Health Information Technology for Economic and Clinical Health - HITECH Act

HITECH Act Definition

The HITECH Act – or Health Information Technology for Economic and Clinical Health Act – is part of an economic stimulus package introduced during the Obama administration: The American Recovery and Reinvestment Act of 2009 (ARRA). The Act was signed into law by President Barack Obama on February 17, 2009.

What are the Goals of the HITECH Act?

The HITECH Act was created to promote and expand the adoption of health information technology, specifically, the use of electronic health records (EHRs) by healthcare providers.

The Act also removed loopholes in the Health Information Portability and Accountability Act of 1996 (HIPAA) by tightening up the language of HIPAA.

This helped to ensure that business associates of HIPAA covered entities were complying with HIPAA Rules and notifications were sent to affected individuals when health information was compromised.

Tougher penalties for HIPAA compliance failures were also introduced to add an extra incentive for healthcare organizations and their business associates to comply with the HIPAA Privacy and Security Rules.

Why is the HITECH Act Important?

Prior to the introduction of the HITECH Act in 2008, only 10% of hospitals had adopted EHRs. In order to advance healthcare, improve efficiency and care coordination, and make it easier for health information to be shared between different covered entities, electronic health records needed to be adopted.

While many healthcare providers wanted to transition to EHRs from paper records, the cost of making such a change was prohibitively expensive. The HITECH Act introduced incentives to encourage hospitals and other healthcare providers to make the change. Had the Act not been passed, many healthcare providers would still be using paper records. The Act increased the rate of adoption of EHRs from 3.2% in 2008 to 14.2% in 2015. By 2017, 86% of office-based physicians had adopted an EHR and 96% of non-federal acute care hospitals has implemented certified health IT.

The HITECH Act also helped to ensure healthcare organizations and their business associates were complying with the HIPAA Privacy and Security Rules, were implementing safeguards to keep health information private and confidential, restricting uses and disclosures of health information and were honoring their obligation to provide patients with copies of their medical records on request.

The Act did not make compliance with HIPAA mandatory as that was already a requirement, but it did make sure that entities found not to be in compliance could be issued with a substantial fine.

HITECH Act Summary

The HITECH Act encouraged healthcare providers to adopt electronic health records and improved privacy and security protections for healthcare data.

This was achieved through financial incentives for adopting EHRs and increased penalties for violations of the HIPAA Privacy and Security Rules.

The HITECH Act contains four subtitles (A-D). Subtitle A concerns the promotion of health information technology and is split into two parts. Part 1 is concerned with improving healthcare quality, safety, and efficiency. Part 2 is concerned with the application and use of health information technology standards and reports.

Subtitle B covers testing of health information technology, Subtitle C covers grants and loans funding, and Subtitle D covers privacy and security of electronic health information. Subtitle D is also split into two parts. Part 1 is concerned with improving privacy and security of health IT and PHI and part 2 covers the relationship between the HITECH Act and other laws.

HITECH Act Compliance Date

Compliance with the requirements of the HITECH Act became enforceable on November 30, 2009, 12 months following the Act being signed into law. The requirements of HITECH were incorporated into HIPAA in the Final Omnibus Rule, which brought HIPAA and HITECH together into the same legislation. The HIPAA Omnibus Final Rule was published on Jan. 25, 2013 and had a compliance date of September 23, 2013.

The Meaningful Use Program

The Department of Health & Human Services (HHS) was given a budget in excess of $25 billion to achieve its goals. The HHS used some of that budget to fund the Meaningful Use program – A program that incentivized care providers to adopt certified EHRs by offering monetary incentives. Certified EHRs are those that have been certified as meeting defined standards by an authorized testing and certification body.

Certified EHRs had to be used in a meaningful way, such as for issuing electronic prescriptions and for the exchange of electronic health information to improve quality of care. The program aimed to improve coordination of care, improve efficiency, reduce costs, ensure privacy and security, improve population and public health, and engage patients and their caregivers more in their own healthcare.

The financial incentives were significant and increased with each year of the program and new requirements were introduced at each of the three stages of the Meaningful Use program. The failure to meet the requirements of each stage resulted in a financial penalty: A reduction of reimbursements for Medicare and Medicaid.

In order to qualify for federal funds, care providers not only had to adopt EHRs but also demonstrate meaningful use of certified EHRs. They had to demonstrate they had achieved the minimum core objectives in each stage in addition to a set number of menu objectives. It was also necessary to demonstrate compliance with the HIPAA Security and Privacy Rules by conducting risk assessments.

The Legal Requirement for Business Associates to be HIPAA Compliant

When HIPAA was originally passed in 1996, business associates of HIPAA covered entities had a “contractual obligation” to comply with HIPAA. As there was no enforcement of that obligation, and covered entities could avoid sanctions (in the event of a breach of PHI by a business associate) by saying they did not know their business associate was not HIPAA-compliant. Since business associates could not be fined directly for HIPAA violations, many failed to meet the standards demanded by HIPAA and were placing millions of health records at risk.

The HITECH Act applied the HIPAA Security and Privacy Rules to business associates and gave them the same legal requirements to protect PHI, detect breaches, and report violations of HIPAA to their covered entities. Business associates were also subject to mandatory HIPAA audits and civil and criminal penalties could be issued directly to business associates for the failure to comply with HIPAA Rules.

