
Helping You Comply With HITECH
The HITECH Act
The Health Information Technology for Economic and Clinical Health Act (HITECH Act or "The Act") is part of the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA contains incentives related to health care information technology in general (e.g. creation of a national health care infrastructure) and contains specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers.
Because this legislation anticipates a massive expansion in the exchange of electronic protected health information (ePHI), the HITECH Act also widens the scope of privacy and security protections available under HIPAA; it increases the potential legal liability for non-compliance; and it provides for more enforcement.
Business Associates and Business Associate Agreements
The HITECH Act now applies certain HIPAA provisions directly to business associates. Formerly, privacy and security requirements were imposed on business associates via contractual agreements with covered entities. As we have noted elsewhere in this guide, we suspect that many small providers do not have the requisite contracts (aka Business Associate Agreements) in place. In some cases Business Associate Agreements (contracts) exist but may not meet all the requirements of the rules. Under the lax enforcement regime of the past, lack of contractual agreements has apparently not proved problematic for the provider community as a whole. This may soon change.
Under the HITECH Act, business associates are now directly "on the compliance hook" since they are required to comply with the safeguards contained in the HIPAA Security Rule (SR). The HITECH Act does not speak directly to the rationale, but even casual observers understand that a potentially massive expansion in the exchange of ePHI increases the privacy and security concerns of all stakeholders. Most, if not all, software vendors providing EHR systems will clearly qualify as business associates. Requiring vendors to comply directly ensures that more provider/vendor dialog will occur regarding the necessary Business Associate Agreements (contracts), and regarding other compliance issues of mutual interest. The vendors themselves will insist on it.
The "fun" for business associates does not stop with HIPAA Security Rule compliance and contractual agreements. The Act requires business associates to report security breaches to covered entities consistent with the notification requirements. Also, they are now subject to civil and criminal penalties under HIPAA if certain conditions exist, as mentioned in the introduction of this section. Finally, the business associate requirements listed above are illustrative and not exhaustive. There are additional business associate requirements that may be imposed depending on how the relationship with the provider is defined.
The bottom line is that business associates and providers will share more joint responsibilities than they have previously. Large providers, with the help of counsel and other specialized staff, will not likely be surprised by these changes. However, for many small providers the HITECH Act may be the first real introduction to the business associate concept, yet one more regulatory requirement that will require serious attention.
AccuShred can help your company maintain HITECH compliance by providing secure containers for the storage of unwanted PHI and by the complete destruction of those records. We also can help with the creation of a written compliance policy and staff training related to that policy.






















