Healthcare Software Testing Strategies for HITECH Compliance

Timothy Joseph
Timothy Joseph | June 30, 2020

Healthcare Software Testing Strategies for HITECH Compliance

Think of HITECH compliance like a HIPAA upgrade. The HITECH Act came more than ten years after HIPAA in order to enforce tougher data security requirements mandated for all healthcare organizations as well as their business associates to follow.

But what is the HITECH Act? What is HITECH compliance? And what software testing strategies should your team implement in order to uphold HITECH compliance?

We compiled this HIPAA and HITECH Act compliance guide so that your healthcare application meets all requirements and standards essential for this ever changing industry.

What Is the HITECH Act?

The HITECH Act of 2009 is a law that expands the scope of privacy and security protections enforced under HIPAA by increasing the potential legal liability for not maintaining HIPAA and HITECH compliance. The HITECH Act—an abbreviation for the Health Information Technology for Economic Clinical Health Act—also creates incentives for the adoption and meaningful use of healthcare information technology and electronic health records (EHR).

HITECH was enacted in anticipation of future technology advancement within the healthcare industry. Under the HITECH Act, the United States Department of Health and Human Services agreed to spend $25.9 billion to promote and expand the application of health information technology, including for the creation of a nationwide network of electronic health records.

HIPAA and HITECH compliance requirements do not change or cancel each other out. While HIPAA has been around since 1996 to protect patient health data and to simplify hospital administrative procedures, HITECH enforces a higher level of quality and security for electronic systems within the U.S. healthcare infrastructure.

HITECH Act Subtitles

HIPAA was groundbreaking legislature for healthcare, yet not comprehensive enough to prevent certain problems. It was enacted during a time when having computers wasn’t the norm, making it insufficient at regulating electronic privacy and security measures. Technical loopholes made it difficult to enforce intended regulations, not to mention the lenient fees and low penalties for those that were not HIPAA compliant.

That’s why the four subtitles under the HITECH Act are designed to be solutions for these problems. To better understand this HIPAA and HITECH Act compliance guide, lets first explore the requirements of the HITECH Act:

  • Subtitle A: Promotion of Health Information Technology – The beginning of the act addresses the need to create a new electronic healthcare infrastructure that can securely support and protect EHRs. This new infrastructure should be thought of as a national standard of healthcare quality, efficiency and safety. This section then provides details on how to coordinate these adopted standards with the federal government and private entities.
  • Subtitle B: Testing of Health Information Technology – This section of the act establishes who can apply for grants and funding in order to be a part of testing health information technology. The establishments applying for grants include higher education institutions, federal laboratories and nonprofit entities.
  • Subtitle C: Grants and Loans Funding – This subtitle outlines how the grant and loan funds are to be applied, who ensures that these funds are applied properly and what standards for health information technologies must be met.
  • Subtitle D: Privacy – The end of the act focuses on the improved security and privacy provisions and the relationship of these provisions to current laws.

What is HITECH Compliance?

HITECH compliance enforces healthcare provider to:

  • Uphold the Meaningful Use Program
  • Enforce Business Associates HIPAA Compliance
  • Carry out the Breach Notification Rule (when applicable)
  • Avoid practices that lead to Willful Neglect and Auditing
  • Maintain HIPAA Compliance Updates

Meaningful Use Program

To incentivize the adoption of EHRs, the Department of Health and Human Services created the Meaningful Use Program that provided compensation to healthcare providers that put EHRs to a meaningful use.

But what does meaningful use mean? To check all the boxes on our HIPAA and HITECH Act compliance checklist, meaningful use relies on these five priorities:

  • Improving quality, safety, efficiency, and reducing health disparities
  • Engaging patients and families in their health
  • Improving care coordination
  • Improving population and public health
  • Ensuring adequate privacy and security protection for personal health information

In everyday medical practice, this means that:

  • Patients can order and receive prescription medicine online.
  • Technology can safely support sending, receiving and incorporating electronic healthcare information.
  • Patients can safely access their health information electronically from their healthcare provider.

