What is the HITECH Act? New developments since 2009 including the ACA of 2010, HIPAA Omnibus of 2013, MACRA of 2015 and 21st Century CURES Act of 2016

What is the HITECH Act? Introduction for the Novice

What is the HITECH Act?   An Introduction for the Layperson

Money to convert from paper to electronic

People who ask, “What is the HITECH Act?” should understand how the Act stimulates the use of electronic health records and promotes patient safety and privacy.  EHRs also improve patient record access and ongoing interoperability among healthcare providers and their patients’ data.

In simple terms, the HITECH Act stimulates the economy with a specific focus on healthcare.   It creates stimulus through monetary incentives to stop using paper for patient records and start using an E.H.R.

Stop saying EMR and Start Saying EHR.

Above all, let’s get some acronyms straight. I recommend that you stop saying “E.M.R.” or electronic medical record and start saying “electronic health record” or “E.H.R.” Why is that? Because the ARRA HITECH Act defines a “Certified Electronic Health Record” or “C.E.H.R.T.” A CEHRT has to meet rigorous, defined federal standards. There is no standard definition for an EMR, only for an EHR.

A healthcare provider must prove that it uses a certified electronic health record system to get the stimulus funds. Installation compliance is an extensive task requiring that several ‘measures’ be met for patient safety, quality, and security, and for providing patients access to their health records via electronic means.

What is the History of the HITECH Act?

To simplify,

  • The HITECH Act is formally known as “The American Reinvestment & Recovery Act (ARRA) Health Information Technology for Economic and Clinical Health (HITECH) Act.” President Obama signed HITECH into law on February 17, 2009, as part of an economic stimulus bill.
  • The HITECH Act created economic incentives to implement electronic health records. The stimuli were available to hospitals (“Eligible Hospitals” or “E.H.s”) and physicians (“Eligible Professionals” or “E.P.s”) through meaningful use [EHR-MU], an effort led by the Centers for Medicare & Medicaid Services (C.M.S.) and the Office of the National Coordinator (O.N.C.) for Health I.T. The HITECH Act encourages nationwide meaningful use of interoperable electronic health records.

As a result of the HITECH Act

  • HITECH provides over $35 billion in stimulus funds to eligible hospitals and physicians. Certified electronic health record technology (CEHRT) had to be purchased and used in a meaningful way (defined by precise “Meaningful Use” criteria in the HITECH Act).
  • These criteria include many compulsory and optional requirements, including privacy safeguards. In the gold rush to access some of the stimulus funds, E.H.R. companies were required to obtain certification from ATCBs (Authorized Testing and Certification Bodies) to become a CEHRT.
  • Regional extension centers sprang up that provided training and other services and advised physicians and hospitals on U.S. H.H.S., C.M.S., and Office of the National Coordinator (O.N.C.) guidelines.
  • In turn, providers licensed CEHRT and attested to being meaningful users. Installation and meaningful use required configuration and clinical use of an E.H.R., with policies and procedures prescribed by the HITECH Act.
  • The attestation entitles an E.H. or an E.P. to receive stimulus funds.
  • Making false statements to the Government carries a penalty under the False Claims Act.

 Key Provisions

  1. Key provisions of the HITECH Act for hospitals and critical access hospitals (C.A.H.s) can be found at 42 C.F.R. § 495.22 – Meaningful use objectives and measures for E.P.s, eligible hospitals, and C.A.H.s for 2015 through 2018
  2. Providers are required to meet 42 C.F.R. § 495.40 – Demonstration of meaningful use criteria.
  3. Certification of electronic health record technology (CEHRT) for 2014 Stage 2 measures can be found at 42 CFR 495.6(j)-(m) Stage 2 Objectives and Measures. There are core (required) measures and optional (menu) measures, of which a certain minimum number were required.

What is the significance for Regulatory Risk and Compliance?

False Claims Act

To get the stimulus funds, a healthcare provider files an attestation with the U.S. Government (via C.M.S.) or state Medicaid that it had complied and requested funds. If the provider’s claims were not accurate, the provider could be subject to penalties under the False Claims Act.

Medical Malpractice Defense Strategy

Electronic health records now provide tamper-resistant measures that enable a skilled forensic expert in electronic health records to audit the log files and patient records, using the HITECH Act Standards for compliance. These strategies are useful in medical malpractice personal injury cases, fraud determinations, and medical billing and coding, among other types of cases.

Lasting Challenges for the Healthcare Industry Today

Moreover, now that E.H.R.s are in the majority of hospitals and providers in the U.S., some challenges have developed:

  • Privacy – When there are privacy breaches by hospitals or physicians (a.k.a. a “HIPAA Breach”), it can be indicative of a failure to correctly or ‘meaningfully use’ the CEHRT, or of a failure in the policies, procedures, and training of staff that use the CEHRT.

