HITECH and HIPAA
• Describe the purposes of the Health
Information Technology for Economic and
Clinical Health (HITECH) Act of 2009
• Explore how the HITECH Act is enhancing the
security and privacy protections of the Health
Insurance Portability and Accountability Act
(HIPAA) of 1996.
• Determine how the HITECH Act and its impact
on HIPAA apply to nursing practice.
• Nurses need to be familiar with the goals and
purposes of the HITECH Act of 2009, including the
Medicare and Medicaid HIT provisions of the law.
• How it enhances the security and privacy
protections of the Health Insurance Portability
and Accountability Act (HIPAA) of 1996
• How it otherwise impacts nursing practice in the
emerging EHR age
• The concepts of “meaningful use” and “certified
Overview of the HITECH Act
• The HITECH Act established the Office of the National Coordinator
for Health Information Technology (ONC) within the U.S.
Department of Health and Human Services (HHS).
• The ONC is headed by the National Coordinator, who is responsible
for overseeing the development of a nationwide HIT infrastructure
that supports the use and exchange of information in order to
– improve health care quality
– reduce the cost of health care
– improve people’s health by promoting prevention, early detection and
management of chronic diseases
– protect public health by fostering early detection and rapid response
to infectious diseases, bioterrorism, and other situations
– facilitate clinical research
– reduce health disparities
– better secure patient health information
• Improving health care quality has been an ongoing challenge in this
How a National HIT Infrastructure is
• Developing a national HIT infrastructure is an
enormous and extremely complex undertaking
that requires extensive financial, technological,
and human resources.
• Monetary incentives are available to clinicians
and facilities who implement EHR systems that
meet the specific standards.
• Providers that fail to adopt such systems within
a specified time frame may be subject to
significant governmental penalties.
Health Insurance Portability and
Accountability Act (HIPAA) of 1996
• Intent of the act was to
– curtail healthcare fraud and abuse
– enforce standards for health information
– guarantee the security and privacy of health
– assure health insurance portability for employed
• Consequences were put into place for institutions
and individuals who violated the requirements of
How the HITECH Act Changed HIPAA
• The OCR is part of HHS and is responsible for enforcing
• Compliance with the Privacy and Security Rules is
mandatory for all covered entities
• Entities are to conduct regular audits to assure
compliance, and any breaches in the privacy or security
of PHI must be remedied immediately
• Improved privacy and security of patient health
information by applying the requirements of HIPAA
directly to the business associates of covered entities.
• Strengthens the enforcement of HIPAA
Potential Legal Issues Associated with
• BYOD (bring your own device): Healthcare
organizations typically do not encourage personal
devices and in many instances actually have
policies in place forbidding employees from using
personal devices in the workplace.
– Policies may restrict use to devices issued by the
organization, secured, and routinely audited
• Social Media Use
– Nurses who engage with social media need to be
especially cognizant of a potential breach of
confidentiality of patient information.
Implications for Nursing Practice
• Be involved
• Stay involved
• Protect yourself
• The HITECH Act and the HIPAA Privacy and Security Rules are intended
to enhance the rights of individuals.
• These laws provide patients with greater access and control over
their PHI. They can control its uses, dissemination, and disclosures.
• Covered entities must establish not only a required level of security
for PHI but also sanctions for employees who violate the
organization’s privacy policies, and administrative processes for
responding to patient requests regarding their information.
• They must be able to track the PHI and record what information was
accessed, by whom, and any disclosures.
• There is global awareness of the need for privacy protections for
personal health information or PHI.