Health Information Technology for Economic and Clinical Health Act (HITECH) Compliance
Federal Healthcare Lawyers and Consultants Experienced in HITECH Compliance

While the Health Information Technology for Economic and Clinical Health Act (HITECH) has been around for more than a decade, it continues to confuse and present risks for the healthcare industry across the United States. Through the enactment of HITECH, Congress expanded the scope of the Health Insurance Portability and Accountability Act (HIPAA) and increased the penalties for HIPAA noncompliance. As a result, HITECH compliance is essential, and healthcare providers subject to HITECH and HIPAA need to work with a team of experienced lawyers and consultants who can guide them forward.
At Oberheiden P.C., our team includes lawyers with deep experience in all federal healthcare compliance and enforcement areas, including HITECH compliance. Our team also includes HITECH consultants who have prior experience working for the federal government in healthcare law enforcement. We take a comprehensive and custom-tailored approach to helping healthcare organizations implement effective compliance programs, and we are also available to communicate with federal healthcare authorities on behalf of our clients when necessary.
5 Key Areas of HITECH Compliance for Healthcare Providers
There are numerous aspects to HITECH compliance for healthcare providers. The statute and its enabling regulations are dense and complicated, and with federal authorities ramping up enforcement in recent years, it is now more important than ever that healthcare providers do what is necessary to establish, maintain, and prove compliance. With this in mind, while the following are some of the key areas of HITECH compliance for covered healthcare providers, this list is by no means exhaustive:
1. Electronic Health Records (EHR)
The primary focus of the HITECH Act is on the use and protection of electronic health records (EHR). The statute was enacted at a time when healthcare providers’ use of EHR was both sparse and inconsistent. With its enactment, Congress sought to encourage a transition to certified EHR technology while also establishing uniform standards and ensuring that healthcare providers implemented adequate protections for their patients’ data.
2. EHR Incentives and Penalties
Congress included incentive programs within the statute to encourage the adoption of HITECH’s EHR standards. These programs provide financial incentives for healthcare providers. Although these incentives originally included payments to providers that “meaningfully” used EHR, today, healthcare providers face financial penalties for noncompliance.
Along with imposing penalties for EHR noncompliance, HITECH also increased the penalties for HIPAA noncompliance. Crucially, these penalties provide incentives for covered healthcare providers to maintain effective compliance programs and for federal authorities and fee-for-service auditors working with the government to uncover instances of noncompliance.
3. Data Privacy and Security Rules
Another key aspect of HITECH compliance is data privacy and security compliance. Under the statute, covered healthcare entities must take adequate steps to ensure the protection of EHRs, including (but not limited to) EHRs that contain protected health information (PHI). Under the HITECH Act, healthcare providers may not disclose EHRs containing PHI without a patient’s consent unless the disclosure is for purposes of treatment, payment, or healthcare operations management.
Along with covering healthcare entities, HITECH’s data privacy and security requirements also cover “business associates.” This term is defined in HIPAA to include entities that have access to PHI through services they provide to healthcare entities. While HIPAA requires covered healthcare entities to oversee their business associates’ use of PHI, the HITECH Act establishes direct federal obligations for business associates.
4. Breach Notifications
The HITECH Act also established new breach notification requirements for covered healthcare providers and business associates. To maintain HITECH compliance, covered entities must notify patients of unauthorized access to “unsecure” (or unencrypted) PHI. This includes not only external cybersecurity breaches but also unauthorized internal access. If a data breach affects 500 or more patients, notification must also be provided to the U.S. Department of Health and Human Services (DHHS).
This has two key implications. Not only must covered entities ensure that they comply with HITECH’s breach notification requirements upon learning of a breach, but they must also have mechanisms to identify (and address) breaches when they occur. At Oberheiden P.C., our HITECH consultant works with our clients to help them implement effective cybersecurity safeguards so they can manage HITECH breach notification compliance effectively.
5. Compliance Documentation and Access to Records
Due to the risks of noncompliance (discussed in greater detail below), an effective approach to HITECH compliance management is essential. Not only must covered entities establish and maintain HITECH compliance, but they must also document their compliance efforts on an ongoing basis. This will allow them to affirmatively demonstrate compliance during an audit or investigation—which can be essential for avoiding unnecessary penalties.
Covered entities must also provide patients with access to their EHR upon request in compliance with the statute; and, during an audit or investigation, they must be prepared to provide relevant records to the inquiring auditor or agency. Thus, effective documentation is critical for several reasons, and this is something we prioritize with our clients.
Understanding the Risks of Noncompliance with the HITECH Act
The risks of noncompliance with the HITECH Act are substantial for both healthcare providers and business associates. Not only can healthcare providers face penalties for EHR noncompliance as noted above (calculated as a percentage of their Medicare billings), but providers and business associates can both face penalties under HIPAA for failing to adequately safeguard PHI. In cases involving accusations of willful neglect, these penalties can potentially add up to millions of dollars per year.
Noncompliance can lead to additional civil monetary penalties (CMP) under the False Claims Act and other federal statutes as well. In short, when it comes to HITECH compliance, covered entities have a lot at stake, and this makes a proactive approach to HITECH compliance essential.
Developing an Effective HITECH Compliance Program
With all of this in mind, what does it take to develop an effective HITECH compliance program? Here are some of the primary steps our HITECH lawyers and HITECH consultants take when assisting our clients:
- Comprehensive HITECH Compliance Needs Assessment – We conduct comprehensive HITECH compliance needs assessments so that we can provide custom-tailored compliance solutions to our clients.
- HITECH Compliance Program Development – After assessing an organization’s needs, we work closely with the organization’s key stakeholders to develop all necessary policies, procedures, and safeguards.
- HITECH Compliance Program Training and Implementation – Our HITECH lawyers and HITECH consultant also assist with training and implementation to ensure that our clients’ efforts to develop effective compliance programs do not go to waste.
- Ongoing Advice and Consultation – Our HITECH lawyers and HITECH consultants remain available to our clients to provide advice and insights as needed on an ongoing basis.
- Internal HITECH Compliance Audits and Improvements – We also assist our clients with conducting internal audits and cybersecurity stress tests so that they can make any improvements that are necessary to secure their patients’ data and withstand federal scrutiny when necessary.
FAQs: How to Effectively Manage HITECH Compliance
Are Healthcare Providers Required to Comply with the HITECH Act?
Yes, healthcare providers are required to comply with the HITECH Act. While the statute originally provided for an incentivized phase-in approach, today healthcare providers that fail to comply face financial penalties.
What is the Difference Between HIPAA and HITECH?
HITECH expands upon the healthcare recordkeeping requirements established under HIPAA. HITECH also establishes new requirements regarding electronic health records (EHR), data security, and breach notifications, and it imposes new and enhanced penalties for noncompliance.
What Federal Agency Enforces HITECH Compliance?
The U.S. Department of Health and Human Services (DHHS) and Centers for Medicare and Medicaid Services (CMS) are the primary federal agencies responsible for enforcing HITECH compliance. Healthcare providers and business associates can face scrutiny from auditors working with CMS as well; and, in cases involving cybersecurity breaches and other privacy issues, various other federal agencies may also get involved.
What are the Penalties for Not Being in Compliance with the HITECH Act?
As of 2024, healthcare providers that fail to comply with the HITECH Act’s EHR requirements can face penalties equal to 3% of their relevant Medicare billings. Noncompliance can also lead to penalization under HIPAA, the False Claims Act, and various other federal laws and regulations.
Do I Need a HITECH Lawyer or a HITECH Consultant?
To manage HITECH compliance effectively, healthcare associates need both lawyers who can advise them on the legal aspects of compliance and consultants who can assist with implementing effective EHR storage and cybersecurity protocols. At Oberheiden P.C., we have both lawyers and consultants on our team, so we are able to serve as a single source of HITECH compliance for our clients.
Speak with a HITECH Lawyer or HITECH Consultant at Oberheiden P.C.
Do you have questions (or concerns) about HITECH compliance? If so, we can help, and we invite you to get in touch. To schedule an appointment with a senior HITECH lawyer or HITECH consultant at Oberheiden P.C., please call 888-680-1745 or request a complimentary consultation online today.