Why is the HITECH Act Important?

The HITECH Act (or Health Information Technology for Economic and Clinical Health Act) was passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA) and appeared in ARRA as two separate Titles – Title XIII of Division A (“Health Information Technology”) and Title IV of Division B (“Medicare and Medicaid Health Information Technology; Miscellaneous Medicare Provisions”).

The reason for the HITECH Act appearing under two Titles is that Subtitles A, B, and C of Title XIII outlined a strategic plan for the development of a nationwide health information technology infrastructure; the adoption standards, implementation specifications, and certification criteria for EHRs; and how proposed Regional Extension Centers to support implementation of the plan would be funded.

The carrot for healthcare organizations to support the plan appeared in Title IV of Division B with the Meaningful Use incentive program for Medicare-eligible entities. Title IV also provided incentives for Medicaid-eligible entities in the form of grants for implementing certified EHRs or upgrading existing EHRs. The incentive program and grants were time-limited to accelerate the rate of adoption.

Due to the incentive program and grants being time-limited, adoption was rapid. Prior to the passage of the HITECH Act, only 10% of healthcare organizations used EHR systems. By 2017, more than 90% of healthcare organizations had EHR systems and were putting them to meaningful use. However, despite this positive outcome, the biggest consequence of the HITECH Act was the changes made to HIPAA via Title XIII Subtitle D.

Title XIII Subtitle D – Privacy Provisions

Title XIII Subtitle D of the HITECH Act was given the general title “Privacy”, but the content of this section covers far more than safeguarding the privacy of Protected Health Information created, received, maintained, or transmitted by EHRs and other health information technologies. Among the most significant changes:

• The HITECH Act introduced limitations on the permissible uses and disclosures of PHI – requiring Covered Entities to obtain an individual´s written authorization before using PHI for fundraising or marketing activities.
• The Act also extended individual´s rights inasmuch as individuals can now request an accounting of disclosures (from both Covered Entities and Business Associates) and that copies of PHI are sent to them – or any other authorized person – in an electronic format.
• Business Associates are now required to comply with the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule, and the Polices. Procedures, and Documentation standard (§164.316).
• Business Associates are now also required to comply with the HIPAA Privacy Rule standards relating to the General Rules and Organization Requirements for Uses and Disclosures of Protected Health Information (§164.502 and §164.504).
• Business Associates are now considered directly liable for violations attributable to noncompliance with the above requirements and could be subject to civil and criminal penalties for impermissible uses and disclosures of PHI or breaches of unsecured PHI.
• The scope of Business Associates was extended to include organizations that transmit PHI to, from, or on behalf of a Covered Entity. Such organizations include Health Information Exchange Organizations, E-prescribing Gateways, and vendors of personal health records.
• The definition of unsecured PHI was codified as “Protected Health Information that is not secured by a technology standard that renders Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals.”
• A new Breach Notification Rule was introduced requiring Covered Entities to notify individuals and HHS´ Office for Civil Rights when a breach occurred. Business Associates were instructed to notify the Covered Entity from whom the PHI had been received.
• The HITECH Act defined exceptions to breaches – definitions used by the Department of Health and Human Services (HHS) to produce “probability of harm” criteria for when it may not be necessary to notify the affected individual(s) and HHS´ Office for Civil Rights.
• The Breach Notification Rule stipulates what information should be provided to affected individuals and HHS´ Office for Civil Rights and when breaches of unsecured PHI had to be reported to the media. Timelines were also provided depending on the scale of the breach.
• The Rule applies to all Covered Entities and Business Associates – who are required to develop policies and procedures for the appropriate actions when a breach occurs. Training on the policies and procedures must also be provided to members of the workforce.
• The authority of HHS´ Office for Civil Rights to enforce HIPAA compliance was extended and the agency was instructed to investigate complaints and breaches attributable to willful neglect, impose sanctions where appropriate, and conduct compliance reviews.
• State Attorneys General and the Federal Trade Commission were also given the authority to pursue civil actions against non-compliant organizations depending on whether or the organization is covered by HIPAA (State Attorneys General) or not (Federal Trade Commission).

