What is the HITECH Act and How Does it Relate to HIPAA?

January 28, 2021
HITECH-ACT

Trying to understand all of the complicated rules and regulations your practice needs to follow can sometimes feel like keeping up with the Joneses – but HIPAA isn’t the only compliance rulebook your practice needs to follow, and other laws (both new and old) impact your practice operations and your HIPAA compliance program – enter the HITECH Act. 

Whether it’s your first time visiting our news page (welcome!) or you’re a regular reader (welcome back!) you might’ve seen last week’s article covering the new HIPAA Safe Harbor bill that offers practices reduced HIPAA fines IF they have reasonable security safeguards already in place before a breach. The bill amends the HITECH Act to incorporate this change, but if you aren’t even sure what the HITECH Act really is, let’s take a step back and cover what the Act means for you and where these new changes come into play. 

The What

The ‘Health Information Technology for Economic and Clinical Health’ Act, or HITECH Act (much easier to say), was signed into law way back in 2009 to essentially promote the implementation of health information technology, specifically the use of electronic health records (EHRs), by healthcare providers. Transitioning from paper to electronic records was (and still is) time-consuming and costly, and the HITECH act provided incentives for making the switch – while also ensuring that healthcare organizations along with their business associates remained in line with HIPAA law as they upgraded their systems. 

The Why

So you might be thinking – well doesn’t HIPAA law already promote the secure usage of EHR’s? You’re right (high five!) but the HITECH Act goes one step further and expands the enforcement and strength of HIPAA regulations related to technical requirements within the HIPAA Privacy and Security Rules. Thanks to the HITECH Act, violation tiers were introduced, increasing financial penalties for HIPAA violations and ultimately giving the Office for Civil Rights (OCR) more money in the bank to go after non-compliant covered entities. 

The HITECH act was also designed to answer questions around how to offer the same HIPAA protections to electronic protected health information (ePHI), not just physical PHI, as practices went digital. This included:

  • Solidifying the HIPAA Breach Notification Rule requiring covered entities to provide prompt notification of any breaches. While this might seem like common sense, according to the latest HIPAA audit industry report, 29% of practices are still missing the mark on this requirement (yikes!).
  • Introducing the legal requirement for business associates to comply with HIPAA, not just covered entities (still super important today, and why those business associate agreements are so essential).
  • Incorporating the requirement for healthcare providers to conduct Security Risk Analyses (SRA’s) in order to be eligible for Meaningful Use (now Quality Payment Program) incentive payments.
  • Adding financial penalties for entities who fail to report a breach of PHI.

Where the HIPAA Safe Harbor Bill Fits In

Fast forward to 2021, and all the same needs the HITECH act was introduced to fill still apply. However, the newly signed HIPAA Safe Harbor Bill helps to reinforce the value of these security measures with the new incentives offered and opportunity for reduced fines – and it’s one of the few pieces of new legislation you should actually feel GOOD about!

So whether it’s HIPAA, HITECH, or the brand new Safe Harbor Bill – understanding and complying with each and every one of their requirements is essential to protecting your patients. 

Still not quite sure about what’s required? Don’t sweat it! Schedule a free consult with one of our HIPAA experts today to ensure you’re up to speed.