  • Patient safety alerts and medical decision making – One of the requirements of using an E.H.R. under Meaningful Use is the use of clinical decision support (CDS). CDS ensures patient safety mechanisms alert clinicians. The alerts should integrate with the workflow of a physician. As a result, some hospitals and physicians have turned these alerts off. This can lead, in my experience, to unfortunate events. Some medical malpractice cases start with clinical decision-making errors, resulting in injury or death of a patient. This is both a failure to meet the Meaningful Use Standard and improper for ensuring patient safety.

  • Audit trails to ensure accuracy of record-keeping – To explain, audit logs provide a complete history of all access to a patient’s record, medication orders, and other orders, as well as progress notes by physicians. Like the preceding example, this is both a failure to meet the Meaningful Use Standard and improper for ensuring patient safety. It has the additional effect of calling into question the health care provider’s integrity and whether they are maintaining accurate records.


  • Physician productivity– Physicians that I interview complain of up to a 20% reduction in patient volume. The reason they say this is because of increased documentation and data entry requirements. We believe E.H.R.s can provide productivity benefits, but programmers need to improve usability testing with the intended clinical users.

Interoperability Imperative

Interoperability between different E.H.R.s, physicians, hospitals, and clinics, and paper transmitted via fax

    • During the initial Meaningful Use adoption period for E.H.R.s, if two providers were not both using the same E.H.R., sharing patient data was challenging. Recent improvements between disparate E.H.R.s solved part of the problem.
    • Today, new legislation such as the 21st Century CURES Act section 4003 defines ‘interoperability’ for Health I.T. as follows:
      1. “Enables the secure exchange of electronic health information with, and use of electronic health information from, other health information technology without special effort on the part of the user;
      2. Allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law; and
      3. Does not constitute information blocking as defined in section 3022(a).”
    • Interoperability problems between old and new systems and methods can cause patient safety errors. For example, patient identification errors can occur outside the reference laboratory. This risk increases when the Lab Information System (LIS) is not integrated with the hospital’s E.H.R. A fax of the lab results might be sent from the lab to the hospital. The faxed document enters the hospital’s system and is reviewed by a human, who adds the image of the fax to the E.H.R. and then enters discrete data regarding the result of the lab into the hospital E.H.R. Because of human distraction, such as having more than one chart open, or fatigue, known ‘sentinel’ or ‘never’ events can happen.

What New Health I.T. Legislation Since the HITECH Act of 2009 Modifies or Changes Priorities for Healthcare?

Since 2009, several new initiatives modify or extend the importance of the HITECH Act.  Electronic health records form a foundation for the ACA, FDASIA, HIPAA, MACRA and the CURES Act.

Affordable Care Act of 2010

  • The Affordable Care Act of 2010 established comprehensive health care insurance reforms. The A.C.A. instantiated Federal regulations that sometimes confounded state insurance regulations. To explain, concepts such as Minimum Essential Coverage (M.E.C.) and Essential Health Benefits (E.H.B.) were new terms. Medically necessary care must be documented in the patient chart, which is now generally electronic due to the HITECH Act. The A.C.A. also provided more stringent sentencing guidelines for fraud.

FDASIA – 2012

HIPAA Omnibus Rule of 2013

To clarify, the HIPAA Omnibus Rule of 2013 provided increased, tiered civil money penalty structures of the HITECH Act. The Omnibus Rule adopted the HITECH Act’s prohibition against marketing, fundraising, and PHI (protected health information) sale without authorization.

Cybersecurity Act of 2015

The Cybersecurity Act of 2015 is designed to promote awareness via a portal that reports security threats. It also encourages leveraging existing frameworks using recognized security practices. The term “recognized security practices” is used in the HITECH Act Amendment (see below), meaning “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under Section 405(d): Aligning Health Care Industry Security Approaches

MACRA – 2015

To elaborate, two key provisions of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) are its Quality Payment Program tracks:

    • Advanced Alternative Payment Models (A.P.M.s) or
    • The Merit-based Incentive Payment System (MIPS)

