
Rowan University Office of Compliance and Corporate Integrity


HITECH - Health Information Technology for Economic and Clinical Health

RowanSOM Breach notification policy, please click link.

RowanSOM Breach Identification & Validation Process, link.


The HITECH Act of the American Recovery and Reinvestment Act imposes more stringent regulatory requirements under the security and privacy rules of HIPAA, increases civil penalties for a violation of HIPAA, provides funding for hospitals and physicians for the adoption of health information technology, and requires notification to patients of a security breach. These broad new requirements will necessitate compliance by covered entities, business associates and related vendors in the health care industry.

On February 17, 2009, President Obama signed into law the Health Information Technology and Clinical Health Act (HITECH) as part of the American Recovery and Reinvestment Act. HITECH codifies and funds the Office of the National Coordinator for Health Information Technology (ONC) and provides for the infusion of $19 billion over a four-year period, in grants and loans, for infrastructure and incentive payments under Medicare and Medicaid for providers who adopt and use health information technology (HIT). It also expands security and privacy provisions and penalties to HIPAA business associates of covered entities. The implications of HITECH for hospitals, health care providers, vendors, health information exchanges (HIEs), and Regional Health Information Organizations (RHIOs) are far-reaching. Provisions of HITECH are summarized below.

Although the ONC was established by Executive Order in 2004, HITECH appropriates $2 billion to the ONC and codifies the duties of the National Coordinator, with the stated goal of “the utilization of an electronic health record for each person in the United States by 2014.” The ONC strategic plan is to include “the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information” that ensures that patients’ health information is secure and protected.

The ONC is responsible for:


Consistent with other existing incentive programs developed by the federal government for the adoption of electronic health records (EHRs), and to implement the ONC’s strategic plan for the national adoption of HIT, HITECH also provides for $19 billion in grants and loan funding for incentives for the use of HIT. The entities that will be eligible for such grants and loan funding include those that support the HIT architecture that will enhance the nationwide electronic exchange of health information, including connecting HIEs; health care providers participating in Medicare, Medicaid, and the State Children’s Health Insurance Program (including hospitals and physicians); community health centers; clinical data repositories and registries; and public health departments. The funds provided must meet applicable standards determined by the HIT Standards Committee. Funds distributed will support technology architecture, development and adoption of certified EHRs for providers not otherwise eligible, training, infrastructure, and overall expansion and promotion of technology.

The Health Information Technology Extension Program will also be established to provide assistance and support to accelerate the adoption of HIT through regional centers of technical assistance. These regional centers will be associated with existing or new nonprofit groups and funding provided will be up to 50 percent of the capital, operating, and maintenance funds for up to four years. The criteria for determining qualified applicants will be published within the next 90 days. Beginning on January 1, 2010, the ONC may award grants and loan programs to states for the purchase of certified EHR technology used to exchange health information. Finally, the National Science Foundation is directed to provide assistance in the creation and expansion of medical health informatics education programs at institutions of higher education.

In a substantial change to the current security and privacy regulations under the Health Information Portability and Accountability Act (HIPAA), and in response to increased public awareness and debate over the privacy and security of electronic health information, HITECH requires the application of HIPAA security and privacy provisions and penalties directly to business associates of covered entities. Before HITECH, the security and privacy requirements were imposed on business associates through contractual provisions with covered entities. HITECH requires business associates to restrict the use and disclosure of protected health information (PHI) and subjects business associates directly to civil and criminal penalties for violating HIPAA requirements in the same manner as covered entities. The Secretary of Health and Human Services (HHS) will provide guidance on this requirement within the next year.

Another key requirement imposed by HITECH is for covered entities and business associates to notify individuals and the HHS if an individual’s unsecured or unencrypted protected health information “has been, or is reasonably believed…to have been, accessed, acquired, or disclosed as a result of such breach.” If the breach affects more than 500 individuals, the notification can be through media outlets. Further, personal health record vendors must notify the individual and the Federal Trade Commission of a breach. Of note is the fact that this provision is far more stringent than the breach notification laws that have been passed by numerous states, which require individual notification if the personal information is reasonably believed to have been used for identity theft purposes. Most states that have implemented breach notification laws require that the information be used for identity theft purposes before imposing civil or criminal penalties. Compliance with this provision of HITECH may be difficult for covered entities and business associates, although HITECH does not include, in the definition of a breach, an inadvertent disclosure or access to information provided that there is no further access or disclosure.

Other new privacy and security requirements in HITECH include:


HITECH pronounces that organizations that access PHI from covered entities, such as HIEs, RHIOs, e-prescribing gateways, or vendors that contract with covered entities to offer personal health records (PHRs), must have written contracts with the covered entity and will be treated like a business associate. This clears up existing confusion and further promotes the wider adoption of HIT.

In general, the effective date of HITECH is February 17, 2010. However, the incentive payments for practitioners and hospitals will commence in 2011 and phase out through 2015.

HITECH applies to covered entities, including hospitals, health care providers, health plans, business associates, vendors, HIEs, RHIOs, and PHRs. To comply with HITECH, we recommend the following:

Further updates, including proposed regulations pertaining to HITECH, will be issued by the government in the near future. We will continue to provide you with updates on HITECH as developments occur.