What Is the HITECH Act?

What Is the HITECH Act?

  When you think about technology, does it make you want to throw your computer out of the window? A lot of people can find technology frustrating, but the HITECH Act, which is part of What Is HIPAA Training?, has made health care easier in some ways. You may be wondering, what is the HITECH Act? It's part of HIPAA, and it focuses on using technology and providing care using secure electronic health records. Read on to learn more about for a HITECH summary and how it relates to your work in health care.

HITECH Act History

The Health Information Technology for Economic and Clinical Health Act (HITECH) doesn't have a long history. President Barack Obama signed the act into law early in 2009, and the act has become an important part of health care legislation. HITECH came as part of an economic stimulus package known as the American Recovery and Reinvestment Act (ARRA). The law helped health care organizations switch from using paper records to electronic health records (EHRs). Since then, more health care providers have started using EHRs. That has allowed providers to offer excellent care without having to deal with as much paper. Patients also have more access to their own records and can access them outside of a doctor's appointment.


While the HITECH Act became law in early 2009, health care providers had some time to implement it. The requirements of the act became enforceable at the end of November 2009, so health care providers had plenty of time to prepare. At this point, providers needed to comply with the law or face penalties. Still, the enforcement of HITECH then is not the same as it is today. While a relatively new law, HITECH has good through some changes. The connection of HITECH to HIPAA changed the course of the law. Now, health care providers need to comply with HITECH and HIPAA as one piece of legislation.


In January 2013, the government published the HIPAA Final Omnibus Rule, which combined HIPAA and HITECH. Health care providers had until September of the same year to comply. The combination helped strengthen the privacy and security rules that were already a part of HIPAA. While it has made it harder to comply with HIPAA, that has helped protect patient information and hold health care providers accountable. Today, health care providers need to be in compliance. But the act extends to everyone working in health care settings, even if they don't work with patients directly.

Purposes of the Act

The HITECH Act had multiple goals when it came into being. While its structure has changed since the HIPAA Final Omnibus Rule, it still covers security and privacy when using EHRs and accessing protected health information (PHI). Using EHRs allow providers to access patient data in real-time, so you can view and update records as things change. That is a lot easier than having to copy paper documents and have massive folders for patients. But EHR use isn't the only purpose of HITECH. As you learn about HIPAA, you should consider how the purposes of HITECH fit into the law and how you can comply with every rule.

Expand EHR Use

Before HITECH, many health care facilities couldn't afford to switch to electronic systems. The switch can be expensive and time-consuming, so the act aimed to make the transition easier on providers. HITECH provided a financial incentive to providers who switched. That made switching to EHRs a much easier decision. More providers could now afford to switch over, and it has made managing health records much easier for everyone involved. While EHRs aren't perfect, they allow you to access a patient's medical history and streamline your workflow. Using an EHR can also save physical space once you transfer everything to a digital format, and you can provide patients with their records.

Provide Access to Patients

In the past, providing patients with their medical records was possible but difficult. A health care provider would have to make a copy of the record the patient wanted and give it to the patient securely. Now, EHRs make it easy to transfer electronic copies. Patients can use electronic copies when reporting their health to schools or workplaces. But it can still be expensive for providers to send electronic records, so HITECH does allow providers to charge a fee for the service. As always, you should verify that you are sharing PHI with the right person. That way, you don't violate HIPAA rules and face penalties.

Remove HIPAA Loopholes

While HIPAA has always been a strong act, it did have a small loophole allowing business associates to not comply. It also allowed health care offices to claim they didn't know their associates had to comply with the law. However, HITECH cleared up the language from HIPAA, and now business associates of health care offices must comply with HIPAA. Even if an associate mainly does administrative work, they still need to secure PHI and ensure only authorized users can access it. Removing this loophole has allowed the Department of Health and Human Services (HHS) to hold medical providers accountable for the actions of everyone working there. Now, doctors, accountants, and everyone in between should understand and follow HIPAA.

New HIPAA Rule

HITECH also introduced a new HIPAA rule, known as the Breach Notification Rule. When a covered entity, such as a health care office, has a data breach, the office must notify those affected within 60 days of learning of the breach of PHI. Covered entities must send breach notification letters to patients through first-class mail. The letter should include the nature of the breach and the PHI that was exposed. You should also cover what you're doing to address the breach and what your patients can do. If the breach affects more than 500 people, you have to report the breach to the HHS within 60 days. Large breaches also require a notice to a prominent local media outlet. For breaches that affect fewer than 500 people, you have until the end of the calendar year to report the breach. When a business associate discovers a breach, they have to notify their covered entities and let the entity report the issue to the HHS and affected individuals.

