What Is the HITECH Act?
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is legislation created to facilitate and expedite the adoption of Electronic Health Records (EHR) and the supporting technology in the United States. It was signed into law by President Barack Obama in February 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA) economic stimulus bill.
In addition to stimulating EHR adoption, the HITECH Act was passed to expand data breach notifications further and the protection of Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) and increase the number of penalties for repeated or uncorrected Health Insurance Portability and Accountability Act (HIPAA) violations. In essence, one of the results of the HITECH Act was to give teeth to HIPAA in terms of enforcement of protecting patients’ private data. The HITECH Act established tiers of enforcement and significant penalties for violations of HIPAA rules.
The HITECH Act contains four subtitles.
1. Subtitle A: Promotion of Health Information Technology
- Part 1: Improving Healthcare Quality, Safety, and Efficiency
- Part 2: Application and Use of Adopted Health Information Technology Standards; Reports
2. Subtitle B: Testing of Health Information Technology
3. Subtitle C: Grants and Loans Funding
4. Subtitle D: Privacy
- Part 1: Improved Privacy Provisions and Security Provisions
- Part 2: Relationship to Other Laws; Regulatory References; Effective Date; Reports
Let’s jump in and learn:
The HITECH Act and “Willful Neglect”
In 2013, four years after HIPAA was passed, the Department of Health and Human Services (HHS) released the HIPAA Final Rule. A key objective of the Final Rule was to bolster patient privacy protections and enhance the government’s enforcement of and penalties.
According to the Final Rule, the Secretary of HHS must formally investigate complaints indicating possible violations due to willful neglect. It also gives the Secretary the power to impose civil money penalties if violations due to willful neglect are verified.
| “Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” 45 CFR 160.401 |
The Four Tiers of Penalties Under the HITECH Act
The HITECH Act established four tiers for HIPAA violations and corresponding penalty structures, with two categories for willful neglect.
1. No knowledge
The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision.
2. Reasonable Cause
The violation was due to reasonable cause and not willful neglect.
3. Willful Neglect – Corrected
The violation was due to willful neglect that was corrected in a timely manner (30 days).
4. Willful Neglect – Not Corrected
The violation was due to willful neglect that was not corrected in a timely manner.
| Category | Minimum Penalty | Maximum Penalty | Annual Limit |
| Tier A: No Knowledge | $100 | $50,000 | $25,000 |
| Tier B: Reasonable Cause | $1,000 | $50,000 | $100,000 |
| Tier C: Willful Neglect – Corrected | $10,000 | $50,000 | $250,000 |
| Tier D: Willful Neglect – Not Corrected | $50,000 | $50,000 | $1,500,000 |
Data Breach Notification
The HITECH Act includes a HIPAA rule, known as the Breach Notification Rule. In the event that a Covered Entity or Business Associate suffers a data breach, individuals whose personal information has been exposed or potentially exposed by a security breach must be notified.
The rules for data breach notification are specific. Letters must be sent via first-class mail and should include known information about the breach, the nature of the breach, and the exposed PHI. The letter should also include information about what is being done to address the breach and what steps patients should be taking to follow up.
In terms of timing, if the data breach affects more than 500 people, the breach must be reported to HHS within 60 days and a notice sent to a major local media outlet. For smaller breaches affecting fewer than 500 people, the breach has to be reported by the end of the calendar year.
Business Associates that discover a data breach are required to notify all Covered Entities. It is then the responsibility of the covered entities to handle notifications.
The HITECH Act and “Meaningful Use”
With the HITECH Act, HHS received a $25 billion budget to promote the use of EHR. Called the Meaningful Use Program, the initiative offered monetary rewards to health care providers that moved to certified EHRs. The incentives to switch to certified EHRs changed to penalties after a stipulated period of time for those who failed to demonstrate meaningful use of EHRs.
As it was originally enacted, HITECH stipulated that beginning in 2011, healthcare providers would be offered financial incentives for demonstrating meaningful use of EHRs until 2015, after which time penalties would be levied for failing to demonstrate such use (e.g., issue prescriptions, to exchange health information).
The HITECH Act and Business Associates
As related to HITECH and HIPAA, a Business Associate is a person who performs or assists in performing a function or activity that involves the use or disclosure of PHI on behalf of a Covered Entity (i.e., health plans, health care clearinghouses, and health care providers). Essentially, any entity that is exposed to or works with PHI on behalf of a Covered Entity would qualify as a Business Associate.
The services that business associates provide include:
- Accounting
- Accreditation
- Actuarial
- Administrative
- Billing companies
- Consulting
- Data aggregation
- Data storage
- Financial services
- IT
- Legal
- Management
- Transcription services
In addition, if a service provider deals with PHI related to long-term care, hospital confinement, dental, or vision, they are considered a Business Associate.
The HITECH Act requires Business Associates to comply with the HIPAA Security Privacy Rules for the administrative, physical, and technical safeguards of PHI as well as develop and establish a written data security program. They are also required to report PHI breaches to Covered Entities. Under the HITECH Act, Business Associates are liable for any PHI use or disclosure that does not follow HIPAA rules or agreements.
The HITECH Act and HIPAA
In January 2013, the government published the HIPAA Final Omnibus Rule, which combined HIPAA and the HITECH Act. The combination strengthened the HIPAA privacy and security rules, enacting higher standards for compliance to protect patient information and hold health care providers accountable for misuse and breaches.
The HITECH Act strengthens civil and criminal enforcement of HIPAA rules and establishes four categories of violations with increasing levels of culpability and corresponding fines (The Four Tiers of Penalties under the HITECH Act, as mentioned above) with broader enforcement. Under the HITECH Act, a state attorney general can bring an action on behalf of a state’s residents.
HITECH Strengthens Healthcare System
The HITECH Act helped improve the healthcare system by giving significantly more enforcement power to HIPAA and expediting EHR adoption. The data security protections, which were expanded under the HITECH Act, go a long way to improving the security of patients’ information, while EHRs facilitate communications between providers. With EHRs, information about patients can much more quickly and easily be shared between care teams, resulting in better patient treatment.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 10th March, 2022
