The HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 is legislation that was created to stimulate the adoption of electronic health records (EHR) and the supporting technology in the United States. President Barack Obama signed HITECH into law on Feb. 17, 2009, as Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA) economic stimulus bill.
The Office of the National Coordinator (ONC) for Health Information Technology was established in 2004 within the Department of Health and Human Services (HHS). The HITECH Act gave ONC the authority to manage and set standards for the stimulus program. It also established grants for training centers for the personnel required to support new health IT infrastructures in healthcare organizations.
The HITECH Act also established a Health IT Policy Committee to make recommendations to the head of ONC related to the implementation of a national health IT infrastructure.
Why HITECH was enacted
Besides stimulating EHR adoption in the United States, the HITECH Act was passed to further expand data breach notifications and the protection of electronic protected health information (ePHI).
HITECH also increased the number of penalties for repeated or uncorrected HIPAA violations.
HITECH Act summary
The HITECH Act contains four subtitles:
- Subtitle A: Promotion of Health Information Technology
- Part 1: Improving Healthcare Quality, Safety and Efficiency
- Part 2: Application and Use of Adopted Health Information Technology Standards; Reports
- Subtitle B: Testing of Health Information Technology
- Subtitle C: Grants and Loans Funding
- Subtitle D: Privacy
- Part 1: Improved Privacy Provisions and Security Provisions
- Part 2: Relationship to Other Laws; Regulatory References; Effective Date; Reports
The HITECH Act directed the head of ONC to estimate and publish the resources required to achieve the goal of EHR use by every person in the U.S. by 2014. The act also authorized the ONC -- if the ONC makes a certified EHR technology available, such as through open-source coding -- to impose a fee to healthcare providers that adopt this certified technology.
HITECH Act and meaningful use
As it was originally enacted, HITECH stipulated that, beginning in 2011, healthcare providers would be offered financial incentives for demonstrating meaningful use of EHRs until 2015, after which time penalties would be levied for failing to demonstrate such use.
Providers were able to start using EHRs as late as 2014 and avoid penalties, but the incentive payment they were eligible to receive was less than that of earlier adopters.
The rollout of meaningful use happens in three stages; providers must demonstrate two years in a stage before moving on to the next one.
Because adoption for stage 2 has been slow, the Centers for Medicare and Medicaid Services (CMS) announced in mid-2014 that it would put stage 3 off until 2017. Stage 3 of meaningful use was an option for providers that year, but it became mandatory for all participants in 2018. However, several groups have requested that stage 3 be either canceled or at least paused until 2019 due to concerns about provider and vendor readiness.
MACRA (Medicare Access and CHIP Reauthorization Act) included a category called Advancing Care Information that effectively replaced meaningful use while retaining certain aspects of the program. Healthcare providers are still required to report on meaningful use stage 3 measures, but will be able to choose which measures are best suited to their practice.
Why it's important and how it has changed health IT
One of the major impacts of the HITECH Act is that the rate of EHR adoption for eligible hospitals increased from 3.2% to 14.2% from 2008 to 2015. Prior to the HITECH Act, the rate of adoption was low -- only 10% of hospitals and 17% of doctors had adopted the technology, according to a report in the journal Health Affairs.
The HITECH Act also expanded privacy and security provisions that were included under HIPAA, holding not only healthcare organizations responsible for disclosing breaches, but holding their business associates and service providers responsible, as well.
HITECH Act vs. HIPAA
HITECH and HIPAA, also known as the Health Insurance Portability and Accountability Act, are separate and unrelated laws, but they do reinforce each other in certain ways. For example, HITECH stipulates that technologies and technology standards created under HITECH will not compromise HIPAA privacy and security laws.
HITECH also requires that any physician or hospital that attests to meaningful use must have performed a HIPAA security risk assessment as outlined in the Omnibus Rule, or the 2013 digital update to the original 1996 law.
Another example: HITECH established data breach notification rules; HIPAA's Omnibus update echoes those rules and adds details, such as holding healthcare providers' business associates accountable to the same liability of data breaches as the providers themselves.
HITECH Act Enforcement Interim Final Rule
The HITECH Act Enforcement Interim Final Rule went into effect on Nov. 30, 2009, and it amended a section of the Social Security Act (SSA) to include the HITECH Act's four categories of violations that reflect increasing culpability.
The final rule also incorporated corresponding tiered penalties for violations, and it revised limitations on the secretary of HHS to impose penalties for violations of HIPAA's rules.
The final rule also added a new subsection in the SSA regarding noncompliance due to willful neglect, requiring HHS investigate any complaints that indicate a violation occurred due to willful neglect, and to impose penalties on these violations.
Business associates and business associate agreements
The HITECH Act requires business associates to comply with the HIPAA Security Rule with regards to ePHI and to report PHI breaches. Business associates must also comply with HIPAA Privacy Rule requirements that apply to covered entities when the associates act on the behalf of those entities.
Under the HITECH Act, a business associate is directly liable for uses and disclosures of PHI that are not in accordance with either HIPAA rules or its agreement with a covered entity.