What is HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009?

Why HITECH was enacted

Besides stimulating EHR adoption in the United States, the HITECH Act was passed to further expand data breach notifications and the protection of electronic protected health information (ePHI).

HITECH also increased the number of penalties for repeated or uncorrected HIPAA violations.

HITECH Act summary

The HITECH Act contains four subtitles:

• Subtitle A: Promotion of Health Information Technology
  • Part 1: Improving Healthcare Quality, Safety and Efficiency
  • Part 2: Application and Use of Adopted Health Information Technology Standards; Reports
• Subtitle B: Testing of Health Information Technology
• Subtitle C: Grants and Loans Funding
• Subtitle D: Privacy
  • Part 1: Improved Privacy Provisions and Security Provisions
  • Part 2: Relationship to Other Laws; Regulatory References; Effective Date; ReportsThe HITECH Act directed the head of ONC to estimate and publish the resources required to achieve the goal of EHR use by every person in the U.S. by 2014. The act also authorized the ONC -- if the ONC makes a certified EHR technology available, such as through open-source coding -- to impose a fee to healthcare providers that adopt this certified technology.

HITECH Act and meaningful use

As it was originally enacted, HITECH stipulated that, beginning in 2011, healthcare providers would be offered financial incentives for demonstrating meaningful use of EHRs until 2015, after which time penalties would be levied for failing to demonstrate such use.

Providers were able to start using EHRs as late as 2014 and avoid penalties, but the incentive payment they were eligible to receive was less than that of earlier adopters.

The meaningful use program evolved over the course of three stages:

• Stage 1 established the base requirements for electronic capture of clinical data.
• Stage 2 encouraged the use of EHRs for increased health information exchange (HIE) and continuous quality improvement at the point of care.
• Stage 3 focused on using EHRs to improve health outcomes through ePrescribing, clinical decision support, computerized provider order entry, HIE, clinical data registry and case reporting.

Because adoption for stage 2 had been slow, the Centers for Medicare and Medicaid Services announced in mid-2014 that it would put off stage 3 until 2017. Stage 3 of meaningful use was an option for providers that year, but it became mandatory for all participants in 2018. However, several groups requested that stage 3 be either canceled or at least paused until 2019 due to concerns about provider and vendor readiness.

With the introduction of the Medicare Access and CHIP Reauthorization Act (MACRA) in 2015, meaningful use became one of the components of the new Merit-Based Incentive Payment System (MIPS), which is part of MACRA.

MIPS harmonized existing CMS quality programs (including meaningful use), the Physician Quality Reporting System and Value-Based Payment Modifier.

In 2018, CMS renamed the meaningful use program the Promoting Interoperability (PI) program reflecting a renewed focus on advancing health data interoperability and patient access to health information. Why it's important and how it has changed health IT

One of the major impacts of the HITECH Act is that the rate of EHR adoption for eligible hospitals increased from 3.2% to 14.2% from 2008 to 2015. Prior to the HITECH Act, the rate of adoption was low -- only 10% of hospitals and 17% of doctors had adopted the technology, according to a report in the journal Health Affairs.

The HITECH Act also expanded privacy and security provisions that were included under HIPAA, holding not only healthcare organizations responsible for disclosing breaches, but holding their business associates and service providers responsible, as well.

HITECH Act vs. HIPAA

HITECH and HIPAA, also known as the Health Insurance Portability and Accountability Act, are separate and unrelated laws, but they do reinforce each other in certain ways. For example, HITECH stipulates that technologies and technology standards created under HITECH will not compromise HIPAA privacy and security laws.

HITECH also requires that any physician or hospital that attests to meaningful use must have performed a HIPAA security risk assessment as outlined in the Omnibus Rule, or the 2013 digital update to the original 1996 law.

Another example: HITECH established data breach notification rules; HIPAA's Omnibus update echoes those rules and adds details, such as holding healthcare providers' business associates accountable to the same liability of data breaches as the providers themselves.

HITECH Act Enforcement Interim Final Rule

The HITECH Act Enforcement Interim Final Rule went into effect on Nov. 30, 2009, and it amended a section of the Social Security Act (SSA) to include the HITECH Act's four categories of violations that reflect increasing culpability.

The final rule also incorporated corresponding tiered penalties for violations, and it revised limitations on the secretary of HHS to impose penalties for violations of HIPAA's rules.

The final rule also added a new subsection in the SSA regarding noncompliance due to willful neglect, requiring HHS to investigate any complaints that indicate a violation occurred due to willful neglect, and to impose penalties on these violations.

Business associates and business associate agreements

The HITECH Act requires business associates to comply with the HIPAA Security Rule with regards to ePHI and to report PHI breaches. Business associates must also comply with HIPAA Privacy Rule requirements that apply to covered entities when the associates act on the behalf of those entities.

Under the HITECH Act, a business associate is directly liable for uses and disclosures of PHI that are not in accordance with either HIPAA rules or its agreement with a covered entity.

Editor's note: This article was written by Scot Petersen and Tayla Holman in 2018. TechTarget editors revised it in 2024 to improve the reader experience.