4 ways the HITECH Act changed HIPAA Compliance


The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was created to incentivize the implementation of electronic health records (EHR) and supporting technology. This digitization of protected health information stored and transmitted between doctors, hospitals, insurance companies and other entities has driven the efficiency and safety of patient information sharing. Subtitle D of the HITECH Act also expanded the scope of privacy and security protections available under HIPAA compliance by increasing the potential legal liability for non-compliance and providing for more stringent enforcement. Below are four main areas that the HITECH Act specifically addressed:

1. Willful Neglect

HITECH requires the U.S. Department of Health and Human Services (HHS) to investigate breaches and complaints to determine whether an organization is in willful violation of the Privacy and Security mandates, and it requires penalties for “willful neglect.” Willful neglect is broadly defined, but in a nutshell, any failure to present documentation covering all applicable regulatory controls as evidence of continued Privacy and Security compliance at the request of the auditor can be deemed willful neglect.

2. Electronic Health Records Access

The HITECH Act added further patient protections, requiring providers with EHR systems to provide the patient, or their designated third party, with their ePHI in an electronic format upon request, provided that the information is readily producible in that format. HITECH also protected patients from marketing by prohibiting the sale of PHI except in limited circumstances.

3. Business Associates and Business Associate Agreements

The HITECH Act required business associates of HIPAA-covered entities to enter into a business associate agreement (BAA) with those covered entities and to agree not to disclose PHI other than for reasons permitted by the HIPAA Privacy Rule. They were also required to agree to adhere to certain provisions of the HIPAA Security Rule, including the implementation of administrative, physical, and technical controls to safeguard the confidentiality, integrity, and availability of PHI. The definition of business associate was also expanded to include all persons who receive PHI and subcontractors of business associates. Business associates are now directly accountable for HIPAA violations and can be penalized financially for violating the HIPAA Rules. Many smaller healthcare providers today do not have adequate Business Associate Agreements in place to ensure that their service providers are meeting contractual obligations, such as managing adherence to regulatory controls and providing the documentation needed to prove historical compliance.

4. Incident Response

Another main focus of the HITECH Act was breach notification. What do you need to do as a provider when you experience a breach? The HITECH Act tells you what to do, whom to notify, and more. We always think of breaches in the form of getting hacked or some other malicious activity, but breaches due to human error happen all the time. For example, a staff member transposes numbers and accidentally faxes a patient record to Smart Kids Daycare, a letter comes back opened after being mailed to the wrong address, or a phone or tablet is lost. These things happen every day, and the government expects you to have a documented plan of action (an Incident Response Plan) in place and to execute it when they do. The document should define procedures such as what happens immediately upon discovery of a breach, which persons or entities are notified, the recovery plan to be followed if necessary, and the remediation and forensic steps taken after discovery. Was the data on the mobile device protected by AV or EDR, was it encrypted, and can you remotely wipe the device? A historical record of adherence to all applicable controls must be provided to satisfy the HITECH Breach Notification mandates. This is especially important in the event of an incident, and we speak to its importance more in the article about why you shouldn’t ignore HIPAA Compliance.

Contact Us

That was a lot of information to digest, and this was the CliffsNotes version! Though this may have answered some questions for Covered Entities or Business Associates under the specific provisions outlined in the HITECH Act, it may very well have raised a whole lot of others. If you have questions about business associate agreements, incident response plans, or anything related to compliance, visit our website and schedule a consultation. We would be happy to answer any questions.

Mundell Phillips is the CEO and Principal Security Engineer at Nutech Solutions. Prior to Nutech, his work experience includes over 15 years in technical and managerial roles in the private and public information technology and cybersecurity sectors. Mundell has led the design and implementation of several disaster recovery, security and compliance remediation projects for the proverbial alphabet soup of Government agencies (DOD, VA, DOJ, DOT, etc.). He has now committed his knowledge and experience to tailoring those same solutions to local ambulatory services providers and others under regulatory compliance mandates, with a special focus on those serving our underserved communities in the greater DMV.