The Health Information Technology for Economic and Clinical Health Act (HITECH Act) legislation was created in 2009 to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States. President Obama signed HITECH into law on Feb. 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (ARRA) economic stimulus bill.
The Office of the National Coordinator (ONC) for Health Information Technology was established in 2004 within the Department of Health and Human Services. The HITECH Act gave the ONC the authority to manage and set standards for the stimulus program. It also established grants for training centers for the personnel required to support new health IT infrastructure in healthcare organizations.
HITECH Act summary
As it was originally enacted, HITECH stipulated that, beginning in 2011, healthcare providers would be offered financial incentives for demonstrating "meaningful use" of EHRs until 2015, after which time penalties may be levied for failing to demonstrate such use.
Providers can start using EHRs as late as 2014 and avoid penalties, but the amount of incentives they are eligible to receive will be less than that available to earlier adopters. The rollout of meaningful use is happening in three stages; providers must demonstrate two years in a stage before moving on to the next one. Because adoption for stage 2 has been slow, the Centers for Medicare and Medicaid Services (CMS) announced in mid-2014 that it will put stage 3 off until 2017.
HITECH Act regulations and meaningful use stages
Another HHS department, CMS, under advisement from the ONC, created meaningful use attestation requirements in three stages. Meaningful use stage 1 set a minimum bar of 25 total criteria: 15 core requirements and 10 "menu" requirements. Physicians and hospitals have different requirements for some of the criteria. Some of the core requirements included using a computerized physician order-entry (CPOE) system.
Meaningful use stage 2 upped the ante by enforcing stage 1 requirements and introducing new ones, such as demonstrating the ability to exchange key clinical information between providers of care and patient-authorized entities electronically.
CMS policymakers are currently writing meaningful use stage 3 requirements. The authors have claimed they plan to release a proposed set in late spring 2015.
Meaningful use attestation
Healthcare organizations are required to go through a process of meaningful use attestation -- compliance and governance paperwork -- to prove they have completed the stage requirements and are eligible for reimbursements. Organizations that do not attest on time will incur penalties. Some organizations have chosen to opt out of the program at stages 2 and 3 because of lack of progress on meeting the requirements or lack of budget to complete the tasks.
Part of the meaningful use requirements involves using ONC-Certified EHR Technology, frequently referred to by regulators as "CEHRT." ONC writes the certification rules, which vendors must apply to their medical records software in order for their customers to receive incentives.
HIPAA and HITECH
HITECH and HIPAA (the Health Insurance Portability and Accountability Act) are separate and unrelated laws, but they do reinforce each other in certain ways. For example, HITECH stipulates that technologies and technology standards created under HITECH do not compromise HIPAA privacy and security laws.
It also requires that any physician or hospital that attests to meaningful use must also have performed a HIPAA security risk assessment as outlined in the "Omnibus rule," or 2013 digital update to the original 1996 law. Another example: HITECH established data breach notification rules; HIPAA's omnibus update echoes those rules and adds details such as holding healthcare providers' business associates to the same liability for data breaches as the providers themselves.