for violations of the HIPAA Privacy and Security Rules.

The HITECH Act contains four subtitles (A-D). Subtitle A concerns the promotion of health information technology and is split into two parts. Part 1 is concerned with improving healthcare quality, safety, and efficiency. Part 2 is concerned with the application and use of health information technology standards and reports.

Subtitle B covers testing of health information technology, Subtitle C covers grants and loans funding, and Subtitle D covers privacy and security of electronic health information. Subtitle D is also split into two parts. Part 1 is concerned with improving privacy and security of health IT and PHI and part 2 covers the relationship between the HITECH Act and other laws.

HITECH Act Compliance Date

The HITECH Act introduced a number of challenges for Covered Entities, Business Associates, and enforcement agencies such HHS´ Office for Civil Rights and the Federal Trade Commission – which, under HITECH, was required to issue companion breach notification regulations for vendors of personal health apps and other organizations not covered by HIPAA.

Consequently, the compliance dates for HITECH were staggered. Some HITECH Act provisions – such as the authority for State Attorney generals to bring a civil action – were effective upon enactment (February 2009), while other provisions had effective dates 60 and 180 days after the passage of HITECH or by the end of the year.

The requirement for Business Associates to comply with HIPAA was scheduled to take effect in February 2010; but, as with many provisions of Subtitle D, some HITECH Act compliance dates were delayed until the publication of the HIPAA Final Omnibus Rule in 2013. Consequently, there is no single HITECH Act compliance date.

The Meaningful Use Program

The Department of Health & Human Services (HHS) was given a budget in excess of $25 billion to achieve the goals of the HITECH Act. The HHS used some of that budget to fund the Meaningful Use program – a program that incentivized care providers to adopt certified EHRs by offering monetary incentives. Certified EHRs are those that have been certified as meeting defined standards by an authorized testing and certification body.

Certified EHRs had to be used in a meaningful way, such as for issuing electronic prescriptions and for the exchange of electronic health information to improve quality of care. The program aimed to improve coordination of care, improve efficiency, reduce costs, ensure privacy and security, improve population and public health, and engage patients and their caregivers more in their own healthcare.

The financial incentives were initially significant and increased with each year of the program as new requirements were introduced at each of the three stages of the Meaningful Use program. However, from 2015 onwards, Medicare-eligible professionals that did not comply with the HITECH EHR requirements saw the reimbursement of Medicare claims penalized by 1%. In 2017, the penalty for failing to demonstrate the adoption and use of a certified EHR increased to 3%.

How the HITECH Act of 2009 Forced Business Associates to be HIPAA Compliant

Under the original HIPAA Privacy and Security Rules, Business Associates of HIPAA Covered Entities had a “contractual obligation” to comply with HIPAA.  Prior to the HITECH Act of 2009, there was no enforcement of that obligation, and Covered Entities could avoid sanctions in the event of a breach of PHI by a Business Associate by claiming they did not know the Business Associate was not HIPAA-compliant. Since Business Associates could not be fined directly for HIPAA violations, many failed to meet the standards demanded by HIPAA and were placing millions of health records at risk.

The HITECH Act of 2009 applied the HIPAA Security and Privacy Rules to Business Associates and made them directly liable for their own compliance with HIPAA. Business Associates now had to sign a Business Associate Agreement with the Covered Entity on whose behalf they were processing PHI and had the same legal requirements as the Covered Entity to protect PHI and prevent data breaches. Business Associates were also required to report data breaches to their Covered Entities.

The HIPAA Final Omnibus Rule of 2013 took Business Associates´ compliance requirements a stage further. Following the enactment of the Final Omnibus Rule, Business Associates were also subject to HIPAA audits and civil and criminal penalties could be issued directly to Business Associates for the failure to comply with HIPAA Rules regardless of whether a data breach had occurred or not.

Tougher Penalties for HIPAA Violations

Prior to the introduction of the HITECH Act, as well as Covered Entities avoiding sanctions by claiming their Business Associates were unaware that they were violating HIPAA, the financial penalties HHS´ Office for Civil Rights could impose were little more than a slap on the wrist ($100 for each violation up to a maximum fine of $25,000).

Tougher penalties were introduced for HIPAA violations in the HITECH Act and the penalties were split into different tiers based on different levels of culpability. The maximum financial penalty for a HIPAA violation was increased to $1.5 million per violation category, per year. Since 2016, HIPAA violation fines have been adjusted annually to account for inflation; and, of 2022, the maximum financial penalty per violation is now $1,806,757.

