HIPAA + HITECH: Maintain Compliance For Your Medical Practice

March 7, 2022 by Antonio Arias, MBA, CHBME

Topics: Revenue Cycle Management, Medical Credentialing

In today’s world, cyber threats are constantly targeting the healthcare industry in order to steal patient information and exploit sensitive data. In fact, healthcare data breaches cost US industries more than $6 billion annually. In an effort to combat this relentless barrage of attacks, there are certain compliance regulations to which healthcare organizations must adhere: HIPAA and HITECH.

While these pieces of legislation are distinct from each other, they complement each other in terms of safeguarding patient data and establishing rules for managing sensitive information so that hackers aren’t able to easily access it.

Keep reading to learn more about each set of requirements and how your medical practice can maintain compliance, protect patient information, and streamline your overall operations while keeping good cybersecurity measures in place.

Quick Links:

What Is HIPAA?

As defined by the Centers for Disease Control and Prevention (CDC), “The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” Basically, HIPAA ensures personal health information (PHI) isn’t inappropriately transferred or managed so that the patient’s data is secure and their privacy is respected.

Since PHI can take many forms across an array of industries and services, there are various types of individuals and organizations who must follow HIPAA guidelines as they come across it, including:

  • Healthcare providers: This might be obvious, but healthcare professionals can have access to multitudes of information for countless patients, so it’s critical that they maintain HIPAA compliance when managing patient information
  • Health plans: Whether private insurance or other programs like Medicare, health plans and their related agencies and personnel must follow HIPAA compliance
  • Healthcare clearinghouses: These organizations act as the go-between for processing information; while perhaps not directly involved in patient care or managing health insurance plans, they still need to maintain HIPAA compliance
  • Business associates: This category covers a wide variety of third-party vendors or organizations who handle or have access to personal health information for whatever reason; each must adhere to HIPAA compliance

Essentially, the goal of HIPAA legislation is to protect patient information across all platforms or potential areas where that information might be accessed; therefore, it’s crucial that all pertinent parties follow HIPAA regulations.

maintain hipaa and hitech compliance


The Health Information Technology for Economic and Clinical Health Act (HITECH) was passed after HIPAA, in 2009, and establishes technological requirements that align with HIPAA and introduces the Breach Notification Rule which mandates that all breaches of 500+ individual records be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

HITECH was signed into law as part of the American Recovery and Reinvestment Act (ARRA) and emphasizes the importance of adopting technology in the healthcare industry, specifically the use of electronic health record systems, in order to boost the quality of care, ease of communication, and security for the patient’s personal health informatin. 

The legislation itself uses the language “meaningful use” for implementing healthcare technology, which highlights that the technology was meant to be used intentionally and with purpose. In this context, “meaningful use” entails leveraging these resources to achieve one or more of these five goals:

  • Improve quality, safety, and efficiency
  • Engage patients in their care
  • Increase coordination of care
  • Improve the health status of the population
  • Ensure privacy and security

These five goals are cornerstones of healthcare legislation like the HITECH Act, which promises to streamline operations and protect sensitive patient information.

The HITECH Act is comprised of six parts:

  • Meaningful Use program: Establishes the goals of implementing technology in a variety of manners within the healthcare field
  • Business associate HIPAA compliance: This addressed a loophole in HIPAA legislation that was exploited by Covered Entities claiming they didn’t know that a Business Associate wasn’t compliant; with HITECH, more stringent reporting requirements were outlined
  • Breach notification rule: Patients whose information was accessed or stolen in a cybersecurity breach must be notified within 60 days
  • Willful neglect and auditing: Under the HITECH legislation, audits for HIPAA or HITECH violations could now result in a tiered system of fines depending on the findings of the audits
  • HIPAA compliance updates: Once again fortifying HIPAA legislation, this component of the HITECH Act increased potential fines for violations and tightened up restrictions
  • Access to electronic health records: With HIPAA, patients were given rights to obtain a copy of their records in physical form; with HITECH, patients were given rights to obtain an electronic copy of their records

Each one of these components plays a vital role in HITECH legislation and its importance to the progression of patient protection.

The Importance of Maintaining HIPAA and HITECH Compliance for Your Medical Practice

HIPAA and HITECH compliance means that your medical practice is doing its due diligence to protect patient information and that your patient records and other sensitive data are being managed, stored, and shared appropriately. Ensuring that only authorized parties have access to personal health information means that collaborative care can happen securely and in a streamlined manner.

what is hitech compliance

How to Maintain HITECH Compliance

There are three foundational principles that your medical practice can implement in order to maintain HITECH compliance:

Train Your Employees

In order for the staff at your medical practice to be compliant with HIPAA, HITECH, and other pertinent regulations, they need adequate training. After establishing a comprehensive understanding of the regulations, it’s a good rule of thumb to regularly review the regulations and how their role within the organization impacts compliance measures.

Establish an Information Security Program

Upon individually training or reviewing HITECH compliance regulations with your staff, establish an information security program or committee within your medical practice to keep everyone compliant.

Utilize Best Cybersecurity Practices

Across every component of your medical practice, it’s imperative to utilize good cybersecurity practices regarding information storage, frequently updating passwords, using strong passwords, restricting access for former employees, and more. This will help ensure that your medical practice isn’t subjected to a data breach.

Partner with NCG to Handle Your Revenue Cycle!

If your administrative team is frequently overwhelmed with the stress and intricacies of the medical billing and coding process, constantly facing claim rejections, and trying to stay up to date on new insurance or Medicare regulations, then it’s time to consider partnering with a medical billing firm to handle your revenue cycle.

Partnering with a medical billing firm like NCG can significantly optimize your revenue cycle by comprehensively streamlining your medical billing and coding processes—empowering your team to ensure compliance across the board and deliver quality care to your patients.

New call-to-action

Subscribe to Our Blog

Stay in-the-know on trends, best practices, and news affecting the medical billing industry!