HITECH Act Subtitle D Audit Checklist
Soumya Ghorpade
The HITECH Act was passed in 2009 to strengthen HIPAA standards, such as breach notifications. While there are four subtitles under the HITECH Act, our focus will remain on Subtitle D, as this relates specifically to improving healthcare data privacy and security.
There are three primary types of audits associated with HITECH compliance: security, business associate and breach notification. A Security Risk Analysis is required under the Security Rule.
1. Security Policies and Procedures
The HITECH Act was intended to facilitate the use of new electronic healthcare infrastructure. It incentivizes healthcare providers to adopt and implement technologies that will enhance patient outcomes, efficiency and cost reduction. At the same time, these new technologies create additional risks such as data breaches or information leakage.
In order to mitigate risks associated with data breaches, HITECH requires organizations to establish policies and procedures to protect ePHI. A security audit must also be performed regularly to verify compliance with HIPAA security rules as well as devise an adequate response plan in case of data breach.
The audit will assess various areas such as IT risk assessment, physical site security, employee training and procedures, asset and device management, breach notification policies and breach notification processes within an organization. Specifically, this audit will ensure there is an established process to inform affected individuals, the Secretary of Health and Human Services and, where required, media outlets if a data breach occurs.
2. Business Associate Agreements
The HITECH Act provided stronger civil and criminal enforcement of HIPAA by giving State Attorneys General more authority to prosecute violations. Furthermore, tougher penalties were implemented that encouraged organizations to take their compliance obligations seriously.
Business Associates are vendors who perform services on behalf of Covered Entities that require sharing electronic protected health information (ePHI), such as EHR providers, software vendors, data analysis services, cloud computing providers, legal services firms, actuarial firms or accreditation agencies.
The HITECH Act established the same stringent privacy regulations for Business Associates as it did for Covered Entities, mandating that all Business Associates enter into and adhere to a Business Associate Agreement (BAA) and provide breach notifications when needed. You must also vet them through a questionnaire that assesses their own security practices; failing to do so may result in costly breaches or lawsuits for your organization.
3. Privacy Policies and Procedures
HITECH also requires healthcare organizations to comply with privacy policies and procedures, such as policies pertaining to the use, disclosure and protection of electronic protected health information (ePHI). A complete compliance program must include procedures for reporting data breaches or security incidents and must consider their impacts both on patients as well as workforce members.
This act includes several provisions designed to incentivize adoption and meaningful use of electronic health records (EHRs) while improving HIPAA enforcement and liability protections for Covered Entities, Business Associates and other participants in electronic transmission of healthcare data – among these is an increased maximum penalty of $1.5 million per incident and new guidelines regarding Business Associate responsibilities and liabilities.
The Act also mandates that Covered Entities conduct self-audits to evaluate and assess the effectiveness of their privacy and security compliance programs, at least six times each year. These self-audits must include an inventory review as well as procedures for erasing or destroying electronic Protected Health Information stored on the inventoried devices.
4. Breach Notification Procedures
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) incentivized healthcare technology adoption while also creating significant security risk. Subtitle D of the HITECH Act modified HIPAA to address these risks while strengthening enforcement of existing privacy and security rules.
An unsecured electronic Protected Health Information (ePHI) breach can pose a serious threat to both patient health and safety, as well as to healthcare organizations’ reputations. As part of the HITECH Act, Covered Entities and Business Associates must notify individuals, the Secretary of Health and Human Services, and in certain instances even media when such breaches of unprotected ePHI occur.
An audit to ensure compliance with HITECH involves creating an asset and device inventory of the devices that access electronic PHI, and verifying that appropriate safeguards are in place – for example, by reviewing all potential PHI disclosures on every device and identifying any violations that might have taken place.