Penalty Tier Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Annual Penalty Limit
Tier 1 Lack of Knowledge $120 $30,113 $30,133
Tier 2 Reasonable Cause $1,205 $60,226 $120,452
Tier 3 Willful Neglect $12,045 $60,226 $301,130
Tier 4 Willful Neglect not Corrected within 30 days $60,226 $1,806757 $1,806,757

The HSS can retain a proportion of HIPAA penalties to fund its enforcement efforts. With a much-enhanced income source, HHS was able to dedicate more resources to investigating the cause of data breaches and, in 2011, the HHS launched the first phase of its HIPAA compliance audit program. The second phase of ‘desk audits’ – paperwork checks – on covered entities was concluded in 2016, paving the way for a permanent audit program.

Amendment to HITECH Act 2021

In 2018, the Department for Health and Human services published a Request for Information with the objectives of exploring ways to reduce the administrative burden of HIPAA compliance and improve data sharing for better healthcare coordination. Many Covered Entities and Business Associates responded by requesting a safe harbor from enforcement action in the event of a data breach if they had complied with the safeguards of the Security Rule.

As a result of the responses, an amendment to the HITECH Act in 2021 (also known as the HIPAA Safe Harbor law) gives the HHS´ Office for Civil Rights the discretion to refrain from enforcement action, mitigate the degree of a penalty for violating HIPAA, or reduce the length of a Corrective Action Plan if the negligent party has implemented a recognized security framework and operated it for twelve months prior to a data breach or other security-related HIPAA violation.

The HIPAA Breach Notification Rule

An important change brought about from the introduction of the HITECH Act was the development of a new HIPAA Breach Notification Rule. Under the new Breach Notification Rule, Covered Entities are required to issue notifications to affected individuals within sixty days of the discovery of a breach of unsecured protected health information. The definition of “unsecured” was also clarified.

The breach notification letters to patients must be sent via first class mail and must explain the nature of the breach, the types of protected health information that were exposed or compromised, the steps that are being taken to address the breach, and the actions affected individuals can take to reduce the potential for harm.

Breaches of 500 or more records must also be reported to the HHS within 60 days of the discovery of a breach, and smaller breaches within 60 days of the end of the calendar year in which the breach occurred. In addition to reporting the breach to the HHS, a notice of a breach of 500 or more records must be provided to a prominent media outlet serving the state or jurisdiction affected by the breach.

The Breach Notification Rule also requires Business Associates to notify their Covered Entities of a breach or HIPAA violation to allow the Covered Entity to report the incident to the HHS and arrange for individual notices to be sent.

Creation of the HIPAA Wall of Shame

The HITECH Act also called for the HHS’ Office for Civil Rights to start publishing a summary of healthcare data breaches that had been reported by HIPAA Covered Entities and their Business Associates. Starting in October 2009, OCR published breach summaries on its website, which includes the name of the Covered Entity or Business Associate that experienced the breach, the category of breach, the location of breached PHI, and the number of individuals affected.

The OCR breach portal earned the nickname ‘The HIPAA Wall of Shame,’ although the name is perhaps a little unfair as many entities listed have suffered breaches of PHI through no fault of their own.

Access to Electronic Health Records

The HIPAA Privacy Rule gave patients and health plan members a right of access and allowed them to obtain copies of their health information by submitting a formal request. HITECH changed the HIPAA right of access to allow individuals to obtain a copy of their health data in electronic format if they so required. This change made it easier for individuals to share their health data with other healthcare providers.

While it should be a relatively quick and easy process to provide electronic health records in electronic format, the reality was somewhat different. Some electronic health record systems make it difficult for health data to be provided in electronic format. To offset the costs of providing copies of electronic health records, healthcare organizations were permitted to charge a reasonable fee to cover the cost of labor for fulfilling the request.

Uses and Disclosures of Protected Health Information

The HITECH Act also made revisions to permitted uses and disclosures of PHI and tightened up the language of the HIPAA Privacy Rule. Business Associates were prevented from using ePHI for marketing purposes without authorization, patients were given the right to revoke any authorizations they had previously given, and new requirements for accounting for disclosures of PHI and maintaining records of disclosures were introduced, including to whom PHI had been disclosed and for what purpose.

FAQs

How has the enforcement of HIPAA changed since the HITECH Act of 2009?

Surprisingly the percentage of investigations resulting in enforcement action more than halved between 2013 and 2020 – the reason being that OCR intervened earlier in the complaints process and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, to resolve the complaints without the need for an investigation.,

How did the burden of proof change under the HIPAA Breach Notification Rule?

Prior to HITECH, when a violation of HIPAA occurred the Department of Health and Human Services had to prove the violation had resulted in the unauthorized disclosure of PHI. The Breach Notification Rule reversed the burden of proof so that when a violation of HIPAA occurs the covered entity or business associate has to prove the violation did not result in the unauthorized disclosure of PHI.,

How has HITECH evolved in recent years?

