Getting HITECH: Unraveling the Complexities of Compliance

The following is a guest blog post by Jason Carolan, CTO for ViaWest.

HITECH and HIPAA compliance are incredibly important to the bottom lines of many companies. But what exactly does this compliance entail? In 2009, the HITECH Act (Health Information Technology for Economic and Clinical Health) was passed, expanding the scope of the previous Health Insurance Portability and Accountability Act (HIPAA). HITECH enforces the rules of HIPAA, while invoking stiff fines for non-compliance. Now more than ever before it is absolutely imperative that companies working with healthcare organizations ensure they have all the facts before designing IT solutions. And one of the keys to having all the facts is knowing the core terminology.

A Covered Entity under the HIPAA privacy rule refers to health plan groups, health care clearinghouses and health care providers that transmit health information electronically, including doctors, dentists, chiropractors, insurers, Medicare, medical plans and billing services. These Covered Entities face the additional challenge of managing their Business Associates, revisiting agreements and ensuring privacy, security, enforcement and breach notification updates in order to meet the requirements of the Final Rule.

A Business Associate (BA) under the HIPAA privacy rule refers to a person or organization that conducts business with a Covered Entity that involves the use, access or disclosure of protected health information (PHI). HITECH also specifies that an organization that provides data transmission of PHI is a BA. Examples of BAs include vendors, subcontractors and IT service providers that provide managed hosting services requiring access, use or disclosure of PHI.

All HIPAA Covered Entities and Business Associates must comply with security controls to safeguard PHI through the following due diligence efforts:

  • Ensure the confidentiality, integrity, and availability of PHI
  • Protect against any reasonably anticipated threats and hazards
  • Protect against reasonably anticipated uses or disclosures of PHI that are not permitted
  • Ensure compliance by its workforce through Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements and Policies and Procedures
  • Document breach notification procedures and the timeliness of breach notification

Covered Entities and Business Associates who have a strong security posture and can prove their due diligence through the establishment and audit of controls and breach preparedness have a lower risk of fines than those companies that do nothing. Proven due diligence includes:

  • Prioritizing compliance efforts
  • Building a culture of awareness
  • Implementing security policies
  • Conducting risk assessments
  • Enforcing and validating controls to protect PHI

IT departments are dealing with flat or shrinking budgets. With a larger share of the IT budget consumed by compliance, CIOs and CTOs face growing resource pressure without any corresponding growth in budget. Failing on compliance can bring stiffer punishments and fines, so more and more companies are looking at outsourcing so that they can share the burden and ensure they aren’t missing important components.

An audit may not be a pleasant experience, but it’s a reality, and being prepared is the key. The right technology provider can help you not just with a compliance checklist, but can take it a step further and provide a comprehensive set of solutions to be “baked in” upfront – minimizing the risk of audit or the “pain” of the audit if you are in the midst of one.

With increased regulation comes increased risk and complexity surrounding HIPAA compliance. Are you confident in your company’s data security?

About the author

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.