HIPA-07

Do you comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH)?

Explanation

This question is asking whether your organization complies with the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act expanded and strengthened the privacy and security provisions of HIPAA (Health Insurance Portability and Accountability Act).

The HITECH Act includes requirements for:

1. Notification of breaches of unsecured protected health information (PHI)
2. Restrictions on the sale of PHI
3. Limitations on marketing and fundraising communications
4. Expanded individual rights to access electronic medical records and restrict disclosures
5. Increased penalties for HIPAA violations
6. Extended HIPAA requirements directly to business associates

This question is being asked in a security assessment because organizations handling protected health information must comply with HITECH requirements to protect patient privacy and avoid significant penalties. Assessors want to ensure that your organization has implemented the necessary controls and processes to meet these legal requirements if you handle PHI.

To best answer this question, you should:

1. Clearly state whether you comply with HITECH requirements
2. Provide specific details about how your organization meets these requirements
3. Mention any relevant certifications or assessments that demonstrate compliance
4. If you don't handle PHI at all, explain that HITECH is not applicable to your services

If you're not fully compliant but are working toward compliance, be transparent about your current status and timeline for full compliance.

Guidance

Refer to HIPAA regulations documentation for supplemental guidance in this section.

Example Responses

Example Response 1

Yes, our organization fully complies with the HITECH Act requirements. We have implemented comprehensive policies and procedures to meet all HITECH provisions, including breach notification protocols, access controls, and audit logging for PHI. We conduct annual HIPAA/HITECH risk assessments and have documentation of our compliance program. Our staff receives regular training on HIPAA/HITECH requirements, and we maintain Business Associate Agreements with all relevant third parties. We have implemented technical safeguards including encryption of PHI at rest and in transit, access controls based on the principle of least privilege, and comprehensive audit logging of all access to PHI. Our compliance has been verified through independent third-party assessments conducted annually.

Example Response 2

Yes, we comply with HITECH requirements as they apply to our role as a Business Associate. Our cloud infrastructure services that may process PHI are designed with HITECH compliance in mind. We maintain a formal HIPAA compliance program that includes the enhanced requirements introduced by the HITECH Act. This includes breach notification procedures, encryption of all PHI, access controls, and comprehensive logging and monitoring. We provide our customers with a signed Business Associate Agreement (BAA) that addresses HITECH requirements. While we provide the compliant infrastructure, we work with our customers to ensure they understand their responsibilities for configuring and using our services in a compliant manner.

Example Response 3

No, we do not currently fully comply with all HITECH Act requirements. While we have implemented many security controls aligned with HIPAA requirements, we have identified gaps in our breach notification procedures and our ability to provide electronic access to information as required by HITECH. We are actively working to address these gaps through a formal remediation plan with expected completion within the next 6 months. In the interim, we have compensating controls in place, including enhanced monitoring and manual processes to detect and respond to potential breaches. We currently do not recommend using our service for PHI until our compliance program is complete, and we do not sign Business Associate Agreements at this time.

Context

Tab: Case-Specific
Category: HIPAA Compliance

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub