What is the Health Information Technology for Economic and Clinical Health (HITECH) Act?

What is the Health Information Technology for Economic and Clinical Health (HITECH) Act?
Healthcare is a broad industry and includes different acts that maintain the privacy and security of healthcare data. For instance, Digital Information Security in Healthcare Act (DISHA) secures the exchange of health information of individuals between clinics and other health organizations. 

Similarly, the HITECH Act, Health Information Technology for Economic and Clinical Health Act, was created to support technology and the adoption of Electronic Health Records (EHR) in the United States. 

What is the HITECH Act?

The HITECH ACT, or better known as The Health Information Technology for Economic and Clinical Health Act, is a part of an economic package introduced during the Obama administration. The Act was signed into law by Barack Obama in February 2009. 

The Significance of the HITECH Act

Before HITECH came in 2008, only 10-15% of hospitals had used EHRs. To enhance healthcare, improve care coordination, and to share health information between different entities, EHRs should be adopted. Several healthcare organizations wanted to convert EHRs from paper records; the cost of this transition was expensive. 

Therefore, the HITECH Act encouraged healthcare providers to make a change. If the HITECH wouldn’t have passed, many healthcare organizations would still use the traditional methods and have spent dollars. The ACT increased the use of EHR adoption. According to reports, the rate of EHR adoption increased from 3.2% in 2008 to 14.2% in 2015. 

By the end of 2017, nearly 90% of healthcare experts adopted EHR, and nearly 90% of non-federal acute hospitals have implemented certified health IT. It also ensures that business associates must comply with HIPAA Privacy and security rules to keep health information safe and private. It doesn't make any compliance with HIPAA but made sure that no entities found not in compliance could be issued with a fine. 

HITECH Act Summary and Compliance Date

The Act encouraged healthcare experts and providers to use EHRs and to give security for the healthcare data. Compliance with the requirements of the HITECH ACT became applicable on 30th November 2009. The requirements and the conditions of HITECH were incorporated into HIPAA in the Final Omnibus Rule, which brought them together in the same legislation. The final rule was published in 2013 and had a compliance date of September 2013. 

It contains four subtitles. Subtitle A focuses on the promotion of Health Information Technology and is divided into two parts. Part 1 targets to improve healthcare quality, efficiency, and safety. 

HIE has developed a core capability for physicians and hospitals to achieve meaningful use and receive stimulus funding. The main components of meaningful use are the use of a certified EHR technology for the electronic exchange of health information. The use of EHR is to submit clinical quality. Overall, providers had to show that they are using certified EHR technology. 

Meaningful use Stage 1

The first step to achieve meaningful use is to have a certified EHR and to be able to describe that it is used to meet the requirements. It contains 25 objectives for Eligible Providers and 24 measures for eligible hospitals. Again the measures have been divided into a core set and menu set. 

Let’s check what menu set and core set requirements are: 

Menu Set Requirements

  • Incorporate clinical lab-test results into certified EHR as structured data. 
  • To provide patients with electronic access to their health information. 
  • To perform medication reconciliation.
  • To send reminders to patients for further follow-up.
  • To provide electronic syndromic data to health agencies. 
  • To generate a list of patients according to their conditions
  • To provide summary care data for transitions. 

Core Set Requirements

1. To use computerized order entry.
2. To record demographics. 
3. To provide patients with a copy of their health information.
4. To record the smoking status of patients who are 13 years or above. 
5. To implement one clinical decision support role. 

Part 2 targets with the application and use of the health information technology reports. Subtitle B covers the testing of healthcare information technology, whereas Subtitle C covers loan funding. Subtitle D covers the security of electronic health information. 

HIPAA Violation Penalties

The HITECH Act opted for penalties for HIPAA covered entities and business associates. The HSS can retain a proportion of HIPAA penalties to fund its efforts. HHS was able to dedicate resources and to identify the data breaches. The HHS launched the first phase of its HIPAA compliance audit program. 

Before the launch of the HITECH Act, businesses were unaware that they were violating  HIPAA. The sanctions HHS could impose were $100 for each violation, and it could be extended up to $25,000. The maximum financial penalty for violation was increased by up to $1.5 million per violation per category. 

The Breach Notification Rule

Under the new Breach notification rule, the entities are required to issue notifications to the individuals within sixty days of the breach. The breach notification letter must be delivered to patients via mail. The mail should explain the nature of the breach and the type of information that was exposed. 

Furthermore, the breaches of records should also be reported to the HHS within 60 days of discovery, and smaller breaches within two months of the calendar year. 

Access to Electronic Health Records

The rule gave health plan members access to obtain copies of their health information by submitting a request. HITECH changed the HIPAA right of access and allowed individuals to obtain a copy of their health data in electronic format. 


HIPAA privacy rule allows health plan members to access copies of their PHI, whereas the HITECH Act allowed the option of accessing the copies in electronic form. HITCH requires that physicians and hospitals must have performed a HIPAA security risk assessment, as outlined in the Omnibus Rule. 

The primary goal of the HITECH Act is to improve the quality and efficiency of healthcare in HIPAA Compliant Care. The HITECH Act affects HIPAA in several ways. It introduced the Breach Notification Rule and the power to HHS to facilitate enforcement action. 

Major Components of HITECH Act

Here are a few major programs of the HITECH Act: 

1. Meaningful Useful Program

It was created by the Department of Health and Human Services (HHS). According to the CDC, the Meaningful Useful Program has some priorities- to improve population and public health and to engage patients in their health. 

2. Business Associate HIPAA Compliance

Business Associates were supposed to have an obligation to comply with compliance requirements. The HITECH introduced strict requirements for business associates agreements, including failure to report a data breach. 

3. Willful Neglect and Auditing

Along with the audit, they have a violation penalty and fine system. In Tier A, there is a penalty for HIPAA violation when the offender didn’t realize they violated the ACT. The result is up to $100 fine for each violation. 

In Tier B, the violations include reasonable cause but not willful neglect. The result is a $1000 penalty for each violation that can exceed up to $100,000 per year. Tier C includes violations that organizations have corrected. For this, they might have to pay $10,000 for violation. 

4. HIPAA Compliance Updates

The HITECH Act closed HIPAA loopholes and introduced penalties for noncompliance. Before HITECH, fines were smaller, and organizations found it cheaper to ignore HIPAA compliance and pay fines rather than investing in security. 

After the Act was expanded by the HHS with the HIPAA, it made modifications to HIPAA according to the regulations released in 2009 by the HITECH Act. 


HITECH has laid a base for a revolution in the healthcare industry. It provides positive incentives in the form of meaningful use and negatives in the form of penalties. It clearly defines the information guideline and what cannot be released without authorization. 
Covetus Get in Touch
Get free consultation right away via text message or call
Send Massage