21st Century Cures Act of 2016

  • The 21st Century Cures Act of 2016 is designed to speed up medical product development and bring new innovations and advancements to patients. It has these key initiatives:
    • 4001: Health I.T. Usability
    • 4002(a): Conditions of Certification
    • 4003(b): Trusted Exchange Framework and Common Agreement
    • 4003(c): Health Information Technology Advisory Committee
    • 4004: Identifying reasonable and necessary activities that do not constitute information blocking
    • Intra-Federal agency coordination between:
      • C.M.S.,
      • H.H.S. Office of Civil Rights,
      • H.H.S. Office of the Inspector General (OIG),
      • Agency for Healthcare Research and Quality (AHRQ),
      • National Institute for Standards and Technology (NIST).
    • The CURES Act also modifies 42 C.F.R. Part 2 with respect to privacy and disclosure of substance use disorder and behavioral health records.
    • Regenerative Medicine Advanced Therapy (RMAT), focused on biologics
    • Breakthrough Devices program
    • Oncology Center of Excellence

HITECH Act Amendment of 2021

The HITECH Amendment provides that “recognized security practices” (“RSPs”) include: (i) standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (“NIST”) Act; (ii) the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015


Michael F. Arrigo

Michael Arrigo, an expert witness, and healthcare executive, brings four decades of experience in the software, financial services, and healthcare industries. In 2000, Mr. Arrigo founded No World Borders, a healthcare data, regulations, and economics firm with clients in the pharmaceutical, medical device, hospital, surgical center, physician group, diagnostic imaging, genetic testing, health I.T., and health insurance markets. His expertise spans the federal health programs Medicare and Medicaid and private insurance. He advises Medicare Advantage Organizations that provide health insurance under Part C of the Medicare Act. Mr. Arrigo serves as an expert witness regarding medical coding and billing, fraud damages, and electronic health record software for the U.S. Department of Justice. He has valued well over $1 billion in medical billings in personal injury liens, malpractice, and insurance fraud cases. The U.S. Court of Appeals considered Mr. Arrigo's opinion regarding loss amounts, vacating, and remanding sentencing in a fraud case. Mr. Arrigo provides expertise in the Medicare Secondary Payer Act, Medicare LCDs, anti-trust litigation, medical intellectual property and trade secrets, HIPAA privacy, health care electronic claim data Standards, physician compensation, Anti-Kickback Statute, Stark law, the Affordable Care Act, False Claims Act, and the ARRA HITECH Act. Arrigo advises investors on merger and acquisition (M&A) diligence in the healthcare industry on transactions cumulatively valued at over $1 billion. Mr. Arrigo spent over ten years in Silicon Valley software firms in roles from Product Manager to CEO. 
He was product manager for a leading-edge database technology joint venture that became commercialized as Microsoft SQL Server, Vice President of Marketing for a software company when it grew from under $2 million in revenue to a $50 million acquisition by a company now merged into Cincom Systems, hired by private equity investors to serve as Vice President of Marketing for a secure email software company until its acquisition and multi $million investor exit by a company now merged into Axway Software S.A. (Euronext: AXW.PA), and CEO of one of the first cloud-based billing software companies, licensing its technology to Citrix Systems (NASDAQ: CTXS). Later, before entering the healthcare industry, he joined Fortune 500 company Fidelity National Financial (NYSE: FNF) as a Vice President, overseeing eCommerce solutions for the mortgage banking industry. While serving as a Vice President at Fortune 500 company First American Financial (NYSE: FAF), he oversaw eCommerce and regulatory compliance technology initiatives for the top ten mortgage banks and led the Sarbanes Oxley Act Section 302 internal controls I.T. audit for the company, supporting Section 404 of the Sarbanes Oxley Act. Mr. Arrigo earned his Bachelor of Science in Business Administration from the University of Southern California. Before that, he studied computer science, statistics, and economics at the University of California, Irvine. His post-graduate studies include biomedical ethics at Harvard Medical School, biomedical informatics at Stanford Medical School, blockchain and crypto-economics at the Massachusetts Institute of Technology, and training as a Certified Professional Medical Auditor (CPMA). Mr. Arrigo is qualified to serve as a director due to his experience in healthcare data, regulations, and economics, his leadership roles in software and financial services public companies, and his healthcare M&A diligence and public company regulatory experience.
Mr. Arrigo is quoted in The Wall Street Journal, Fortune Magazine, Kaiser Health News, Consumer Affairs, National Public Radio (NPR), NBC News Houston, USA Today / Milwaukee Journal Sentinel, Medical Economics, Capitol Forum, The Daily Beast, the Lund Report, Inside Higher Ed, New England Psychologist, and other press and media outlets. He authored a peer-reviewed article regarding clinical documentation quality to support accurate medical coding, billing, and good patient care, published by Healthcare Financial Management Association (HFMA) and published in Healthcare I.T. News. Mr. Arrigo serves as a member of the board of directors of a publicly traded company in the healthcare and data analytics industry, where his duties include: member, audit committee; chair, compensation committee; member, special committee.
