Blog

How to Comply with the HITECH Act

HIPAA
June 24, 2020
“HIPAA on steroids” brought dramatic changes to HIPAA Rules by laying out far tougher data security requirements for healthcare organizations as well as their business associates.

How to Comply with the HITECH Act

What is the HITECH Act

HITECH or the Health Information Technology for Economic and Clinical Health Act, was signed into law as part of the American Recovery and Reinvestment Act in 2009 to encourage healthcare organizations to adopt and use Electronic Health Records (EHR). HITECH utilized both a stick and carrot by offering incentives to organizations to adopt EHR Standards as well as penalties for making insufficient usage of EHR.

The HITECH act foresaw the wide expansion of the exchange of electronically protected healthcare information (ePHI) between doctors, clinics, health insurance companies, and other entities that utilize healthcare information. In order to safeguard ePHI in a digitally oriented healthcare system, HITECH also altered the enforcement of HIPAA in several ways:

HITECH strengthened enforcement of the HIPAA Security and Privacy laws by strengthening penalties for breaches.

HITECH mandated security audits of all healthcare providers to be used to investigate and determine whether providers meet minimum standards to be in compliance with the Privacy and Security rules.

Finally, it created a four-tiered system of HIPAA violations. HITECH also allowed organizations and individuals to suffer penalties even if they were unaware of a violation as well as allowing entities to escape penalties if the violations are found to be unavoidable and not due to negligence on the part of the entity and the violations are corrected within 30 days of discovery.

  • First Tier: The covered entity did not know and could not reasonably know of the breach. Generally, these range to $100 to $50,000 per incident up to $1.5 million in penalties.
  • Second Tier: The covered entity knew or by exercising reasonable diligence would have known of the violation, though they did not act with willful neglect.  Fines for the second tier can range from $1,000 up to $50,000 per incident up to $1.5 million.
  • Third Tier: The covered entity “Acted with willful neglect” and corrected the problems with a 30 day period of the breach. Penalties for the third tier can range from $10,00 - $50,000 per incident up to $1.5 million.
  • Fourth Tier: The covered entity acted with willful neglect and failed to make a timely correction. Fines start at $50,000 per incident up to $1.5 Million.
HITECH Act created four tiers of penalties for HIPAA Violations

Additionally, the HITECH act extended the Privacy Rule and Security Rule to apply directly to business associates, such as software providers, billing firms, law firms, and other organizations that help covered entities perform the business and administrative side of their operations, though it was the Omnibus Rule which laid the groundwork for how these rules would be enforced.

Related: What is Protected Health Information.

HITECH Compliance Goals

The overarching goal of HITECH was to encourage and promote the use of secure and portable EHR throughout the United States. In order to achieve this goal, it specified three stages of meaningful use requiring the increasing deployment of EHR along with safeguards to maintain the quality and security of the data.

HITECH required covered entities to undergo HIPAA Compliance training under the standards set by the Security Rule. Additionally, the rule strengthened the Breach notification rule by requiring notification of a PHI breach to all affected parties, regardless of whether the breach could result in harm or not.

As noted above, HITECH expanded HIPAA Compliance requirements.

Best Practices for HITECH and HIPAA Compliance

1: Stay informed. Make sure that employees of your organization are actually knowledgeable of HIPAA, HITECH, and data breach notification laws. How can you ensure they are knowledgeable? Ongoing education and training.

2: Create a security plan. HIPAA requires workplaces to implement various safeguards in order to ensure the security and privacy of PHI. A formal security policy should set in place physical, administrative, and technical safeguards to ensure the privacy, safety, integrity of PHI such as data protection solutions that proactively classify records from unauthorized access or use.

3: Educate your employees, and enforce compliance. Research has demonstrated that employee negligence is the leading risk of a data breach. Security training should be frequent and constantly updated.

4: Limited access to sensitive data. Ensure that PHI can only be accessed by employees who need access to this information for their delegated job responsibilities on an as-needed basis. Furthermore, it is a best practice to be able to log who accesses PHI, when, and what each employee did with the protected data.

5: Perform frequent reviews of your security protocols. Not only is this a requirement of HITECH, but it can also help you identify and eliminate risk prior to a breach actually occurring by correcting vulnerabilities and implementing policies and procedures that can lower your organization risk of a breach.

HITECH is Complex. Accountable makes HITECH Compliance simple

As you can see, The HITECH Act has a lot of moving parts and compliance can feel like it is a moving target.

It’s important to remember that as easy as it is to violate the HITECH act, implementing training and policies to safeguard PHI and your organization from a breach is easier. That is why we created Accountable: a complete solution designed to help you achieve and maintain your organization’s compliance with HITECH. We built it to include you the tools you need to train your employees, manage your vendors, and root out security risks within your organization.

Oh, and it’s free to get started.



More from the Blog

Does HIPAA Apply After Death? Understanding Privacy Rights
HIPAA

Does HIPAA Apply After Death? Understanding Privacy Rights

How To Comply With the HIPAA Security Rule
HIPAA

How To Comply With the HIPAA Security Rule

Common Examples Of Employee HIPAA Violations and How to Avoid Them
Privacy Compliance

Common Examples Of Employee HIPAA Violations and How to Avoid Them

Five Principles of Risk Management
Risk Management

Five Principles of Risk Management

Is Chat GPT HIPAA Compliant?
News & PR

Is Chat GPT HIPAA Compliant?

What You Need to Know About HIPAA Data Encryption
Data Security

What You Need to Know About HIPAA Data Encryption

HIPAA Training: A Must for Healthcare Businesses
HIPAA

HIPAA Training: A Must for Healthcare Businesses

Navigating HIPAA's Privacy Rule: Your Quick Guide to Accounting for Disclosures
HIPAA

Navigating HIPAA's Privacy Rule: Your Quick Guide to Accounting for Disclosures

Compliance Managment Full Hexagon logo

Expert compliance support, on-demand

Accountable Compliance Success Managers are dedicated to making sure your company is fully compliant as we guide you step-by-step through the process of achieving HIPAA compliance.
chevron left
Expert guidance
chevron left
Build trust
chevron left
Dedicated Compliance Success Managers
chevron left
HIPAA Training
chevron left
Decrease risk
chevron left
Close more deals
Get Started Free
Talk To An Expert
schedule accountable demo
Accountable Compliance Management Logo

We make it easy to get your own HIPAA Certification and build trust with your customers and patients.

Product
PlaybooksHow it worksProductPricingWatch DemoSeal of ComplianceGet Support
Solutions
HIPAAGDPR
Resources
BlogHIPAA TrainingHIPAA Risk AnalysisGDPR Risk Analysis
Company
AboutCareersSupportContact UsPrivacy CenterProduct Updates
Account
Sign InForgot Password
star iconstar iconstar iconstar iconstar icon

"Accountable allowed us to quickly establish Core Compliance with HIPAA as well as a firm foundation for our Security Program." - Michael H.

© 2024 Accountable HQ, Inc.
SitemapTerms of ServicePrivacy Policy