The Health Information Technology for Economic and Clinical Health Act (HITECH Act) came into effect in 2009 as part of the American Recovery and Reinvestment Act (ARRA). As HITECH is related to improving efficiency in the healthcare system, it had several modifying effects on HIPAA, which was first enacted in 1996. This causes much confusion between the two acts, though they are distinct and have had different effects on the healthcare industry.
The Obama administration introduced ARRA as an economic stimulus package aimed at creating jobs and mitigating the impact of the 2008 Great Recession. As well as improving infrastructure, ARRA also invested in technological advancements in health and science, which in turn were expected to lead to economic prosperity.
To help spur these advancements, the HITECH Act had five goals (often called the “Five Goals of the US Healthcare System”). These goals were:
- To improve the healthcare system’s efficiency, quality, and safety;
- To allow for greater patient engagement with care;
- To enhance the coordination of care;
- To improve population health;
- To ensure the privacy and security of health records.
The final goal has a clear overlap with HIPAA, the main privacy regulation in the US healthcare space. The HITECH Act strengthened many aspects of HIPAA. For example, before 2009, the HIPAA Security Rule only applied to Covered Entities. The HITECH Act required that all Business Associates also comply with the Security Rule.
The HITECH Act also introduced new penalty structures for HIPAA violations. These tougher penalties were to incentivize compliance with the HIPAA Rules, and any revenue generated funded the Department of Health and Human Services’ Office for Civil Rights’ enforcement of HIPAA.
One of the most consequential aspects of the HITECH Act was encouraging the use of Electronic Health Records (EHRs). This was done by providing financial incentives to help the transition from paper to electronic records. Use of EHRs was limited before 2009, but has increased substantially since the Act was introduced. This makes it easier to share medical records between healthcare organizations, streamlining some operations.
The HITECH Act also brought about the HIPAA Breach Notification Rule. This requires that affected individuals are notified if PHI has been accessed by unauthorized individuals, or if it has been used for unauthorized purposes. Patients must be notified regardless of whether their data was accessed by an external or an internal individual, and if more than 500 individuals are affected, the Department of Health and Human Services must also be notified.
The HITECH Act was amended in 2021 to introduce the HIPAA Safe Harbor Law. This allows the Office for Civil Rights to refrain from enforcing HIPAA in cases where a data breach occurred even though the Covered Entity or Business Associate was HIPAA compliant. Alternatively, if the Office does take enforcement action, it can issue a Corrective Action Plan or reduce the penalties imposed.
Alongside these changes, the HITECH Act also required that patients could access electronic versions of their medical records. To offset the costs that may be associated with this, healthcare organizations were allowed to charge a “reasonable fee” for EHR requests.
Finally, the HITECH Act prevented Covered Entities and Business Associates from using ePHI for marketing purposes without patient authorization. It also gave greater agency to patients by allowing them to rescind any authorizations they had previously given for the use of their PHI. This again underscores the importance that the Act places on patient privacy and security.