Health Care Reform Legislation Survival Guide, Part 1 


There have been articles in the mainstream media discussing efforts by technology companies and providers to digitize patient records. There is a tremendous push by the US federal government—as well as by some private payers and self-insured employers—to get all US health care providers wired in the near future, in an effort to better coordinate patient care, improve outcomes and “bend the cost curve” all at the same time.

Once patient data, known as protected health information (PHI), are stored electronically, they become exposed to potential data breaches. There are two pieces of recent legislation issued by the US Congress that affect, more than any other recent legislation, the security and privacy areas reviewed by IT auditors in the health care industry:

  1. Health Information Technology for Economic and Clinical Health (HITECH) Act
  2. US Department of Health and Human Services (HHS) Health Breach Notification (BNR) Rule: Final Rule, issued pursuant to the American Recovery and Reinvestment Act (ARRA) of 2009 (HHS BNR)

This article addresses the HITECH Act. A second article, to be published in volume 5, 2010, of the ISACA Journal, will address the HHS BNR.

Compliance with both of these rules—issued under authority of the HITECH Act by the HHS with respect to health care providers and by the US Federal Trade Commission (FTC) with respect to electronic health care record (EHR) vendors and other similar third parties—requires affected practices and businesses to assess and update their data privacy and security policies and procedures, as well as train all affected staff accordingly.

The HITECH Act was signed into law in February 2009 as part of the ARRA. The HITECH Act:

  • Includes goals related to the use and security of electronic health records to improve quality of care and reduce health care costs
  • Charges the Office of the National Coordinator for Health Information Technology (ONC), a division within HHS, with coordinating efforts to implement HITECH Act requirements, including establishing national standards related to use and security of electronic health records
  • Strengthens enforcement and penalties associated with willful violations of US Health Insurance Portability and Accountability Act (HIPAA) requirements, such as disclosure of PHI, and provides requirements for notifying affected individuals when PHI has been, or is reasonably believed to have been, disclosed as the result of a breach

This article will briefly describe the HITECH Act and its impact on IT professionals in terms of:

  • What is this piece of legislation? Who is covered under this legislation?
  • When is it applicable? Do all organizations have to start complying with the legislation immediately?
  • Who needs to follow/implement this legislation?
  • What do organizations have to do to comply with the legislation?
  • Why do IT auditors need to know about this legislation?
  • What do IT auditors need to know about it? What is the role of IT auditors? Is it checking compliance at the end of a period/year, or is it a continual process?
  • What are the applicable fines or effects if these rules/acts are not followed?

The HITECH Act and Who It Covers

On 17 April 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals, as required by the HITECH Act, passed as part of the 2009 ARRA. This guidance was developed through a joint effort by the Office for Civil Rights (OCR), the ONC and the Centers for Medicare and Medicaid Services (CMS). The HITECH Act and its implementing regulations became effective in the fourth quarter of 2009. Auditors and security professionals need to understand this Act and its implementing regulations because they significantly expand the HIPAA security and privacy requirements. Similar breach notification provisions implemented and enforced by the FTC apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.

The HITECH Act has led to the first breach notification requirements in the US. Under the Act, a breach is defined as the unauthorized acquisition, use or disclosure of PHI. Organizations are exempt from the breach notification requirements if they can demonstrate that disclosures do not compromise the security or privacy of the data or lead to a significant risk of harm to affected individuals.

The HITECH Act directed the secretary of HHS to issue technical guidelines to health care providers. Published in August 2009, this guidance:

  • Requires health care providers and other HIPAA-covered entities to promptly notify affected individuals of a breach
  • Mandates notification to HHS and the media in cases where a breach affects more than 500 individuals; breaches affecting fewer than 500 individuals must be reported to the HHS secretary annually

Guidance drafted by HHS extends to business associates of health care providers as well. The FTC has issued companion breach notification regulations for vendors of personal health records and other entities not covered by HIPAA. It should be noted that this affects non-US-based companies that do business in the US or with US companies.

Under the HHS and FTC regulations, notification is required when information is unsecured. These regulations specify encryption and destruction as the technologies and methodologies that render PHI unusable, unreadable or indecipherable to unauthorized individuals. Entities that secure PHI in accordance with the regulations are relieved from having to notify individuals, the HHS secretary and the news media in the event of a breach. The breach notification regulations became effective in September 2009.

Compliance Deadlines

Interim final breach notification regulations, issued in August 2009, implement section 13402 of the HITECH Act by requiring HIPAA-covered entities and their business associates, including those based outside the US, to provide notification following a breach of unsecured PHI. The HHS reports that similar breach notification provisions, implemented and enforced by the FTC, apply to vendors of personal health records and their third-party service providers, as specified in section 13407 of the HITECH Act. Section 164.400 of the interim final rule provides that this breach notification rule is applicable to breaches occurring on or after 30 days from the date of publication of this interim final rule, August 2009.

Who Is Covered Under This Legislation and Who Needs to Follow It?

The legislation indicates that the breach notification rules apply to covered entities under HIPAA and their business associates, and require them to provide notification in the case of breaches of unsecured PHI. The Act also requires covered entities to notify the media of breaches. The Act requires covered entities to safeguard electronic PHI and permits them to use any security measures that allow them to reasonably and appropriately implement all safeguard requirements.

The HITECH Act applies to both vendors of personal health records that provide online repositories that people can use to keep track of their health information and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.

Complying With the Legislation

Organizations have to do the following to comply with the HITECH Act:

  • Implement a data classification policy—approved by senior management and communicated by management—that describes the acceptable processes used to identify, classify, store, secure and monitor access to a consumer’s PHI data.
  • Implement a process to detect a potential data breach and initiate timely incident response activities.
  • Implement a notification process. Vendors and related entities with access to personal health records need to ensure that a process is in place to notify affected parties without unreasonable delay and no later than 60 calendar days after discovery of the breach of the security of their individually identifiable health information. The rule specifies that notifications should:
    – Be written in plain language
    – Include, to the extent possible, a brief description of what happened, the types of information involved and steps individuals should take to protect themselves
    – Include a brief description of what the entity is doing to investigate and mitigate the breach. The notification must provide consumers with contact information that includes a toll-free number, e-mail address, and web site or postal address.
  • Implement processes, policies and procedures governing the training program and the reporting and filing of complaints, to ensure compliance. Limited guidance has been issued to date defining minimum requirements for compliance.
  • Encrypt data—at rest and in transit. Since data are a company’s most valuable asset, their compromise, disclosure or alteration could have a significant negative impact. Generally, encryption methods such as the Data Encryption Standard (DES), Blowfish, RSA (which stands for Rivest, Shamir and Adleman, who first publicly described it), RC5 (Rivest Cipher) and International Data Encryption Algorithm (IDEA) are used as the basis for implementing encryption technologies. In addition to servers and desktop workstations, encryption must be implemented on portable devices, such as laptops. A process for determining the business rationale and approval for encrypting data at rest or in transit is needed to ensure the encryption effort is effectively implemented. Under the HIPAA Security Rule, electronic PHI is considered encrypted when it has been transformed by “the use of an algorithmic process to transform data into forms in which there is a low probability of assigning meaning without use of a confidential process or key” and the confidential process or key that might enable decryption has not been breached. The US National Institute of Standards and Technology (NIST) tests encryption methodologies and identifies those that meet applicable standards.
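As an added example (not part of the article), the notification rules summarized above can be turned into a small triage helper that an incident response team or IT auditor can run against recorded incident facts: the encryption safe harbor (encrypted PHI whose key was not breached), the risk-of-harm assessment, the 500-individual threshold for HHS and media notification, and the 60-calendar-day outer limit. The incident fields and the treatment of exactly 500 individuals are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as summarized in the article's description of the HHS interim final rule.
MEDIA_HHS_THRESHOLD = 500        # "more than 500 individuals" -> notify HHS and the media
NOTIFICATION_DEADLINE_DAYS = 60  # "no later than 60 calendar days after discovery"


@dataclass
class BreachIncident:
    """Facts an incident responder records about a suspected PHI breach.
    Field names are assumptions made for this example."""
    discovered: date
    individuals_affected: int
    phi_encrypted: bool             # encrypted with a NIST-tested method per HHS guidance
    key_compromised: bool           # the key or confidential process was also breached
    significant_risk_of_harm: bool  # outcome of the risk assessment the rule requires


def phi_is_unsecured(incident: BreachIncident) -> bool:
    """PHI counts as 'secured' only if it was encrypted AND the key was not breached."""
    return not incident.phi_encrypted or incident.key_compromised


def required_notifications(incident: BreachIncident) -> dict:
    """Apply the article's rules; return who must be told, by when, and why (or why not)."""
    if not phi_is_unsecured(incident):
        return {"notify": False, "parties": [], "deadline": None,
                "reason": "PHI secured: encrypted and key not breached"}
    if not incident.significant_risk_of_harm:
        return {"notify": False, "parties": [], "deadline": None,
                "reason": "risk assessment: no significant risk of harm"}
    parties = ["affected individuals"]
    if incident.individuals_affected > MEDIA_HHS_THRESHOLD:
        parties += ["HHS secretary", "media"]
    else:
        # Assumption: exactly 500 is handled like "fewer than 500" (annual report to HHS).
        parties.append("HHS secretary (annual report)")
    deadline = incident.discovered + timedelta(days=NOTIFICATION_DEADLINE_DAYS)
    return {"notify": True, "parties": parties, "deadline": deadline,
            "reason": "unsecured PHI with significant risk of harm"}


def notification_is_timely(incident: BreachIncident, sent_on: date) -> bool:
    """True only if notice was required and went out within the 60-calendar-day limit."""
    result = required_notifications(incident)
    return result["deadline"] is not None and sent_on <= result["deadline"]


if __name__ == "__main__":
    # Constructed sample: stolen unencrypted laptop holding 1,200 patient records.
    laptop = BreachIncident(date(2010, 3, 1), 1200, False, False, True)
    print(required_notifications(laptop))
```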

Results of Noncompliance

The secretary of HHS is responsible for oversight, enforcing compliance and determining the amount of any proposed penalty.

Why Do IT Auditors Need to Know About the HITECH Act?

IT auditors need to know about this regulation because the interim final rule for the HITECH Act, which was issued in April 2009, states that a breach does not occur unless the access, use or disclosure poses “a significant risk of financial, reputational or other harm to an individual.” In the event of a breach, the rule requires covered entities to perform a risk assessment to determine if the harm standard is met. If the risk assessment determines that the risk of harm to the individual is not significant, the covered entities are not required to tell their patients that their sensitive health information was breached. The FTC version stipulates that if an individual authorized the release of data, the data’s release is not considered a breach. The final rule became effective during August 2009.1

The FTC’s rule also allows a vendor to engage in a risk analysis and states that if data were never acquired (i.e., officials are fairly certain that nobody saw the material), the incident does not count as a breach and notification does not have to occur. Both agencies have said they will not enforce the data breach rules for 180 days, during which time Deven McGraw, director of the health privacy project at the Center for Democracy and Technology (CDT), hopes that HHS will go back to the drawing board.2

With regard to possible overlap with state regulations, specifically over the definition of breach notification, it appears at this time that any US state law is preempted. Auditors employed by a multinational firm or an organization with offices in multiple states will have to take this added complexity into consideration when assessing the organization’s compliance.

The HITECH Act also provides guidance and funding for establishing at least 70 regional centers to help promote EHR adoption. Practice Fusion, a newsletter for physicians, indicated earlier in 2010 that regional centers will offer “technical assistance, guidance and information on best practices to support and accelerate health care providers’ efforts to become meaningful users of EHRs.”3 More than 100,000 primary care providers will be supported by the regional centers. An excerpt from a Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program document says that support should specifically focus on helping providers select the highest-value option, defined as that which offers the greatest opportunity to achieve and maintain meaningful use of EHRs and improved quality of care at the most favorable cost of ownership and operation, including both the initial acquisition of the technology, cost of implementation, and ongoing maintenance and predictable needed upgrades over time.4

Under the HITECH Act Medicare and Medicaid bonus payouts, a physician who can demonstrate “meaningful use” of an EMR in 2011 would be eligible to receive US $18,000 from Medicare for the first year and US $44,000 total through 2015. Incentives are reduced for adoption after 2012. Physicians whose practices feature a high volume of Medicaid patients can qualify for up to US $65,000 in incentives.




1 According to Deven McGraw, director of the health privacy project at CDT, the language was not handed down as part of the US $19 billion health IT section of the economic stimulus package and was expressly rejected by House of Representatives staffers who helped craft the measure. He noted its inclusion by HHS is likely the result of lobbying on the part of the health care industry. CDT and its allies favor the approach taken by the FTC in its own data breach mandate, which takes effect the same day as the HHS rule. Noyes, Andrew; “HHS Urged to Rework Data Breach Rule,” Congress Daily, Tech Dose Daily, 17 September 2009
2 Ibid.
3 Practice Fusion, “HITECH EMR Stimulus Information for Physicians,” USA, 2010
4 Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program, “Funding Opportunity Announcement and Grant Application Instructions,” Office of the National Coordinator for Health Information Technology Department of Health and Human Services, USA, 2009

Christopher P. Buse, CISA, CISSP, CPA
is currently the chief information security officer (CISO) for the State of Minnesota (USA), Office of Enterprise Technology. He is a member of ISACA’s Governmental and Regulatory Agencies Area 4 Subcommittee.

is a consultant for DTG-Consulting Solutions. He is currently assigned as a project manager for a financial services client. He is a member of ISACA’s Governmental and Regulatory Agencies Area 4 Subcommittee.

Steve Sizemore, CISA, CGAP, CIA
is currently an IT audit manager with the Internal Audit Division of the Texas Health and Human Services Commission (USA). He is a member of ISACA’s Governmental and Regulatory Agencies Area 4 Subcommittee.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.