Do you comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH)?
Explanation
HITECH compliance is the focus here, specifically whether you meet the requirements of the Health Information Technology for Economic and Clinical Health Act, which strengthened HIPAA enforcement. The HITECH Act expanded and strengthened the privacy and security provisions of HIPAA (Health Insurance Portability and Accountability Act).
The HITECH Act includes requirements for:
- Notification of breaches of unsecured protected health information (PHI)
- Restrictions on the sale of PHI
- Limitations on marketing and fundraising communications
- Expanded individual rights to access electronic medical records and restrict disclosures
- Increased penalties for HIPAA violations
- Extended HIPAA requirements directly to business associates
This question is being asked in a security assessment because organizations handling protected health information must comply with HITECH requirements to protect patient privacy and avoid significant penalties. Assessors want to ensure that your organization has implemented the necessary controls and processes to meet these legal requirements if you handle PHI.
To best answer this question, you should:
- Clearly state whether you comply with HITECH requirements
- Provide specific details about how your organization meets these requirements
- Mention any relevant certifications or assessments that demonstrate compliance
- If you don't handle PHI at all, explain that HITECH is not applicable to your services
If you're not fully compliant but are working toward compliance, be transparent about your current status and timeline for full compliance.
Guidance
Refer to HIPAA regulations documentation for supplemental guidance in this section.
Example Responses
Example Response 1
Yes, our organization fully complies with the HITECH Act requirements We have implemented comprehensive policies and procedures to meet all HITECH provisions, including breach notification protocols, access controls, and audit logging for PHI We conduct annual HIPAA/HITECH risk assessments and have documentation of our compliance program Our staff receives regular training on HIPAA/HITECH requirements, and we maintain Business Associate Agreements with all relevant third parties We have implemented technical safeguards including encryption of PHI at rest and in transit, access controls based on the principle of least privilege, and comprehensive audit logging of all access to PHI Our compliance has been verified through independent third-party assessments conducted annually.
Example Response 2
Yes, we comply with HITECH requirements as they apply to our role as a Business Associate Our cloud infrastructure services that may process PHI are designed with HITECH compliance in mind We maintain a formal HIPAA compliance program that includes the enhanced requirements introduced by the HITECH Act This includes breach notification procedures, encryption of all PHI, access controls, and comprehensive logging and monitoring We provide our customers with a signed Business Associate Agreement (BAA) that addresses HITECH requirements While we provide the compliant infrastructure, we work with our customers to ensure they understand their responsibilities for configuring and using our services in a compliant manner.
Example Response 3
No, we do not currently fully comply with all HITECH Act requirements While we have implemented many security controls aligned with HIPAA requirements, we have identified gaps in our breach notification procedures and our ability to provide electronic access to information as required by HITECH We are actively working to address these gaps through a formal remediation plan with expected completion within the next 6 months In the interim, we have compensating controls in place, including enhanced monitoring and manual processes to detect and respond to potential breaches We currently do not recommend using our service for PHI until our compliance program is complete, and we do not sign Business Associate Agreements at this time.
Context
- Tab
- Case-Specific
- Category
- HIPAA Compliance
Related questions
- Do your workforce members receive regular training related to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules and the HITECH Act?
- Have you identified areas of risk?
- Have the relevant policies/plans been tested?
- Have you entered into a Business Associate Agreements with all subcontractors who may have access to protected health information (PHI)?
- Do you monitor or receive information regarding changes in HIPAA regulations?
- Has your organization designated HIPAA Privacy and Security officers as required by the rules?

