HITECH Act Compliant EHR Software

Solutions for Your Practice

Although the Health Information Technology for Economic and Clinical Health (HITECH) Act is more than a decade old, it is still a highly relevant piece of legislation that affects the way behavioral health providers interact with patient information. The goal of passing the HITECH Act was to promote the use of electronic health record (EHR) systems and support the adoption of new technology in the United States.

Clinicians who wish to maintain compliance across the regulatory landscape need to know how the HITECH Act for medical records affects the use of EHRs to avoid hefty fines and penalties.


HITECH Fast Facts

Here's a quick run-down of the basics about HIPAA:

Official Title: Health Information Technology for Economic and Clinical Health Act

Year Enacted: 2009

Aliases: HITECH Act, under the American Reinvestment and Recovery Act

Jurisdiction: State and local public health agencies

Most Recent Update to HITECH: 2019

HITECH Compliance and Enforcement: U.S. Department of Health and Human Services (HHS)


The HITECH Act is part of the American Recovery and Reinvestment Act (ARRA) of 2009. Lawmakers signed this economic stimulus bill in February 2009. HITECH anticipated the need for greater adoption of EHRs to facilitate the exchange of protected health information (PHI) between clinicians, hospitals and other appropriate entities. Before the introduction of the law, just 10% of hospitals were using EHR technology. By 2017, 96% of non-federal acute care hospitals had adopted EHRs, as well as 86% of office-based physicians, making HITECH successful in its central goal.

HITECH Act and HIPAA Compliance

In addition to driving the adoption of EHRs, HITECH made significant changes to the Health Information Portability and Accountability Act (HIPAA) of 1996. Some of the most notable updates implemented include:

  • The requirement for business associates to be HIPAA compliant
  • Tougher penalties for HIPAA violations
  • The requirement to issue notifications of a data breach to affected individuals within 60 days
  • The requirement to give patients electronic copies of their PHI upon request
  • Publishing breach summaries online
  • Further restricting permitted uses and disclosures of patient information

HITECH's influence on HIPAA was to tighten up loopholes, increase auditing and enforcement and raise the upper financial penalty cap to improve compliance among healthcare providers.

Common HITECH Violations for Behavioral and Mental Health Providers

HITECH doesn't set forth regulations on its own. It merely bolsters and supports the rules already codified in HIPAA. Therefore, HITECH violations are HIPAA violations for the improper use, handling or storage of patient PHI. The most common violations for mental and behavioral health providers are:

  • Not securing patient records
  • Leaving data unencrypted
  • Hacking breaches
  • Theft or loss of devices containing PHI
  • Lack of employee training on HIPAA
  • Improper sharing of PHI
  • Improper disposal of records
  • Third-party PHI disclosure
  • Unauthorized release of information

Behavioral health providers work in situations where questions of proper use are a bit more ambiguous. To help behavioral health clinicians align with proper use under HIPAA, the HHS released a set of clarifying rules specifying when mental healthcare providers can:

  • Communicate with a patient's friends, family members or other individuals involved in their care
  • Communicate with family members of an adult or minor patient
  • Listen to family members, friends or involved individuals about the person receiving treatment
  • Communicate with family members, involved individuals or law enforcement when the patient is presenting a severe imminent threat of harm
  • Communicate to law enforcement about patients brought in for emergency psychiatric holds
  • Consider the patient's ability to agree or object to the sharing of their information

Fines and Penalties for HITECH Violations

A new interpretation of HITECH in 2019 added four levels of culpability to HIPAA violations, each with a different range of fines.

  1. No knowledge: No knowledge of or culpability for the breach
  2. Reasonable cause: No willful violation
  3. Willful neglect — corrected: Willful violation through neglect, rectified promptly
  4. Willful neglect — not corrected: Willful violation through neglect, not rectified as soon as possible

The new fine structure for practices that violate HIPAA is as follows.

Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit
No Knowledge | $100 | $50,000 | $25,000
Reasonable Cause | $1,000 | $50,000 | $100,000
Willful Neglect - Corrected | $10,000 | $50,000 | $250,000
Willful Neglect - Not Corrected | $50,000 | $50,000 | $1,500,000

Criminal penalties are also possible for HIPAA violations. The possible penalties are also categorized into the following tiers:

Unknowingly or With Reasonable Cause: One Year
Under False Pretenses: Five Years
For Personal Gain or Malicious Reasons: Ten Years


To help clarify the role of HITECH in mental and behavioral healthcare, we've compiled five of the most common questions we receive about this crucial piece of legislation.

HITECH closes loopholes in HIPAA and requires more stringent data breach reporting and disclosure rules, as well as a new fine structure.

HITECH Compliance and EHRs

When selecting an EHR with the HITECH Act of 2009 in mind, the most crucial feature is HIPAA compliance. HITECH's role has been to make HIPAA compliance functionally mandatory for organizations that want to avoid substantial fines, and the best way to ensure alignment is to choose an EHR certified by the Office of the National Coordinator for Health Information Technology.

Certified EHR Technology contains all the privacy and security features you need to remain compliant with HIPAA and is also a requirement for full participation in MIPS.

ICANotes for HITECH Compliance and Beyond

ICANotes understands how stressful it can be to keep current with legislation like HITECH that expands and changes over time. That's why we consistently update our EHR software to meet the regulatory needs of all types of behavioral and mental health providers. In addition to HITECH and HIPAA compliance, our software offers the ability to integrate with a wide range of third-party health information exchanges, putting your practice on the road to required interoperability.

To see how ICANotes can improve the speed and quality of your documentation on a secure and compliant platform, register for a free trial or a live demo of the software that truly understands your unique needs.