Privacy Provisions Enacted in Final Omnibus Rule

While the majority of HITECH provisions were enacted in 2011, the privacy provisions were not enacted until 2013 when the Department of Health and Human Services published the Final Omnibus Rule. The Final Omnibus Rule incorporated most of the HITECH privacy provisions into the HIPAA Privacy, Security, and Breach Notification Rules, along with changes attributable to Executive Order 13563 and the Genetic Information Nondiscrimination Act.

Some HITECH privacy provisions incorporated into HIPAA were modified following public and stakeholder comments when the Interim Final Rule was published. These included patients being able to receive copies of their health information maintained on any electronic device (HITECH´s provisions only related to EHRs), and Business Associate accountability being extended to any subcontractors of Business Associates with whom PHI is shared.

The changes to the Privacy, Security, and Breach Notification Rules had significant implications – not only for Covered Entities and Business Associates, but also for patients. To demonstrate how the changes have affected operations in the healthcare industry, the following sections explain separately why the HITECH Act is important to Covered Entities, Business Associates, and patients.

Why is the HITECH Act Important to Covered Entities?

One of the primary objectives of the original HIPAA Act in 1996 was to streamline functions in the healthcare industry to improve efficiency and reduce costs. The Act had been partly successful in achieving its objectives by standardizing health care transactions and code sets but had failed to reach anything close to its full potential because many patient, treatment, and payment records were still maintained on paper.

The HITECH Act kicked the healthcare industry into the digital age by incentivizing healthcare organizations to become more efficient. In its 2016 Report to Congress, the Office of the National Coordinator for Health Information Technology reported “84 percent of academic studies examining health IT functionalities required under the Medicare and Medicaid EHR Incentive Programs had a positive or mixed positive effect on quality, safety, and efficiency of care”.

HITECH´s privacy provisions also encouraged Covered Entities to become HIPAA-compliant. Prior to HITECH and the publication of the Final Omnibus Rule, it was often cheaper to pay any fine issued for non-compliance than it was to invest in compliance. With fines substantially increased, and the risk of secondary fines being imposed by State Attorney generals, it was no longer financially viable for Covered Entities to pretend HIPAA didn´t exist.

Why is the HITECH Act Important to Business Associates?

Why is the HITECH Act important to Business Associates is an easy question to answer when you consider the privacy provisions of Title XIII Subtitle D. Since the publication of the Final Omnibus Rule, Business Associates (and their subcontractors) have had to comply with the majority of the Security Rule, the Privacy Rule´s General Rules and Organization Requirements for Uses and Disclosures of PHI and the Breach Notification Rule.

Undoubtedly this has created a lot of work for Business Associates, and some might consider certain requirements excessive. For example, Business Associates are required to implement a security awareness and training program for all members of the workforce. As a workforce consists of any individual under the control of the Business Associate (i.e., cleaners), this means resources may have to be assigned for training individuals with no access to a workstation.

However, the requirement to enter into a Business Associate Agreement with a Covered Entity before PHI is shared does provide some security against being falsely accused of non-compliance in the event of a data breach due to the negligence of a Covered Entity. Additionally, being able to demonstrate HIPAA compliance via an audit or certification can also contribute towards an increase in business with organizations in the healthcare industry.

Why is the HITECH Act Important to Patients?

There are multiple reasons why HITECH is important to patients – from facilitating faster, better-informed clinical decisions to enabling patients to have more involvement in their healthcare. Improved patients´ rights under HIPAA (via HITECH) enable patients to choose where they obtain healthcare (subject to the terms of their insurance) and smooth the transfer of medical histories from one provider to another – eliminating the necessity for repeat tests.

Beyond the impact HITECH has had on the healthcare experience, the increased enforcement of HIPAA and application of the Privacy and Security Rules to Business Associates mitigates the risk of data breaches. This reduces the likelihood of individually identifiable health information being used to commit identity theft; and – should a breach of unsecured PHI occur – the mandated notification procedures enable patients to take timely measures to mitigate the risk of being a victim of the data breach.

