This blog continues our series on health data information security & data privacy laws in the United States. This two-part blog series walks through the key areas you need to focus on when ensuring your organization is compliant with the Health Information Technology for Economic and Clinical Health Act (HITECH). In this post we examine the important definitions and provisions of HITECH.

In 2009, HITECH was passed:

  1. As part of a larger effort to stimulate the American economy during the Great Recession; it isn’t actually its own, individual piece of legislation. 
    1. HITECH is formally known as Title XIII (Health Information Technology) of the American Recovery and Reinvestment Act of 2009.  
  2. To strengthen the information security & privacy requirements of HIPAA

Because HITECH updated HIPAA, any discussion of HIPAA is not complete without considering HITECH. Additionally, we want to ensure we provide a complete and accurate picture of these two laws. As a result, this series on HIPAA & HITECH is divided into four pieces:

    1. HIPAA | Foundations
    2. HITECH | Foundations
    3. HIPAA & HITECH | Today’s Health Data Privacy Laws in the USA
    4. HIPAA & HITECH | Third-party Risk Management

In this blog, we provide an overview of HITECH with the goal of enabling you to meaningfully contribute to healthcare privacy-related discussions at your organization. Because HITECH deals with implementing new technologies, we cover this Regulation in whole rather than just its information security & privacy aspects, as is the case with our HIPAA articles. 

Important Definitions

In order to fully understand HITECH, you need to understand the following terms: 

  1. Breach
    1. In general – The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI, except where an unauthorized person would not reasonably have been able to retain the information
    2. Exceptions – A breach does not include:
      1. Any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a covered entity or business associate if:
        1. The acquisition, access, or use was made in good faith and within the course & scope of the individual’s employment or other professional relationship; and
        2. The information is not further acquired, accessed, used, or disclosed by any person
      2. Any inadvertent disclosure of PHI from an authorized employee to another, similarly situated employee who is working at the same facility
      3. Any information received as a result of such a disclosure that is not further acquired, accessed, used, or disclosed without proper authorization
  2. Business Associate
    1. A person who, with respect to a covered entity:
      1. Performs a function/activity involving the use or disclosure of individually identifiable health information, including:
        • Claims processing/administration
        • Data analysis
        • Processing or administration
        • Utilization review
        • Quality assurance
        • Billing
        • Benefits management
        • Practice management
        • Repricing
        • Any other function or activity regulated by this subchapter
      2. Provides (but not as a workforce member of the covered entity) any of the following services to (or for) the covered entity, where the service involves the disclosure of individually identifiable health information to the person:
        • Legal
        • Actuarial
        • Accounting
        • Consulting
        • Data aggregation
        • Management
        • Administrative
        • Accreditation
        • Financial
    2. A covered entity participating in an organized health care arrangement that performs a function/activity/service as described above does not, simply through the performance of that function/activity/service, become a business associate of other covered entities participating in the organized health care arrangement
    3. A covered entity may be a business associate of another covered entity
  3. Covered Entity
    1. Any of the following:
      1. A health plan
      2. A health care clearinghouse
      3. A health care provider (who transmits any health information in electronic form in connection with a transaction)
  4. Disclosure
    1. The release, transfer, provision of access to, or divulging in any other way of information outside of the entity holding the information
  5. Health Information Technology (HIT)
    1. Any of the following that are sold as services designed for, or that support, the use by health care entities or patients to electronically create, maintain, access, or exchange health information:
      1. Hardware
      2. Software
      3. Integrated technologies (or related licenses)
      4. Intellectual property
      5. Upgrades
      6. Packaged solutions
  6. Individually Identifiable Health Information
    1. Any information (including demographic info) that:
      1. Is created or received by a:
        1. Health care provider
        2. Health plan
        3. Employer
        4. Health care clearinghouse
      2. Relates to the past, present, or future physical or mental health/condition of an individual; the provision of health care to an individual; or the past, present, or future payment for providing health care to an individual; and:
        1. Identifies the individual; or
        2. Can be reasonably used to identify the individual
  7. Marketing
    1. A communication by a covered entity/business associate that is about a product/service and that encourages recipients of the communication to purchase/use the product/service; such a communication is not considered a health care operation
  8. Personal Health Record
    1. An electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual
  9. PHI (Protected Health Information)
    1. Individually identifiable health information that is (unless stated otherwise):
      1. Transmitted by electronic media
      2. Maintained in electronic media
      3. Transmitted or maintained in any other form/medium
    2. PHI excludes individually identifiable health information in these scenarios:
      1. In education records covered by FERPA (the Family Educational Rights and Privacy Act)
      2. In records described in 20 U.S.C. 1232g(a)(4)(B)(iv):
        • Records on a student who is 18 years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in [their] professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice
      3. In employment records held by a covered entity in its role as employer
      4. Regarding a person who has been deceased for more than 50 years


  10. Treatment
    1. The provision, coordination, or management of health care (and related services) by at least one health care provider, including:
      1. The coordination/management of health care by a health care provider with a third party
      2. Consultation between health care providers relating to a patient
      3. The referral of a patient for health care from one health care provider to another
  11. Use
    1. Any of the following activities regarding individually identifiable health information within the entity that maintains the information:
      1. Sharing
      2. Employment
      3. Application
      4. Utilization
      5. Examination
      6. Analysis


Key Provisions of HITECH

HITECH’s overarching objective is to improve the quality of health care through the use of technology. The Regulation implements this through the creation of a Health Information Technology (HIT) infrastructure and various exchanges that enable the widespread use of electronic health records in a secure, private, and accurate manner. To support these objectives, HITECH requires:

  • The creation of a single electronic health record for each individual in the United States
  • Breach notifications to individuals (potentially) affected by the breach
  • Restrictions on disclosures and sales of health information
  • Ability for individuals to opt-out of marketing

To encourage organizations to adopt these standards, HITECH:

  • Provides financial incentives (most of which have expired as of the time of writing)
  • Imposes fines for noncompliance, ranging from $100 to $1,500,000

In part two of our blog series, we will examine critical areas of HITECH, including breach notification requirements, fines for noncompliance, and what your organization can do to meet the regulation.