In this lesson, we're going to cover the HITECH Act, including its goals, its importance, and some of its key provisions. At the end of the lesson, we'll answer some common business associate agreement questions.

The HITECH Act (Health Information Technology for Economic and Clinical Health Act) was introduced during the Obama administration and signed into law on February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The HITECH Act expanded the responsibilities of business associates under the HIPAA Security and Privacy Rules, making them directly liable for compliance rather than bound only by contract. Responsibilities and requirements for covered entities and their business associates include:

  • Notifying affected individuals (and HHS, and in larger breaches the media) following a breach of unsecured protected health information, meaning PHI that has not been rendered unusable or unreadable by encryption or destruction in line with HHS guidance
  • Limiting the sale of PHI and its use in marketing and fundraising communications
  • Honoring stronger individual rights to access electronic medical records
  • Restricting the disclosure of certain information, such as honoring a patient's request not to disclose to a health plan care that was paid for in full out of pocket
  • Using PHI only for permitted purposes
  • Protecting PHI at all times

The Goals of the HITECH Act

The HITECH Act was established to promote and expand the adoption of health information technology, specifically, the use of electronic health records by healthcare providers.

The Act also closed some of the gaps in HIPAA by tightening its language. This helped ensure that all business associates complied with the HIPAA Rules and that, when health information was compromised, affected individuals were notified in a timely manner (the Breach Notification Rule requires notification without unreasonable delay and no later than 60 days after discovery).

Tougher penalties for HIPAA compliance failures were also introduced, in a tiered structure that scales with culpability, from violations the entity did not know about up to willful neglect left uncorrected, to add an extra incentive for healthcare organizations and their business associates to comply with the HIPAA Privacy and Security Rules.

The Importance of the HITECH Act

Prior to the introduction of the HITECH Act, only 10 percent of hospitals had adopted electronic health records. In order to advance healthcare, improve efficiency and care of patients, and make it easier for health information to be shared between different covered entities, electronic health records needed to be adopted.

The HITECH Act introduced incentives, the Medicare and Medicaid EHR Incentive Programs (commonly called Meaningful Use), to encourage hospitals and other healthcare providers to make the change from paper records to electronic records. Had the Act not been passed, there is a good chance that many healthcare providers would still be using paper records today.

The HITECH Act also helped to make certain that healthcare organizations and their business associates were complying with the HIPAA Privacy and Security Rules, were implementing safeguards to keep personal health information private and confidential, were restricting the uses and disclosures of health information, and were honoring obligations to provide patients with copies of their medical records upon request.

The Act did not make compliance with HIPAA mandatory. That was already a requirement. However, it did make certain that entities found not to be in compliance could be issued substantial fines. Penalties help increase compliance, and sometimes the only language that businesses understand is one that affects the bottom line.

Some Common Business Associate Agreement Questions

Who does a business associate agreement apply to?

Covered entities can be fined for not having a HIPAA business associate agreement in place, or for having an incomplete one. The absence of an agreement does not let the vendor off the hook either: since HITECH, business associates are directly obligated to comply with the HIPAA Security Rule (and with the Privacy Rule provisions that apply to them) whether or not a BAA was ever signed.

The issue for many covered entities, however, is that they are often unsure who a HIPAA business associate agreement actually applies to. The Department of Health and Human Services defines a business associate as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Members of the covered entity's own workforce are not business associates.

However, exclusions to this definition exist, and the scope of a covered entity's relationship with a vendor may change over time, so the determination has to be revisited rather than made once. It's not exactly black and white, or even static.

Can you insist that every contractor sign a BAA?

Some covered entities have taken a better-safe-than-sorry approach to the definition problem and have executed agreements with every entity they do business with, even when one is not required.

Research funded by the California Healthcare Foundation found that many covered entities were entering into agreements with other covered entities unnecessarily, and with vendors who had no access to PHI and were never likely to. Unnecessary agreements add contractual overhead without reducing risk.

What does access to ePHI include?

Many vendors are never handed PHI to perform a task on behalf of the covered entity, yet ePHI passes through or sits on their systems. A software or hosting solution that creates, receives, maintains, or transmits ePHI makes its provider a business associate. The one exception is for conduits: entities such as ISPs or couriers that merely transmit ePHI (including any temporary storage incidental to transmission) and do not access it other than randomly or infrequently. HHS has made clear that this exception is narrow. A cloud service provider that stores ePHI is a business associate even if the data is encrypted and the provider never holds the decryption key, so most cloud service and software providers are not excepted from compliance with HIPAA and BAAs are required.

Can I use a business associate agreement template?

There are many HIPAA business associate agreement templates available, but care should be taken before using one. Check for whom the template was designed to make sure it's relevant, and confirm it covers the provisions the Privacy Rule requires in a BAA (45 CFR 164.504(e)), such as permitted uses and disclosures, required safeguards, breach and incident reporting, flow-down of the same terms to subcontractors, and return or destruction of PHI at termination. It should also be tailored to include any additional requirements stipulated by the covered entity.