Publication of Breaches

In addition to having to publish large breaches in a local publication, the Office for Civil Rights (OCR) publishes breaches of any size on its website. The list includes the covered entity's or business associate's name and the category of the breach. It will also include the location of the PHI affected and the number of individuals that the breach affected. While it can feel like a shame to be part of the list, it covers every breach, even those you had no control over. Sometimes, you can have a security breach despite doing everything the HIPAA Security Rule requires. All you can do is refresh your knowledge of HIPAA so that you can reduce the risk of future attacks.

Tougher HIPAA Penalties

When a HIPAA violation occurs, HITECH allows for tougher penalties. This can make it even more appealing for all providers and associates to follow HIPAA rules and regulations. HITECH increased the maximum fines for HIPAA violations, and it increased the annual maximum penalty. Individual penalties can now be as high as $250,000, compared to the previous $100 or more, depending on the category. Over the course of a year, repeat and uncorrected violations can result in up to a $1.5 million fine. Before, the maximum was $25,000 per year. The HHS wants to make sure that providers and other covered entities comply with HIPAA, and higher fines are a good way to do it.

HITECH Act Enforcement

The higher penalties allow the HHS to take violations more seriously. While they can opt to waive fines for breaches in which the covered entity had no control, they can give large fines to more serious issues. If someone accesses PHI for personal gain or malicious intent, that person could face higher fines and even jail time. A jail sentence can be up to 10 years if the intent of accessing PHI was to cause harm. Because of this, health care offices should take more precautions. Training health care and medical office staff can help prevent certain violations, and that can help the organization avoid more fees.

Meaningful Use Program

As part of the HITECH Act, the HHS received a $25 billion budget to help reach certain goals. This budget helped find the Meaningful Use Program, which gave monetary rewards to health care providers that switched to certified EHRs. Certified EHRs have met certain standards by an authorized testing and certification body, so they're safe and secure to use. Because implementing such a system can be expensive, the money helped a lot of health care providers make the transition. The program encourages providers to switch to certified EHRs and use them in meaningful ways, like to issue prescriptions or to exchange health information. Now, the program goes by the name Promoting Operability, and it's now part of the Medicare Merit-Based Incentive Payment System (MIPS). It can measure health care quality, cost, and improvement efforts. While it doesn't offer financial rewards, it still encourages health care providers to switch to an easy-to-use electronic system to manage patient records. Consider a few things the program helps with.

Improve Efficiency

EHRs are a more efficient way to track and access patient information. Instead of searching through physical files in a filing cabinet, health care providers can use electronic search tools to find a patient's medical history. Providers can also search more easily within a patient's file, which can be useful for patients with a long medical history. You can discover when a patient received a diagnosis or started treatment. This efficiency can help you save time so that you can focus more on your patients. Then, you can give better care.

Better Coordination of Care

In almost all cases, multiple providers work with the same patients. During an annual visit, a nurse will see the patient first to discuss any issues or complaints for the appointment. The nurse can then note those complaints in the patient's records, and the doctor can easily review them. Then, when the doctor enters the room to see the patient, they can easily find the information they need. That way, the doctor and patient can get right into discussing any questions or concerns. And if a patient has to see a different provider one day, that provider can access the patient's records. They don't have to worry about finding the physical file or worrying where it is.

Ensure Security and Privacy

HIPAA already emphasized the importance of security and privacy. But with HITECH, the Meaningful Use Program helped providers switch to an even more private and secure option. While no security method is immune to breaches, it can be easier to use methods like encryption to protect digital files. You can ensure that only authorized users can access certain patient files. And you can track access to those files, so you can learn when someone may be violating HIPAA and accessing a record when they shouldn't. When using technology, the Security Rule has guidelines you can follow to control access and secure transmission of information. That way, you can make sure PHI stays secure and confidential.

Engage Patients and Caregivers

Technology has also made it easier for health care providers to communicate with patients and their caregivers. You can more easily share patient documents with your patients and authorized third-parties. There's no need to make a photocopy and mail or hand-deliver it to the recipient. As long as you have a certified EHR or another secure system, you can send records instantly. So you can send your patient their test results and let them know if their results are normal. You can also spend more time during appointments with patients since you don't have to spend as much time on administrative tasks. While technology can be frustrating, using an EHR can help simplify and automate parts of your workflow.

