The HITECH Act is a component of the economic stimulus package enacted by the federal government in 2009.  HITECH is an acronym for “Health Information Technology for Economic and Clinical Health.” HITECH extends some of the patient privacy and security provisions of HIPAA in order to better protect patient information while transitioning to the use of electronic health records for all Americans. 

HITECH changed HIPAA in many ways, but the three most relevant to faculty and staff are
1) Patient notification is now required if the patient’s unsecured protected health information (PHI) has been breached; 2) Significant penalties, both civil and criminal, may now be levied against individuals and institutions for violating patient privacy laws; and 3) Business associates that handle our PHI must comply with HITECH and HIPAA just as we do.  

Definition of a Breach

A breach is defined as “the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of the PHI. There are some exceptions, but you must immediately report all actual and suspected breaches so that the Compliance Office can make a determination as to whether a breach has occurred. You can do this in a variety of ways – see Reporting and Non-retaliation Policy.  

Preventing Breaches

Be authorized to use PHI. You are authorized to use PHI if you are involved in a patient’s treatment, if you are involved in patient billing and payment, or if you are involved in health care operations and you have a legitimate business reason to access PHI. Use the minimum PHI necessary to do your job. For example, if you are treating a patient this month for a broken ankle, you probably do not need to look at the records of a previous stay relating to that person’s hand injury. Keep PHI secure at all times. We cannot guarantee a patient’s information is private if we cannot keep it secure. Keep PHI confidential. Avoid discussing PHI in public places. Sign off of electronic records systems when you are finished accessing a record, especially if you share your workstation with others. Shred all paper medical records when they are no longer needed.  

Ensuring Our Business Associates Comply with HITECH/HIPAA

Business associates must comply directly with HITECH and HIPAA. They must report breaches of our PHI and they must have their own security measures in place to protect the PHI they use. We have to ensure that we have obtained Business Associate Agreements for all of our business associates. These agreements outline both our responsibility and the business associate’s responsibility for protecting the privacy and security of our patients’ PHI.