HITECH Act Compliance Assessment

Evaluate your compliance with the Health Information Technology for Economic and Clinical Health Act

Healthcare | Biotech | Research | 15 minutes | 15 questions

1. Breach Notification

Do you have a breach notification policy that complies with HITECH requirements?*

HITECH requires notification of breaches affecting 500+ individuals within 60 days

Have you trained staff on breach detection and reporting procedures?*

Do you maintain a breach log with risk assessments for all incidents?*

2. Business Associate Agreements

Are all Business Associate Agreements (BAAs) updated to meet HITECH standards?*

HITECH expanded BA liability and required specific contract provisions

Do your BAAs include provisions for breach notification from BAs to you?*

Have you verified that subcontractors have BAAs in place?*

3. Enforcement & Penalties

Are you aware of the tiered penalty structure under HITECH ($100 - $50,000 per violation)?*

Do you have cyber liability insurance that covers HITECH penalties?*

4. Electronic Health Records

If you use EHR systems, are they certified under the ONC Health IT Certification Program?

Do you participate in meaningful use reporting for Medicare/Medicaid incentives?

5. Privacy & Security

Have you conducted a Security Risk Analysis (SRA) in the past 12 months?*

Required under HIPAA Security Rule, emphasized by HITECH enforcement

Do you encrypt ePHI at rest and in transit?*

Are patients able to request electronic copies of their health information?*

HITECH strengthened patient rights to access their data

Do you have audit controls in place to track access to ePHI?*

Have you appointed a Privacy Officer and Security Officer?*