Business Associates HIPAA Compliance

HITECH compliance means that business associates must also be HIPAA compliant. Because PHI is always at risk when handled by business associates, HITECH created stricter compliance requirements for business associate agreements. HITECH enforces the liability of a business associate who:

  • Fails to meet information security standards
  • Fails to report a data breach
  • Retaliates against and individual who files a HIPAA compliant
  • Fails to cooperate with a compliance review or complaint

Breach Notification Rule

An increase of EHR usage leads to an increased risk of security threats, phishing and cyberattacks. For HITECH compliance, the Breach Notification Rule requires all HIPAA-covered entities and business associates to provide notification following a security breach involving protected health information.

The public must be notified whenever a breach occurs. A breach involving fewer than 500 people, the healthcare provider must notify individuals within 60 days with a letter covering:

  • A brief description of the breach
  • The types of information involved in the breach
  • Next steps for the affected individuals to take in order to protect themselves from potential harm
  • An explanation on how the healthcare provider is investigating this breach as well as how the healthcare provider plans to prevent future breaches

A breach involving more than 500 people must provide the above to individuals, in addition to notifying the Secretary of the HHS no later than 60 days following a breach. Some states of jurisdiction also require that covered entities provide notice to prominent media outlets within the area.

Willful Neglect and Auditing

To ensure that HIPAA HITECH compliance requirements are met, the HITECH Act allows the HHS’s Office for Civil Rights (OCR) to audit HIPAA covered entities and business associates. A tied violation penalty and fine system is in place for those found not in HITECH compliance:

  • Tier A: Penalties for offenders who didn’t know they violated the Act and would have handled the situation differently if they had. $100 fine for each violation (not to exceed $25,000 each calendar year).
  • Tier B: Penalties for violations due to reasonable cause. $1,000 fine for each violation (not to exceed $100,000 each calendar year).
  • Tier C: Penalties due to willful neglect that the entity ultimately corrects. $10,000 fine for each violation (not to exceed $250,000 each calendar year).
  • Tier D: Penalties due to willful neglect that the organization did not correct. $50,000 fine for each violation (not to exceed $1,500,000 each calendar year).

HIPAA Compliance Updates

In the past, it was often cheaper for some healthcare providers to pay the fines for violating HIPAA compliance requirements than to invest in their security measures within their electronic systems. The HITECH Act updates HIPAA through the HIPAA Omnibus Rule, making all modifications to HIPAA in accordance with guidelines created by the HITECH Act. The HIPAA Omnibus Rule also increased penalties for violations to a maximum of $1.5 million per incident so that covered entities are more willing to invest in enhanced security measures.

HIPAA & HITECH Compliance Act Compliance Checklist

Keep all HIPAA HITECH compliance requirements in mind throughout the development and testing process for your software product. In addition to these software testing strategies for healthcare applications, follow this HIPAA HITECH Act compliance checklist so that your healthcare software always upholds the strongest safety practices in handling patient information:

  • Standardize your coding and electronic transmissions by using a compliant EHR
  • Implement an information security network that ensures the integrity, confidentiality and availability of PHI
  • Limit the number of employees and third-party vendors who have access to sensitive data on an as-needed basis through access control and the principle of least privilege
  • Structure a testing framework that encompasses all HIPAA and HITECH compliance requirements
  • Execute all forms of security testing for your healthcare application
  • Enlist a QA team familiar with healthcare domain testing
  • Confirm all test cases that support your organization’s retention policy
  • Educate all testers and developers on HIPAA HITECH compliance requirements by creating a HIPAA and HITECH Act compliance guide for internal use
  • Review internal testing policies and procedures to ensure all practices maintain HITECH compliance

Is Your Healthcare Application HITECH Compliant?

We covered a lot of information through this HIPAA and HITECH compliance guide. While our HIPAA HITECH Act compliance checklist covers all best practices for software testing, there are many intricacies that require skilled healthcare domain expertise to ensure that your healthcare product meets HITECH compliance.

Verify that your healthcare application is HITECH compliant by partnering with a professional QA services provider like QASource. Our team of healthcare domain experts are skilled in all industry healthcare standards and can confirm that your platform complies with all HIPAA and HITECH compliance requirements. Get in touch with a QASource expert today.


This publication is for informational purposes only, and nothing contained in it should be considered legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information and encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.