by Government Relations Staff

February 19, 2009 — Congress enacted the HITECH Act as part of the American Recovery and Reinvestment Act on February 17, 2009. The HITECH Act calls for the voluntary adoption of HIT technology throughout the health care system. The new law substantially expands the federal government's effort to establish a national electronic patient records system by 2014, while providing for comprehensive records privacy and security standards.


In April 2004, President George W. Bush issued an executive order to provide federal leadership in the development and national implementation of an interoperable electronic patient records system by 2014. His order established the Office of the National Coordinator for Health Information Technology (ONC) to lead efforts to evolve health information technology (HIT) (e.g., computer hardware and software) in transforming the current, mainly paper-based records system to an electronic one. The ONC also was tasked to support the work of a federally recognized standards-setting body (the National eHealth Collaborative) to provide interoperability, privacy and security, and other standards in the development of electronic records.

States and local governments, as well as various health care systems, insurers, hospitals and communities across the country also have been working toward electronic patient records for some time. Certain distinct and insular health systems, such as the Veterans Administration health care system, already have electronic records in place.

It is believed that the use of HIT in the creation of electronic health patient records will:

  • Allow for comprehensive management of health information and help patients maintain and share their records securely with their health providers;

  • Improve health care quality, prevent medical errors, and reduce costs through decreased paperwork and increased administrative efficiency;

  • Give health providers ready access to complete patient information in a standard, electronic form for medical decisions and for payment purposes; and

  • Improve early detection of disease outbreaks and chronic disease management.

While there is a widespread belief that the administrative, quality-of-care and other efficiencies associated with HIT will mean that electronic records will substantially lower health care costs across the system, HIT implementation may be expensive, particularly for larger entities, such as hospitals and insurers. These and other health care entities and providers-including small and individual providers-have sought federal and state assistance to help address these costs.

In addition, the APAPO and other organizations have insisted that privacy and security standards must be a core component of HIT and electronic records' development to address particular concerns with movement of records from a paper-based to an electronic-based system.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and related Rules (which took effect beginning in 2003) were the federal government's first major effort to encourage a national electronic records system. While significant, these voluntary standards apply only to "covered entities," meaning health providers, health plans, and health care clearinghouses (usually those entities that assist providers or health plans with records processing).

The HITECH Act Seeks to Accomplish a National Electronic Patient Records System in Three Ways. The New Law —

Funds the ONC and places it under U.S. Department of Health and Human Services (HHS) oversight. To this end, the HIT standards-setting process is also funded and placed under HHS.

  • The ONC will consider the recommendations provided by the standards committees. The ONC will then present any recommendation that it endorses to the HHS Secretary, who then may adopt the standards through regulation to apply to the health system.

  • In addition to endorsing standards for HHS consideration, the ONC will coordinate HIT efforts among federal agencies, shepherd the overall federal strategic plan for adoption, and certify HIT technology for use in the system.

Provides grants and loans to health care providers — including psychologists — hospitals, nursing facilities, federally qualified health centers, community mental health centers and other entities in the health care system for implementation of HIT into their practices and facilities.

  • Primarily, HHS will provide grants to states to assist their efforts in promoting HIT technology and adoption of electronic patient records by providers. HHS will also establish through the states and Indian tribes a loan program to assist with adoption.

  • The ONC also may offer HIT technology to health providers for a "nominal" fee, unless the HHS Secretary determines that their needs are already being met through the marketplace, and taking into account the financial circumstances of smaller, low income or rural providers.

  • HHS will provide an extension program — including through regional centers — to assist providers as they adopt certified technology into their practices and facilities. Regional centers will focus assistance on rural and individual and small group practices, among other providers.

  • HHS will provide grants for demonstration programs for the development of academic curricula that integrates HIT technology into the clinical education of health professionals, including for graduate programs in behavioral or mental health.

  • In another part of the American Recovery and Reinvestment Act, Congress provides for Medicare incentive payments to physicians for the adoption of certified HIT technology into their (non-hospital-based) practices. These payments are significant in the first year and are phased out over a five year period. The stimulus package also provides for hospital incentive payments and modest Medicaid payments for a limited pool of providers (psychologists are not eligible). HHS may provide funding to support the development and adoption of electronic records for providers not eligible for these incentive payments and will conduct a study to determine how these payments may be applied to other providers.

Includes comprehensive patient records privacy and security provisions.

  • In general. ONC must ensure that patient's records are "secure and protected" and that the standards setting committees provide for such standards.

  • Privacy officer. A new HHS Chief Privacy Officer will advise the ONC on privacy and security issues and coordinate HHS work with other federal agency and state and regional efforts.

  • Applies HIPAA to electronic records networks. The HITECH Act expands the HIPAA Privacy, Security, and other requirements to apply to other entities beyond HIPAA covered entities, by deeming them as "business associates" of covered entities. Through this provision, Health Information Exchanges, Regional Health Information Organizations, and E-prescribing Gateways, for example, are now covered by HIPAA, when they act on behalf of providers, insurers or other covered entities.

  • Study on records' vendors. HHS will conduct a study and report to Congress on the privacy and security standards that should be applied to vendors of patient records. A vendor is an entity which maintains patient records but which is not a covered entity or a business associate of a covered entity under the law.

  • Stronger state laws preserved. The new law preserves stronger state privacy and related laws through application of the HIPAA preemption standard.

  • Preserves privilege. The HITECH Act preserves patient-provider privilege, including the psychotherapist-patient privilege recognized under federal common law.

  • Sensitive records segmentation. The standards committees must specifically make recommendations regarding technologies that provide for segmentation of particularly sensitive health information (mental health and substance use information would fall into this category). "Segmentation" is a concept that would provide additional protections for these records from inappropriate disclosure beyond treating providers.

  • Mental health testing records. Requires that HHS shall conduct a study on inclusion of mental health testing records in the current HIPAA Privacy Rule psychotherapy notes authorization requirement, which requires specific patient authorization of release of psychotherapy notes to entities beyond his or her treating provider.

  • Minimum necessary. Reaffirms the HIPAA Privacy Rule protection that disclosure of information must be confined to a limited data set of information on the patient or to the minimum amount necessary to accomplish the intended purpose of the disclosure. The HHS Secretary will issue further guidance regarding the "minimum necessary" requirement.

  • Private pay opt-out. Expands the HIPAA Privacy Rule protection that allows patients to restrict access to their records to allow patients who pay privately for services to not have their records shared with insurers for payment or administrative purposes.

  • Accounting of disclosures. Significantly expands the HIPAA Privacy Rule protection to require that a patient may have an accounting by an insurer (or other entity) for disclosures of his or her record for administrative purposes. The standards committees will make recommendations towards this end.

  • Breach notification. Requires covered entities and their business associates to notify a patient when his or her records have been breached so that the patient may mitigate the damage associated with the breach. Expands breach notification to apply to vendors of health records.

  • Marketing limitations. The new law further limits the ability of insurers, providers or other entities to use patient information for marketing purposes.

  • Improved enforcement. The HITECH Act provides for improved enforcement and greater penalties for violation of privacy and security standards, including permitting enforcement through state attorneys general.

  • Know-your-rights education. HHS will offer assistance and guidance in helping health providers, insurers, employers, patients and other entities in understanding their rights and responsibilities related to federal privacy and security requirements and will conduct a public education campaign about electronic records and rights regarding those records.