April 10, 2024

HITECH Compliance

Written by: Nancie Lee Cummins, CFE, CHA, CIFHA, OHCC, CHCM, CHCO, CORCM      


This article provides an overview of the Health Information Technology for Economic and Clinical Health Act (HITECH) and a basic checklist of policies and procedures for compliance by smaller health care organizations. This information is not all-inclusive and is not intended as consulting or legal advice.

HITECH is a critical part of compliance with the Health Insurance Portability & Accountability Act (HIPAA).  Since 2009, HITECH has given “teeth” to HIPAA law.  What’s the difference between HIPAA and HITECH? HIPAA gave patients the right to access their medical records. HITECH extended that right to electronic copies of records held in an EHR, increased penalties for HIPAA violations, made business associates directly subject to the HIPAA Security Rule, added the breach notification rule, and created the encryption “safe harbor” under which lost or stolen ePHI that was properly encrypted is not treated as a reportable breach.

HIPAA and HITECH apply to every health care organization that meets the definition of a Covered Entity, from solo practices to larger clinics, hospital networks, health plans and clearinghouses, and to the Business Associates that handle PHI on their behalf. 

As a smaller organization, your security measures can be put in place by an IT person you contract with (a 1099 contractor) or by someone on your own payroll.  But someone must provide oversight to ensure compliance with both the HIPAA Security Rule and HITECH, under Federal law and any applicable State rules.

Let’s start with what HITECH is: the acronym stands for the “Health Information Technology for Economic and Clinical Health Act.”  This act was signed into law by President Obama in 2009.  For years we lived with HIPAA and understood we needed to protect patient information. HIPAA standards brought us the Administrative Safeguards, Physical Safeguards and Technical Safeguards.  While we learned to protect information, everything was on paper.  Yes, we faxed and mailed, and then the computer age brought us to sending information, including claims, over the internet. Our PHI (Protected Health Information) became ePHI (Electronic Protected Health Information).   So here we are, understanding the rules on what we need to do on our own for our practices. But is that really true?  As you will find out, there is so much information that when you write your own HITECH plan you may not know where to start.

Patient information is everywhere.  A Durable Medical Equipment store, a physician’s office, a facility where a test is performed: each of these handles patient information, and each can expose it. 

The focus of this article is to be able to launch a list of questions which can be answered to put in place a basic plan in its simplicity of how to protect your own practice.  This can give you a start and with time being aware of “HITECH” you can add to what you have in place. Links have been provided for additional information which is recommended for review as you go through the process.

So, let’s start! Answer the questions and document.  Focus on the easier ones and go back into the others utilizing the links provided.

[Name of Your Practice]

HITECH Policy and Procedures

Electronic Health Records

When changing over from paper records to Electronic Health Records (EHR), electronic systems have the potential to reduce errors and often bring additional security features, such as audit logs that track who accessed each record and access controls assigned per user. 

  • Is your system user-friendly software tailored to smaller practices? This minimizes the challenges of setting up the EHR with your patient database. 
  • Does your system offer Artificial Intelligence (AI) options?
  • If so, is it “secure by design”, and does your agreement with the vendor cover how PHI sent to the AI feature is stored and used?

Risk Assessment

  • When going through the list identify any vulnerabilities which can cause risks to Protected Health Information (PHI) or Electronic PHI (ePHI). Know your risks, so they can be mitigated accordingly. What are they? 
  • Who is responsible for conducting security risk assessments?
  • How often are these risk assessments performed?
  • What types of vulnerabilities were revealed and how were they addressed?

Patient privacy, confidentiality and the breach notification rule

  • The importance of maintaining privacy and confidentiality of patient information should be the top priority for your practice. 
  • How does patient information flow through your office?  Are all communications secure and private?  HIPAA requires Covered Entities to protect the privacy of all health information, including who can access it, and gives patients specific rights over it.
  • Is your organization compliant to a patient’s Right of Access?
  • How are security breaches prevented?
  • What is your procedure to notify patients in the event of a data breach?
  • Does your practice have a procedure for notifying the Secretary of Health & Human Services (HHS) when there is a breach? Breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Preventing fraudsters

Having security measures in place safeguards patient data.  However, patients may not realize that someone has stolen their medical identity. 

  • Do your patients understand why they must show proof of identity when they arrive for care?
  • What are your protocols to verify patient identity?  Yes, there are patients that will use someone else’s medical card for services.
  • Does your organization have materials for patient education and risks of identity theft and medical fraud?
  • Do you encourage patients to review their medical statements and Explanation of Benefits for charges they do not recognize?

Administrative safeguards

HIPAA administrative safeguards are actions, policies, and procedures designed to manage the selection, development, implementation, and maintenance of security measures to protect ePHI. These safeguards guide the conduct of a covered entity’s staff concerning ePHI.

  • What security checks are employed to ensure that individuals in key employee positions are screened? This includes background checks and signed confidentiality agreements, where necessary.
  • The Security Management Process standard under the administrative safeguards has four implementation specifications.  Is there documentation to support practice compliance with each of these requirements?
  1. Risk Analysis
  2. Risk Management
  3. Sanction Policy
  4. Information System Activity Review
  • What security measures are already in place to protect EPHI (i.e., safeguards)?
  • Is executive leadership and/or management involved in risk management and mitigation decisions?
  • Are security processes being communicated throughout the organization?
  • Does the covered entity need to engage other resources to assist in risk management?
  • Does your practice apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity?
  • Are employees required to sign a statement of adherence to security policy and procedures (e.g., as part of the employee handbook or confidentiality statement) as a prerequisite to employment?
  • Are there existing procedures for determining that the appropriate workforce members have access to the necessary information?
  • Are the procedures used consistently within the organization when determining access of related workforce job functions?
  • Does the sanction policy provide examples of potential violations of policy and procedures?
  • Does the sanction policy adjust the disciplinary action based on the severity of the violation?
  • Do the termination policies and procedures assign responsibility for removing information system and/or physical access?
  • Do the policies and procedures include timely communication of termination actions to ensure that the termination procedures are appropriately followed?
  • Are the information systems functions adequately used and monitored to promote continual awareness of information system activity?
  • What logs or reports are generated by the information systems?
  • Would it serve the organization’s needs to designate the same individual as both the Privacy and Security Official (for example, in a small provider office)?
  • Has the organization agreed upon, and clearly identified and documented, the responsibilities of the Security Official?
  • How are the roles and responsibilities of the Security Official crafted to reflect the size, complexity and technical capabilities of the organization?
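The Information System Activity Review specification and the termination bullets above both come down to someone actually reading the EHR audit log against a few written rules. The following is an added example, not code from the article or from any EHR product: it runs three review rules (after-hours access, actions a role is not expected to perform, and access by a workforce member whose account should have been removed) plus a high-volume check over a constructed audit log. The log format, roles, thresholds and user names are assumptions for a hypothetical small practice.

```python
"""Information system activity review over constructed EHR audit-log lines.

Added example, not code from the article or any EHR product. The log format,
roles, thresholds and user names below are assumptions for a hypothetical practice.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log (made up for this example). One record per line:
# <ISO timestamp> <user> <role> <action> <patient id>
SAMPLE_LOG = """\
2024-04-09T08:12:03 jsmith nurse VIEW P1001
2024-04-09T08:15:41 jsmith nurse VIEW P1002
2024-04-09T08:20:05 jsmith nurse VIEW P1007
2024-04-09T09:02:10 rlee billing VIEW P1003
2024-04-09T09:03:55 rlee billing EXPORT P1003
2024-04-09T22:47:19 jsmith nurse VIEW P1004
2024-04-09T10:30:00 tgarcia frontdesk VIEW P1001
2024-04-10T07:55:12 tgarcia frontdesk VIEW P1005
2024-04-10T11:20:31 kwong nurse VIEW P1006
"""

# Assumed review rules for this hypothetical practice.
BUSINESS_HOURS = (7, 19)          # access outside 07:00-18:59 is flagged
MAX_DISTINCT_CHARTS_PER_DAY = 3   # deliberately low so the sample trips it
# Actions each role is expected to perform; anything else is flagged.
ROLE_ACTIONS = {
    "nurse": {"VIEW", "UPDATE"},
    "frontdesk": {"VIEW"},
    "billing": {"VIEW"},          # bulk EXPORT is not a billing task here
}
# Workforce members whose access should have been removed on the given date
# (this is the check behind the termination-procedure bullets).
TERMINATED = {"kwong": date(2024, 4, 1)}


def parse_log(text):
    """Yield (timestamp, user, role, action, patient) tuples, skipping malformed lines."""
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 5:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], parts[4]


def review(text):
    """Return a sorted list of (rule, user, detail) findings for the reviewer."""
    findings = []
    charts = defaultdict(set)  # (user, day) -> distinct patient ids touched
    for ts, user, role, action, patient in parse_log(text):
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", user, f"{action} {patient} at {ts.isoformat()}"))
        if action not in ROLE_ACTIONS.get(role, set()):
            findings.append(("role_action", user, f"{role} performed {action} on {patient}"))
        term = TERMINATED.get(user)
        if term is not None and ts.date() >= term:
            findings.append(("terminated_user", user,
                             f"access on {ts.date()} after termination on {term}"))
        charts[(user, ts.date())].add(patient)
    for (user, day), ids in charts.items():
        if len(ids) > MAX_DISTINCT_CHARTS_PER_DAY:
            findings.append(("high_volume", user, f"{len(ids)} distinct charts on {day}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:16} {user:10} {detail}")
```

Each finding is something the Security Official has to close out in writing: either a documented business reason (the nurse was on call) or a sanction, and a terminated account that still works is a termination-procedure failure regardless of what was viewed. Thresholds like the chart count should come from your own baseline, not from this example.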

Technical safeguards

Securing your electronic systems protects ePHI.  This is where it is recommended that you have an “IT person” who is a person who works in the field of information technology (IT) and specializes in computer systems and networks. 

  • Has an IT professional installed and configured your infrastructure so that its reliability and security can be assured?
  • Encryption is not mandatory to comply with the Security Rule: the encryption implementation specification is addressable, which means it should be implemented if, after a risk assessment, your Security Officer determines it is a reasonable and appropriate safeguard for the confidentiality, integrity and availability of ePHI (and if it is not implemented, the reason and any alternative measure must be documented).  Encryption matters for breach notification because properly encrypted data is unusable to whoever obtains it.  If a lost laptop or intercepted message contained ePHI encrypted in a manner consistent with HHS guidance (NIST standards for data at rest and data in transit) and the decryption key was not also compromised, the ePHI is not “unsecured” and the breach notification rule does not apply.  The key must therefore be kept separate from the data, and full-disk encryption only protects a device while it is powered off or locked.  How does your organization protect ePHI that is used in emails and/or texts?


With all the cyber threats and vulnerabilities, a structured cybersecurity framework needs to be in place. 

  • What do you have in place to prevent malicious software?  What do you have to protect your network from cyber threats?
  • Are your systems monitored routinely?
  • How do you respond to contain and mitigate a cybersecurity incident?   
  • Do you have a contingency plan in the event of a cybersecurity incident?
  • How do you evaluate whether a cybersecurity incident is a breach (or not)?
  • Ransomware is one form of cyber extortion (sometimes abbreviated Cy-X).  Under HHS guidance, ransomware that encrypts ePHI is presumed to be a breach unless your documented risk assessment shows a low probability that the PHI was compromised.  Don’t forget anti-virus software and educating employees on the signs of unusual activity.  For a structured framework, NIST (the National Institute of Standards and Technology, part of the U.S. Department of Commerce) publishes the Cybersecurity Framework, which HHS has mapped to the HIPAA Security Rule.

Data backup and recovery

  • Data should be backed up on a regular basis.  Backups protect availability: they are what lets you restore the software and database after a disaster or a ransomware attack.  Encrypt the backups so that a lost backup drive is not a breach of its own, keep at least one copy offline or otherwise out of reach of an attacker who is on your network, and test restoring from them.  Has this been tested?
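“Has this been tested?” means a restore, not just a successful backup job. The following is an added example (not from the article or any backup product) of the smallest honest test: back up a folder, restore it somewhere else, and compare every restored file against a hash manifest taken at backup time. It works on a throwaway temporary directory with constructed sample files; the paths, file names and contents are assumptions, and it checks integrity only (encrypting the archive is a separate step).

```python
"""Backup restore test: archive a folder, restore it, verify every file byte-for-byte.

Added example, not code from the article or any backup tool. It runs entirely
inside a temporary directory using constructed sample files.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source, archive):
    """Write a gzip tar of source and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return sha256_manifest(source)


def restore(archive, restore_dir):
    """Extract the archive. The 'data' filter (Python 3.12, backported to older
    security releases) refuses entries that would write outside restore_dir."""
    with tarfile.open(archive, "r:gz") as tar:
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(restore_dir, **kwargs)


def verify(manifest, restore_dir):
    """Return sorted names of files that are missing, altered, or unexpected."""
    restored = sha256_manifest(restore_dir)
    problems = [name for name, digest in manifest.items() if restored.get(name) != digest]
    problems += [name for name in restored if name not in manifest]
    return sorted(problems)


def run_demo():
    """Back up and restore constructed sample data; return (clean, tampered) problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, archive, restore_dir = tmp / "ehr_export", tmp / "backup.tar.gz", tmp / "restore"
        # Constructed sample data standing in for a practice's database export.
        (source / "billing").mkdir(parents=True)
        (source / "patients.csv").write_text("id,name\nP1001,Example Patient\n")
        (source / "billing" / "claims.csv").write_text("claim,amount\nC1,120.00\n")

        manifest = make_backup(source, archive)
        restore_dir.mkdir()
        restore(archive, restore_dir)
        clean = verify(manifest, restore_dir)

        # Simulate silent corruption of the restored copy: a "file exists" check
        # would pass, the hash comparison does not.
        (restore_dir / "patients.csv").write_text("id,name\nP1001,Altered\n")
        tampered = verify(manifest, restore_dir)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean restore problems:", clean)
    print("tampered restore problems:", tampered)
```

Keep the manifest with the backup record, not only on the server being backed up, so that it survives whatever destroyed the original; a restore test that the Security Official signs and dates is the documentation an auditor will ask for.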

Audits and assessments

  • Are you conducting internal audits? Security assessments and compliance review should be in place.  Remember these are areas that can validate the protection of PHI and ePHI.

Education and Training

Training for employees on HITECH should include educating staff members about the basics. Their responsibilities include safeguarding protected health information (PHI), and the requirements of compliance regarding electronic health records (EHRs), and health information technology (HIT). Let’s look at what we can include under the training.

  • Include an overview of the HITECH Act, its purpose and objectives.  By providing comprehensive training on HITECH Act and related HIPAA regulations, employees will understand how to participate in safeguarding patient information. They will be able to actively prevent the risks of breaches, and help maintain compliance with regulatory requirements.
  • Understanding HIPAA is crucial.  Come up with a list of the ways you can prevent breaches.  Is the computer screen in your office viewable from the lobby?  Can others hear you discussing private information with a patient?  Are patient files sitting out?  Come up with your own list and implement training for prevention. Train your staff on HIPAA regulations and on their responsibility for protecting patients.
  • Training and awareness educating staff members on the importance of protecting PHI and EPHI should be done on a continual basis.  How often are you training?
  • Are you keeping employees up to date on any changes in regulations? 
  • Are they reporting risks to management? 
  • Can your employees recognize a threat through an email such as Phishing?
  • Are there internal office policies regarding no downloading from unknown web pages? 
  • Are they allowed to attach their own devices to their computers, which could bypass your security controls?

Additional Resources

Review the HIPAA provisions and how the HITECH Act strengthens the HIPAA enforcement. You will see added information requiring privacy, security, and breach notifications.

HHS 405(d) Knowledge on Demand

Knowledge on Demand is the 405(d) Program’s free cybersecurity education platform. It includes multiple delivery methods designed to reach health care facilities of varied sizes across the country. The platform includes cybersecurity awareness trainings that align with the top 5 cybersecurity threats outlined in the 405(d) Health Industry Cybersecurity Practices publication.

HIPAA Security 101 for Covered Entities

Health IT Privacy and Security Resources for Providers

HHS Smaller providers and businesses

NIST Small business for Cybersecurity Corner


This is just a start!  This is Part 1 in a mini-series on HIPAA and HITECH rules for smaller health care organizations. 

Utilize the steps and keep adding as you gather your information.  There is a lot of information available.  Be sure to use web sites that give you accurate information, such as the Centers for Medicare and Medicaid Services, Health and Human Services, the Office for Civil Rights and other U.S. Government agencies.

If you are a Practice Manager, Administrator or owner of a small medical organization and responsible for overseeing HITECH and HIPAA compliance, consider online training.

Learn more about HIPAA HITECH

  • HIPAA Privacy and Security Course
  • HIPAA Privacy Officer Course


Copyright © 2024 American Institute of Healthcare Compliance All Rights Reserved

