Regulatory Compliance For Healthcare Organizations

 By Jordan MacAvoy, vice president of marketing, Reciprocity Labs.


Healthcare organizations must follow several regulatory compliance requirements. Of these, the Health Insurance Portability and Accountability Act (HIPAA) gets the most recognition. If your organization operates in the healthcare industry, it should also comply with the Health Information Technology for Economic and Clinical Health Act (HITECH).

The two requirements are closely interrelated. HITECH was enacted to promote the adoption of health information technology while addressing the security and privacy concerns that electronic protected health information (ePHI) raises. It significantly amended both HIPAA and the Social Security Act, so it can be difficult to understand how the two regulatory frameworks complement each other.

How HITECH And HIPAA Are Similar

Compliance with both HITECH and HIPAA is overseen by the Department of Health and Human Services (HHS). Healthcare organizations tend to focus on HIPAA because its Privacy Rule sets the national standards for protecting PHI and medical records. The Privacy Rule was first published in December 2000 and modified in August 2002, making it one of the earliest federal information privacy regulations; the 2013 Omnibus Final Rule later amended it again to implement HITECH.

The Office of the National Coordinator for Health Information Technology (ONC) is mandated to improve the quality of healthcare by advancing health IT. ONC is also tasked with promoting the security of ePHI and with establishing standards and procedures for electronic health records (EHRs) that protect patient privacy.

So while HITECH and HIPAA complement each other, they are not the same. HITECH focuses on information technology and the protection of electronic records, whereas HIPAA addresses privacy and security of PHI in every form, reaching beyond information systems to paper records and spoken information.

How HITECH And HIPAA Differ

Although HITECH and HIPAA have much in common, the two regulations differ on several vital details. HITECH was meant to expand HIPAA, whose Privacy and Security Rules remain focused on protecting PHI against misuse, identity theft and fraud. HITECH introduced the breach notification requirement, restructured the civil and criminal penalty tiers for noncompliance, and made business associates directly liable for compliance rather than bound only by contract with a covered entity.

From an IT perspective, compliance managers should focus on the significance of robust encryption. If malicious actors obtain ePHI that was properly encrypted, the data is not considered "unsecured" PHI, so the incident does not trigger breach notification under the HHS safe harbor, provided the decryption keys were not compromised as well. Qualifying for that safe harbor means encrypting in line with HHS guidance, which points to the NIST Federal Information Processing Standard (FIPS) 140 for validated cryptographic modules and to NIST publications on encryption at rest and in transit. Healthcare regulatory compliance can therefore only be realized if you fully understand your organization's IT infrastructure and where ePHI lives within it.

How HITECH’s Medicaid and Medicare Compliance Affects HIPAA Business Associates

You can only understand healthcare regulatory compliance once you understand how business associates, and the information they handle, overlap with your organization and with the rest of the supply chain. Business associates are individuals or organizations that provide services to covered entities, or perform functions or activities on their behalf, that involve PHI.

Under the Omnibus Rule, the definition of a business associate covers any organization that creates, receives, maintains or transmits PHI on behalf of a covered entity, such as claims processing and billing firms, practice management companies and, since 2013, their subcontractors as well. For those who work with Medicaid, additional services can fall under these compliance requirements.

For instance, a Medicaid Non-Emergency Medical Transportation (NEMT) broker is treated as a business associate under the Omnibus Rule. Despite being a network of transport brokers, the information it collects about members remains subject to HIPAA and HITECH.

Organizations should determine where they sit within the supply chain, since this will minimize HITECH and HIPAA violations. An organization should also decide whether it is willing to assume the additional compliance risk that comes with expanding into new healthcare services.

What Should Boards Of Directors Know?

Organizations looking to move into the healthcare sector should ensure that their boards recognize the compliance implications. Providing the requisite level of board oversight requires in-depth visibility into the healthcare landscape and into the organization's own compliance environment. If an organization brings vendors or healthcare providers into its corporate structure, the board should also understand how those parties fit into the supply chain.

Under HIPAA, vendor risk becomes corporate risk. Whether your organization sits at the bottom of the supply chain, at the top or in the middle, any interaction with HIPAA-regulated entities means it must comply with all the applicable regulatory requirements.

Think of HITECH and HIPAA violations as dominoes set up in a row: when one falls, the others follow. The significance of vendor management will therefore only grow as you expand further into the healthcare industry.

Organizations in the healthcare industry should not focus on HIPAA compliance alone. Incorporating HITECH compliance helps you protect the ePHI in your custody and, if a breach does occur, reduces your exposure to penalties. It is therefore crucial to understand how HIPAA and HITECH complement each other.
