What is the HITECH Act?

by Kapua Iao

Graphic of electronic health record on tablet.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of medical patients. Since its enactment, the U.S. Department of Health and Human Services (HHS) has established various additions and amendments that ensure even more protections and responsibilities.

RELATED: HIPAA Stands For . . .

In this post, we’ll take a closer look at HITECH, the Health Information Technology for Economic and Clinical Health Act of 2009.

Together, HIPAA and HITECH establish federal standards on the defense of protected health information (PHI). Covered entities and business associates must follow all requirements regarding PHI, individual rights, and administrative responsibilities.

So what is HITECH and how does it relate to HIPAA? And how can Paubox Email Suite and HIPAA compliant email strengthen a healthcare provider’s HIPAA compliance?

A HIPAA review

HIPAA is intended to improve healthcare standards and combat PHI fraud and abuse.

SEE ALSOWhat is HIPAA? Or is it HIPPA?

The Act is regulated and enforced by HHS’s Office for Civil Rights (OCR) and consists of five sections (or titles). Most commonly referenced is Title II, which sets the policies and procedures for safeguarding PHI and includes several later rules:

Generally, HIPAA asserts that covered entities must make a concerted effort to prevent data breaches and protect patients’ PHI or face an OCR investigation and possible HIPAA violation.

RELATED: Understanding and Implementing HIPAA Rules

The latest addition to HIPAA is the HITECH Act and two corresponding rules: Breach Notification (2009) and Omnibus Final (2013).

What is HITECH?

The HITECH Act is part of the American Recovery and Reinvestment Act (ARRA) of 2009. ARRA is intended to support job growth in various public sectors, including healthcare.

HITECH supports two general initiatives: 1) promoting the adoption and meaningful use of electronic health records (EHR) and cybersecurity measures, and 2) acting as further support for OCR and HIPAA.

Technology adoption

HITECH set aside funds to create a nationwide EHR network, offering monetary incentives to healthcare providers that adopt new technologies.

Since 2009, researchers have demonstrated that there was an increase in EHR adoption, though experts are still watching the growth rate to understand why.

A 2020 HITECH amendment provides a different type of incentive to covered entities that adopt “recognized cybersecurity practices” related to monitoring, auditing, and risk management policies and procedures.

The new incentive allows for some leniency toward breached healthcare providers that prove their compliance to specific cybersecurity practices for at least one year prior.

RELATED: HIPAA Amendment Incentivizes Cybersecurity Best Practices

HIPAA and HITECH

There are several key parts to HITECH that relate directly to HIPAA.

First, it strengthens OCR’s civil and criminal enforcement of HIPAA rules. HITECH establishes four categories of violations with increasing levels of culpability and corresponding fines (max penalty, $1.5 million).

Under this provision, OCR must publicly publish a summary of reported breaches (unofficially called the Wall of Shame) for greater access and transparency. Finally, HITECH allows OCR to perform periodic audits on healthcare providers to ensure compliance.

Second, HITECH requires healthcare providers to notify OCR and all affected individuals of any unauthorized uses and disclosures. What and when to report depends on the breach size; those that affect more than 500 individuals are shared publicly on the Wall of Shame.

RELATED: What to Do After You Violate HIPAA

Third, the Act obliges business associates to comply with the Security Rule as well as the use and disclosure provisions under the Privacy Rule. In other words, business associates are liable for breaches, subsequent OCR investigations, and HIPAA violations.

RELATED: Business Associate Agreement Provisions

Lastly, the Omnibus Final Rule further details the requirements needed to comply with HIPAA and HITECH, adding more accountability to healthcare providers. Moreover, it addresses certain patient privacy questions and issues, especially individual right of access to EHRs and PHI.

One thing remains the same: email security is a necessity

Email is not a HIPAA compliant method of communication unless an extra layer of email security is applied.

Healthcare providers can safely transmit PHI via email with Paubox Email Suite because Paubox’s patented software automatically encrypts all outgoing messages by default.

Our solution is simple for employees to use since it easily integrates with platforms like Google Workspace and Microsoft 365. No need to use patient portals or third-party apps to send HIPAA complaint emails to patients.

We recently added a Zero Trust Email feature for our Plus and Premium customers, which is an extra layer of protection that ensures messages are genuine and not phishing emails.

All healthcare providers must understand the nuances of HIPAA and HITECH. But they can rely on Paubox Email Suite to do the heavy lifting when it comes to email communication.

Don’t let patient care and rights get lost under all the government regulations; use Paubox to communicate with ease and to ensure HIPAA compliance today.

Try Paubox Email Suite Plus for FREE today.