HITECH Act Compliance
The Health Information Technology for Economic and Clinical Health (HITECH) Act was set in motion in 2009 as part of the American Recovery and Reinvestment Act. It provides the healthcare industry over $31 billion in stimulus funds dedicated to infrastructure improvements, including the adoption of Electronic Health Records (EHR). In addition, HITECH addresses new privacy requirements for Protected Health Information (PHI): security, breach notification and penalties for non-compliance.
Simply put, HITECH applies to all HIPAA covered entities and their business associates.
HITECH requires any organization that accesses, maintains, retains, or modifies records, or anyone storing, destroying or otherwise holding, using or disclosing PHI to protect that information. The regulation also sets forth the notification requirements for companies that do not secure their PHI and suffer a data breach.
To comply with HITECH, companies must secure PHI data in motion, at rest or in use. According to the Federal Register, the Department of Health and Human Services recommends deploying encryption in order to secure PHI in motion. Data encryption renders "electronic PHI unusable, unreadable or indecipherable to unauthorized persons."
If an organization is breached and they protected the PHI using authorized methods, they are not subject to the notification requirements. However, if a company is breached and their data was not secured, the company is subject to fines up to $1.5 million (mandatory for cases of "willful neglect") and the following notification requirements:
Written notice by first-class mail to the individual at the last known address.
If there is insufficient or out-of-date contact information, especially if there are 10 or more individuals with insufficient information for mailed notification, the organization must post notification on its website and/or in major print or broadcast media.
If the company believes imminent misuse of the unsecured PHI is possible, notice by telephone or other method is permitted in addition to the above methods.
If more than 500 residents of any given state are affected, then prominent media outlets within the state must be sent notification.
For any breach of more than 500 individuals, the U.S. Health and Human Services Secretary must be immediately notified. The Secretary must also be notified annually of all other breaches.
The Secretary will maintain a list on an HHS website that identifies each breach in which the unsecured PHI of more than 500 individuals is compromised.
When you need to encrypt your data in motion, CipherOptics makes it easy. Whether you need to protect a single link, or your entire network, we eliminate the complexity of encrypting today's networks.
Our solutions combine standards-based, wire-speed encryption appliances with CipherEngine, the only policy definition and key distribution technology designed for multi-node networks. Together, they give you the highest level of data protection at the lowest total cost. CipherEngine gives you the power to protect data in motion wherever, however and whenever you want, without changes or disruptions to your network, your infrastructure, or your operations.
To see just how easy it can be to comply with HITECH, call 1-877-878-6655 or feel free to ask us a question.