Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is HITECH Compliance and How to Meet Its Requirements

What is HITECH Compliance

HITECH stands for the Health Information Technology for Economic and Clinical Health Act. It was signed into law in 2009 in the USA as part of the American Recovery and Reinvestment Act (ARRA).

The purpose of the HITECH Act was to encourage more healthcare providers in the USA to make proper use of electronic health records (EHR), whilst doing so in a responsible and secure way. The key phrase in HITECH is “meaningful use”. Meaningful use refers to how healthcare providers should be using EHR technology; more specifically, EHR technology should be used in a way that can be measured and quantified.

The Relation Between HITECH and HIPAA

Title I of HIPAA, which is concerned primarily with the portability of health insurance and protecting workers' rights, has little to do with HITECH. However, Title II of HIPAA, which covers security controls around protected health information, is far more closely linked to HITECH.

The HITECH Act and HIPAA work together to help organizations adopt electronic health records whilst implementing the appropriate technical safeguards to ensure that the data is secure. HITECH required the Secretary of the HHS to issue guidance every year to healthcare providers to help them do this in the best way. It also enabled governing bodies to issue stricter fines for HIPAA violations and introduced new requirements, which we will go through in this article.

Goals of HITECH Compliance

In order to achieve the ultimate goal of HITECH, which is to promote the use of electronic health records, the Act defines three phases of meaningful use. These are broken down into stages.

HITECH Stage 1

The rules of this stage are not pinned down completely; they will vary depending on the covered entity. There are dozens of objectives that you will have to meet, and they are split into multiple categories: core objectives, menu objectives and clinical quality.

Core objectives include things like Computerized Provider Order Entry (CPOE), menu objectives include things like submitting electronic data to the right locations, and clinical quality includes weight screening and electronic blood pressure monitoring, etc.

HITECH Stage 2

HITECH Stage 2 requires more sophisticated use of EHRs. There are two categories (core objectives and menu objectives) for hospitals and for professionals, and the actual objectives themselves differ for each category. Essentially, Stage 2 expands upon the rules of Stage 1, ensuring that organizations have improved their electronic security through encryption, risk analysis, technology, policies and practices.

HITECH Stage 3

This stage contains 8 requirements that both professionals and hospitals need to meet. They are broad but closely related to Stages 1 and 2. These requirements include:

  • Secure ePHI
  • Make sure you can create electronic prescriptions
  • Implement Clinical Decision Support
  • Implement CPOE
  • Make sure patients can access electronic files in a timely manner
  • Ensure care is coordinated
  • Health Information Exchange
  • Public Health Reporting

Security Benefits of HITECH Compliance for Patients

The most obvious benefit that patients gain from the HITECH Act is electronic access to their own protected health information. The HITECH Act also requires covered entities to notify patients of any data breaches involving their ePHI or PHI. If more than 500 records are involved in a data breach, then the covered entity must also report the breach to the Department of Health and Human Services. There are strict penalties for such incidents as well.

HITECH also allots a large budget for companies to improve their adoption and protection of electronic data, which benefits both healthcare companies and patients.

HITECH Compliance Best Practices

Achieving and maintaining HITECH compliance requires organizations to do a number of things. First, healthcare providers should ensure that all employees and business partners receive regular, detailed training on what the HITECH requirements are, so that meaningful use of EHR technology is achieved and the organization's security policies and procedures are followed properly.

Secondly, organizations will need to implement a data security platform to help ensure the security and integrity of PHI and ePHI. Such a solution will need to classify sensitive data covered by HITECH and HIPAA at the point of creation, and show which users have access to it. It will also need to detect anomalous user behavior in relation to this data, and alert whenever any changes are made to the data or to the surrounding permissions that may constitute a breach of compliance.

Organizations need to ensure that they are operating on a zero-trust policy where users only have access to the data they need to fulfill their role. Start from the viewpoint that all your users are potential threats to your security and compliance, and limit access where possible.

Make sure that the data security platform that you choose will keep a detailed audit log, and allow you to run regular risk assessments so that you can produce detailed audit reports and investigate effectively when required. All of your internal training and policies surrounding HITECH will also need to be regularly audited to make sure they are up to date and effective.

How Lepide Helps with HITECH Compliance and Security

The Lepide Data Security Platform is specifically designed to help organizations achieve and maintain HITECH compliance through persistent classification, access governance and behavioral analytics.

Lepide enables organizations to scan for, discover and classify their protected health information. Admins can then generate a list of users who have access to that data, as well as a list of users with excessive permissions that should be revoked. Whenever any of these permissions change, Lepide alerts the admins in real time and can execute automated threat response templates if required.

Lepide uses enhanced anomaly spotting technology to determine normal user behavior and alert admins in real time whenever an anomaly occurs (including single point anomalies). Again, threat response templates can be executed on the generation of any alert to help shut down or mitigate the threat.

Lepide also contains hundreds of pre-set compliance reports for HIPAA, HITECH and other compliance mandates that collate audit data from detailed event logs into readable, actionable reports, making it easy to keep an eye on events and investigate suspicious or unwanted changes.

If you’d like to see how the Lepide Data Security Platform can help you to achieve and maintain HITECH compliance, schedule a demo with one of our engineers.