In April 2018, CMS renamed the Meaningful Use incentive program as the Promoting Operability program. The change moved the focus of the program beyond the requirements of Meaningful Use to the interoperability of EHRs in order to improve data collection and submission, and patient access to health information.,

Is the Promoting Operability program still incentivized?

The Promoting Operability program now forms part of the Medicare Merit-Based Incentive Payment System (MIPS) which also measures the quality of healthcare services, the cost of healthcare services, and efforts to improve healthcare activities. The Promoting Operability category contributes to 25% of the overall MIPS score.

How do the Affordable Care Act and HITECH work together?

The provisions of the HITECH Act that led to more efficient and secure information sharing enabled the expansion of state-run Health Information Exchanges (HIEs) as mandated by the Affordable Care Act. Originally, HIEs were intended to give consumers access to low-cost health insurance and Medicaid. They now also support the provision of coordinated care between providers.

What is HITECH in healthcare?

HITECH in healthcare can mean different things to different people depending on their place in the healthcare ecosystem. For example, for HIPAA Covered Entities, HITECH incentivized the adoption of EHRs. For Business Associates, HITECH in healthcare means they have to comply with the HIPAA Security Rule when working with PHI on behalf of a Covered Entity, while for patients, HITECH in healthcare has mitigated the risk of a data breach and driven innovation in the healthcare industry.

Why was HITECH implemented and what were its results?

Primarily, HITECH was implemented to modernize the healthcare industry and make it more efficient while remaining secure. In terms of results, the Act increased the rate of EHR adoption throughout the healthcare industry from 3.2% in 2008 to 14.2% in 2015. By 2017, 86% of office-based physicians and 96% of non-federal acute care hospitals had adopted EHRs.

What did the HITECH Act do?

The HITECH Act revolutionized the way many healthcare facilities create, use, share, and maintain healthcare data. It made the health service more efficient, improved patient safety, and resulted in better patient outcomes according to a 2016 report to Congress by the National Coordinator for Health Information Technology.

What are the major components of the HITECH Act?

The major components of the HITECH Act are the Meaningful Use program and the provisions that were subsequently integrated into HIPAA. While the first component incentivized the adoption of health information technology, the second component encouraged Covered Entities and Business Associates to use the technology securely.

What is HITECH compliance?

The term HITECH compliance relates to complying with the provisions of HITECH that amended the HIPAA Privacy and Security Rules and complying with the Breach Notification Rule that was implemented as a direct result of HITECH. Consequently, a HITECH violation is also a HIPAA violation – which can result in an OCR investigation, fine, and/or Corrective Order Plan being issued.

How did the HITECH Act modify HIPAA with regards to reporting data breaches?

HITECH introduced the Breach Notification Rule which mandated Covered Entities and Business Associates to report data breaches. Prior to HITECH, HHS´ Office for Civil Rights (OCR) most commonly learned about data breaches via patient complaints. Even then, OCR had to prove harm had occurred due to non-compliance with HIPAA, whereas now the Covered Entities and Business Associates have the burden of proof to show harm has not occurred if not reporting a breach.

With HITECH, what other things were added to HIPAA?

Other than the Breach Notification Rule, the primary measures added to HIPAA by HITECH included strengthened privacy and security provisions, the application of enforcement measures to Business Associates, and a new patient right to obtain an accounting of disclosures so individuals can see who their PHI has been disclosed to and why.

What is the HITECH Act in HIPAA?

It is important to be aware that the HITECH Act and HIPAA are two completely separate and independent laws. However, because some provisions of HITECH strengthened existing HIPAA standards and mandated breach notifications, HITECH is often (incorrectly) regarded as part of HIPAA. You can find out more about the relationship between the two Acts in this article.

What are the subtitles of HITECH?

There are 4 HITECH subtitles:

  • Subtitle A – Promotion of Health Information Technology
  • Subtitle B – Testing of Health Information Technology
  • Subtitle C – Grants and Loans Funding
  • Subtitle D – Privacy

What does the acronym HITECH stand for?

The acronym HITECH stands for Health Information Technology for Economic and Clinical Health. The content of the Act appears in two areas of ARRA – Division A Title XIII (Health Information Technology) and Division B Title IV (Medicare and Medicaid Health Information Technology; Miscellaneous Medicare provisions).

When was HITECH enacted?

Although some provisions were enacted at the time the HITECH Act was passed, the majority of the HITECH regulations were enacted in 2011. However, many HITECH regulations contained in Subtitle D (“Privacy”) were not enacted until 2013 when the Department of Health and Human Services published the HIPAA Final Omnibus Rule. A few provisions remain (for example 42 USC 17939 (c)(2) and (3)) that have still not been enacted.