At a holistic level, the digitalization of medical records has driven innovation in the healthcare industry. Data can be collated quickly to be used for immunization reporting, disease surveillance, and in research projects such as Cancer Moonshot. There is also evidence to suggest that the digitalization of medical records reduces physician burnout, which in turn leads to more accurate diagnoses and treatments, and better patient outcomes – primarily thanks to HITECH.

The Implications of HITECH for HIPAA Compliance

The changes to HIPAA introduced via the HITECH Act had significant implications for HIPAA compliance. Although Business Associates were legally required to comply with areas of the Security and Privacy Rules and the entirety of the Breach Notification Rule, Covered Entities were also legally required to conduct due diligence on potential Business Associates prior to disclosing PHI rather than rely on the previous requirement to “seek assurances” of compliance.

Consequently, Covered Entities may be required to establish that Business Associates have implemented the necessary Administrative, Physical, and Technical Safeguards of the Security Rule, have policies in place to limit uses and disclosures of PHI, have procedures in place to respond to individuals´ requests for a copy of PHI or an accounting of disclosures, and have implemented a security and awareness training program that includes training on the Breach Notification Rule.

It is also important for Covered Entities to keep on top of their own HIPAA compliance due to the extended enforcement authority of HHS´ Office for Civil Rights, the greater awareness of privacy rights (by patients and plan members), and the increased penalties for noncompliance. In recent years, penalties have not only been issued for violations of HIPAA that resulted in a data breach, but also for impermissible disclosures and the failure to respond to patient access requests.

The Increased Penalties for Noncompliance

Before HITECH, noncompliance with HIPAA attributable to willful neglect could potentially attract a civil monetary penalty of up to $100 per violation up to a maximum annual limit of $25,000 for each violation type – provided HHS´ Office for Civil Rights could prove a violation had resulted in harm. Due to the low penalties for noncompliance, it was cheaper for Covered Entities to pay fines on the few occasions they were issued rather than go through an expensive compliance process.

The HITECH Act changed that with the introduction of a four-tier penalty structure and increased penalty amounts. Originally, the maximum civil penalties that could be imposed by HHS´ Office for Civil Rights were capped at $1.5 million per violation type; but the maximum penalties per tier have increased over the years due to inflation. Currently (as of 2022) the penalties for noncompliance are:

Level of Culpability	Minimum Penalty per Violation Type	Maximum Penalty per Violation Type	Annual Penalty Limit
Lack of Knowledge	$127	$30.133	$30,133
Lack of Oversight	$1,280	$60,973	$121,946
Willful Neglect	$12,794	$60,973	$304,865
Willful Neglect not Corrected within 30 days	$60,973	$1,919,173	$1,919,173

In addition to the penalties for noncompliance that can be issued by HHS´ Office for Civil Rights, HITECH gave State Attorneys General the authority to bring civil actions against Covered Entities and Business Associates when a citizen of a state is “adversely affected” by a violation of HIPAA. State Attorneys General can impose civil monetary penalties of up to $25,000 per violation type, but there is no cap on the amount of the maximum penalty for multiple violations.

Updates to the HITECH Act Since 2009

In 2018, the Department for Health and Human Services issued a Request for Information asking stakeholders to suggest ways of reducing the administrative burden of complying with HIPAA and for improving data sharing among healthcare providers for better healthcare coordination. Many organizations responded by suggesting immunity from enforcement action in the event of a data breach if it could be demonstrated they had complied with the requirements of the Security Rule.

As a result of the feedback, an amendment to the HITECH Act (HR 7898) was signed by President Trump in 2021 which gives HHS´ Office for Civil Rights the discretion to refrain from enforcement action, mitigate the degree of a penalty for violating HIPAA, or reduce the length of a corrective action plan if an organization can demonstrate compliance with a recognized security framework for at least twelve months prior to a data breach or security-related HIPAA violation.

More recently, in April 2022, the Department for Health and Human Services issued a further Request for Information seeking comments on how best to implement an as yet unenacted provision of the HITECH Act (§13410(c)(3)) which calls on the Department to develop a methodology to “distribute a percentage of civil monetary penalties collected to harmed individuals”. This Request may take time to resolve because there also has to be a method of identifying harmed individuals.

HITECH Act FAQs