Help Population and Public Health

While HIPAA protects PHI in many cases, public health authorities can be an exception. These agencies can collect and receive information to help monitor public health. States can mandate the collection of different metrics, such as cancer or pandemic disease numbers. Having these numbers as part of the public record allows the community to understand what is happening around them. Public health agencies shouldn't reveal identifying information, but they can reveal the number of cases of a certain disease. Using an EHR can make it easier to collect this information from your organization. You can filter for the metric you need, so you can save time searching through every paper record.

Reduce Costs

Another benefit of the Meaningful Use Program was that it helped organizations save money. That allowed more health care providers to use an electronic system without having a huge budget. However, using EHRs can also save on costs over time. You won't have to worry about paying for as much paper or ink. Printer maintenance won't be as important, and you may not need as many printers. While technology can be expensive, the costs go down after that initial expense. While the program no longer offers financial incentives, it does show that the switch can help patients and providers. If you haven't already, you should make the switch to an EHR as soon as possible.

Is HITECH Different From HIPAA?

When learning about HITECH, you may wonder how it differs from HIPAA. HIPAA covers privacy and security for all health records, electronic or not. The HITECH Act is now part of HIPAA, but it focuses on electronic records and the security surrounding them and data breaches. As a health care provider, you need to understand both laws and how they work together. It doesn't matter if you're a provider, an associate, or part of the office staff; you need to follow HIPAA, and so you need to follow HITECH. Even though HITECH is a newer part of HIPAA, it's just as important as the Privacy Rule and the Security Rule. If you don't comply with any part of HIPAA, you could face harsh penalties. As you learn how to comply with HIPAA, you should consider how HITECH has changed the original law.

How HITECH Has Changed HIPAA

HITECH has changed HIPAA in a few ways. While the acts were originally separate, the two have merged. HITECH is a small but vital part of HIPAA, especially as providers rely more and more on technology. Whether you have been in health care for years or are new to the field, you should know how HITECH has affected HIPAA throughout the years. There will probably be more changes to the laws in the future, but the history is important to know. Consider how the history and the current state of HITECH and HIPAA affect how you do your job in health care.

Reverse the Burden of Proof

Before HITECH, the HHS and OCR had to prove that a data breach exposed PHI. Because of this, the burden of proof was on the department to find issues with data breaches. That made it easier for health care organizations to get away with non-compliance, especially if they said they didn't know of the breach. However, the burden is now on health care providers to prove the breach didn't expose PHI. This can be difficult, so it has given way for OCR and HHS to give more penalties for HIPAA violations. But it has also incentivized covered entities to tighten their security procedures. That way, they can mitigate the risk of future data breaches and HIPAA violations. By doing that, entities can save money on violation penalties. Reversing the burden of proof has also allowed OCR and HHS to focus on other tasks. Doing so can help the entire country by focusing more on other activities related to health and health care.

Fewer Investigations that Result in Enforcement

Since the implementation of HITECH, OCR has started to intervene earlier when breaches or HIPAA violations occur. That gives health care organizations more notice and time to take action to resolve the violation or breach. A covered entity can bring in a security team to conduct a risk assessment and patch up any vulnerabilities. Then, they can alter their security procedures to better protect PHI in the future. OCR can also offer technical assistance to covered entities that need it. The assistance can help entities prepare for the future and improve their policies and procedures. While a change in procedures can be difficult, it also means fewer cases get as far into the violation process. That means OCR doesn't have to give as many penalties.

Better Data Collection and Submission

While the switch from the Meaningful Use Program to the Promoting Operability Program meant that organizations didn't have a financial incentive to use EHRs, it still helped. Now, the program focuses on more than just how providers can use EHRs. The program focuses on the interoperability of EHRs, and that helps providers collect and submit data. That can help when tracking diseases or other public health issues. Using an electronic system eliminates the need to copy and scan documents. It also cuts down on the time providers have to spend collecting data if they can search for it electronically.

More Patient Access

Even if patients have to pay to access their electronic records, doing so is a lot easier than asking for a paper copy. This means that patients have more access to their health records, which can help in multiple ways. Of course, if a patient has to see a different provider, they can easily transfer their existing records to the new office. The patient can also obtain their records if they need to prove they've received certain immunizations before starting a job or moving into a college dorm. Giving patients more access to their records can empower them. While they still need you to provide care, it can give them some sense of freedom.

Understanding HITECH

The HITECH Act has encouraged providers to use electronic health records and has encouraged offices to take more security measures. Both of those purposes can help providers offer better care to patients and to keep data more secure. No matter your position, you should understand HITECH and how it fits into HIPAA. That way, you can ensure you follow both sets of regulations when doing your job. Do you need to learn more about HIPPA? Enroll in our HIPAA courses today.