HITECH Act, Building on HIPAA, Comes with Obligations, a Carrot and a Stick

HIPAA compliance is a core daily activity always on the minds of healthcare professionals, not just the domain of compliance officers. Violations of HIPAA’s privacy and security rules can result in civil and criminal penalties. HIPAA was amended with the HITECH Act, which provides additional protections and penalties for health information and encourages the use of electronic health records.

The HITECH Act of 2009 mandated the digitization of health records and also recognized the privacy risks in its enforcement interim final rule which established four categories of violations that reflect increasing levels of culpability. Compliance failures come with severe repercussions.  In order to assure compliance and prevent breaches read on for the “what, why and how” of the HITECH Act.

What is the HITECH Act and the 2021 Amendment?

While HIPAA ushered in the continuing digitization of healthcare, the Health Information Technology for Economic and Clinical Health (HITECH) Act revealed the growing importance of having a comprehensive IT security program. Enacted as part of the American Recovery and Reinvestment Act of 2009, HITECH added new requirements for HIPAA-covered entities and business associates to secure electronic protected health information (ePHI). It also incentivized healthcare providers to adopt and use electronic health records and established the Office of the National Coordinator for Health Information Technology.

In 2021, an amendment to HITECH was adopted that added a requirement for HIPAA-regulated entities to choose Recognized Security Practices (RSP) best suited to their organization. The purpose of the amendment was to incentivize covered entities to improve their cybersecurity defenses.

The HITECH Amendment recognizes certain “Acceptable Security Practices” that healthcare organizations must implement to protect ePHI. While the National Institute of Standards and Technology (NIST) Cybersecurity Framework is not specifically mentioned in the amendment, the standard provides a comprehensive set of guidelines that can be used to comply with RSPs and HIPAA security regulations.

Why is HITECH ACT compliance critically important

Compliance with HITECH helps secure medical records from hackers intent on selling information on the dark web or engaging in fraudulent billing, or any number of criminal activities. Providers who fail to protect their data face severe penalties, which is broken down into four levels based on culpability. As of 2022, the maximum financial penalty amount is $1.5 million for violations of an identical requirement during a calendar year.

These astonishing penalties can be lowered substantially or even rescinded if the violation is corrected within 30 days or if the violation was not due to willful neglect. Being able to show HIPAA that your organization demonstrated efforts at compliance can help, too.

Mature organizations, in an effort to protect themselves and their patients, are turning to digital compliance tools in order to streamline activities required by HIPAA, the HITECH Act, and other regulations.

How to streamline HITECH Act compliance

Healthcare entities need a holistic and comprehensive approach to build a best-practice IT security program, which is the major thrust behind the HITECH ACT 2021 Amendment.

A digital healthcare compliance platform featuring a built in IT Risk Management program mirroring HHS/OIG best practices can streamline and automate HIPAA and HITECH compliance by:

1. Helping the organization comply with NIST and ISO frameworks
2. Managing vendors, business associates, policies, procedures and incidents
3. Facilitating assessment and audit processes
4. Tracking steps from assessments to completion
5. Monitoring risk scores so users can determine future actions and additional controls needed

A comprehensive platform with IT Risk Management also offers automated record-keeping of authors, reviewers, and revisions, as well as attestations of adherence to policies. All information is organized in one single place. For those accustomed to managing IT risk in spreadsheets, switching to a platform for HIPAA and HITECH compliance is a quantum leap in assurance, auditability and productivity.

Covered entities and business associates must also provide ongoing training to workforce members to ensure they understand their responsibilities regarding ePHI. Healthcare employees are often targeted by cyber criminals who seek ePHI. Common examples include phishing, where an employee is lured into clicking on a link in an email and as a result, the organization becomes the victim of malware, ransomware or mass data exfiltration. Alternatively, criminals use social engineering tactics to trick employees into giving out data, passwords and more. In any case, the data breach must be tracked, managed and likely reported based on HIPAA’s breach notification rule.

Online courses equip employees to recognize suspicious emails and train them on how to handle sensitive data. Employees are also taught processes to follow and actions to take when incidents occur. When everyone in the organization receives comprehensive cybersecurity training, it is another step toward having a best-practice IT security program that meets the requirements and standards set by HIPAA and HITECH.

HIPAA and HITECH compliance simplified

Healthcare organizations understand the criticality of HIPAA requirements, but don’t always know how to navigate the digital shift underway. Manual compliance procedures may work but present terrific risk, are difficult to demonstrate, and do not scale – the risk is too great. The need to adopt agile, SaaS compliance technology has never been more palpable. IT security programs made operational in a healthcare compliance platform streamline your path to meeting with HIPAA and HITECH obligations and enable best practices for managing IT risk.