Tougher Penalties for HIPAA Violations

Prior to the introduction of the HITECH Act, as well as covered entities avoiding sanctions by claiming their business associates were unaware that they were violating HIPAA, the sanctions HHS could impose were little more than a slap on the wrist ($100 for each violation up to a maximum fine of $25,000). Tougher penalties were introduced for HIPAA violations and penalties were split into different tiers based on different levels of culpability. The maximum financial penalty for a HIPAA violation was increased to $1.5 million per violation category, per year.

The HITECH Act called for mandatory penalties for HIPAA-covered entities and business associates in cases where there was willful neglect of HIPAA Rules. The HHS was given the authority to determine the level of knowledge that HIPAA Rules were being violated and whether the violations constituted willful neglect of HIPAA Rules.

The consequence of new $1.5 million maximum fine was covered entities and business associates began to take more notice of HIPAA regulations. With such high potential fines, HIPAA compliance could no longer be considered ‘optional’. The penalties could be higher than the cost of complying with HIPAA.

The HSS can retain a proportion of HIPAA penalties to fund its enforcement efforts. With a much-enhanced income source, HHS was able to dedicate more resources to investigating the cause of data breaches and, in 2011, the HHS launched the first phase of its HIPAA compliance audit program. The second phase of ‘desk audits’ – paperwork checks – on covered entities was concluded in 2016, paving the way for a permanent audit program.

The HIPAA Breach Notification Rule

An important change brought about from the introduction of the HITECH Act was the development of a new HIPAA Breach Notification Rule. Under the new Breach Notification Rule, covered entities are required to issue notifications to affected individuals within sixty days of the discovery of a breach of unsecured protected health information.

The breach notification letters to patients must be sent via first class mail and must explain the nature of the breach, the types of protected health information that were exposed or compromised, the steps that are being taken to address the breach, and the actions affected individuals can take to reduce the potential for harm.

Breaches of 500 or more records also need to be reported to the HHS within 60 days of the discovery of a breach, and smaller breaches within 60 days of the end of the calendar year in which the breach occurred. In addition to reporting the breach to the HHS, a notice of a breach of 500 or more records must be provided to a prominent media outlet serving the state or jurisdiction affected by the breach. The Breach Notification Rule also requires business associates to notify their covered entities of a breach or HIPAA violation to allow the covered entity to report the incident to the HHS and arrange for individual notices to be sent.

Creation of the HIPAA Wall of Shame

The HITECH Act also called for the HHS’ Office for Civil Rights to start publishing a summary of healthcare data breaches that had been reported by HIPAA covered entities and their business associates. Starting in October 2009, OCR published breach summaries on its website, which includes the name of the covered entity or business associate that experienced the breach, the category of breach, the location of breached PHI, and the number of individuals affected.

The OCR breach portal earned the nickname ‘The HIPAA Wall of Shame,’ although the name is perhaps a little unfair as many entities listed have suffered breaches of PHI through no fault of their own.

Access to Electronic Health Records

The HIPAA Privacy Rule gave patients and health plan members a right of access and allowed them to obtain copies of their health information by submitting a formal request. Healthcare providers that introduced EHRs were storing health information electronically. HITECH changed the HIPAA right of access to allow individuals to obtain a copy of their health data in electronic format if they so required. This change made it easier for individuals to share their health data with other organizations.

While it should be a relatively quick and easy process to provide electronic health records in electronic format, the reality was somewhat different.

Some electronic health record systems make it difficult for health data to be provided in electronic format. To offset the costs of providing copies of electronic health records, healthcare organizations were permitted to charge a reasonable fee to cover the cost of labor for fulfilling the request.

Uses and Disclosures of Protected Health Information

The HITECH Act also made revisions to permitted uses and disclosures of PHI and tightened up the language of the HIPAA Privacy Rule. Business associates were prevented from using ePHI for marketing purposes without authorization, patients were given the right to revoke any authorizations they had previously given, and new requirements for accounting for disclosures of PHI and maintaining records of disclosures were introduced,including to whom PHI had been disclosed and for what purpose.


How has the enforcement of HIPAA changed since HITECH?

Surprisingly the percentage of investigations resulting in enforcement action more than halved between 2013 and 2020 – the reason being that OCR intervened earlier in the complaints process and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, to resolve the complaints without the need for an investigation.

How did the burden of proof change under the HIPAA Breach Notification Rule?

Prior to HITECH, when a violation of HIPAA occurred the Department of Health and Human Services had to prove the violation had resulted in the unauthorized disclosure of PHI. The Breach Notification Rule reversed the burden of proof so that when a violation of HIPAA occurs the covered entity or business associate has to prove the violation did not result in the unauthorized disclosure of PHI.

How has HITECH evolved in recent years?

In April 2018, CMS renamed the Meaningful Use incentive program as the Promoting Operability program. The change moved the focus of the program beyond

the requirements of Meaningful Use to the interoperability of EHRs in order to improve data collection and submission, and patient access to health information.

Is the Promoting Operability program still incentivized?

The Promoting Operability program now forms part of the Medicare Merit-Based Incentive Payment System (MIPS) which also measures the quality of healthcare services, the cost of healthcare services, and efforts to improve healthcare activities. The Promoting Operability category contributes to 25% of the overall MIPS score.

For more information on the HITECH Act, please visit the HHS website, Health Information Privacy web-page


Last Updated on: Monday, November 02, 2020