HITECH Act
The HITECH Act is a component of the economic stimulus package enacted by the federal government in 2009. HITECH is an acronym for "Health Information Technology for Economic and Clinical Health". HITECH extends some of the patient privacy and security provisions of HIPAA in order to better protect patient information while transitioning to the use of electronic health records for all Americans. HITECH changed HIPAA in many ways, but the three most relevant to faculty and staff are:
1) Patient notification is now required if the patient's unsecured protected health information (PHI) has been breached;
2) Significant penalties, both civil and criminal, may now be levied against individuals and institutions for violating patient privacy laws; and
3) Consultants and vendors that handle our PHI must comply with HITECH and HIPAA just as we do.
HITECH Act: Frequently Asked Questions
Question: Does HITECH apply to me?
Answer: NYULMC (i.e., NYU Hospitals Center and NYU School of Medicine) is considered a Covered Entity ("CE") under HIPAA and the HITECH Act. This means the law applies to all faculty, voluntary faculty and staff, students and volunteers. As a member of the NYULMC community, you are likely to handle PHI directly, work in areas where PHI is being used, and/or encounter a possible breach of PHI, regardless of who was responsible for the breach.
Question: Am I required to do HITECH Act training?
Answer: HITECH Act training is required for every member of the NYULMC community: faculty, full- and part-time employees, students, and volunteers. Please click here to launch the online training. This is a web-based class, so please make sure you are logging in on a computer with full internet access. Some shared terminals only have intranet access.
To log in, you will need your Kerberos ID. If you do not know your Kerberos ID, ask your supervisor, or look it up by going to the People Search Directory and entering your name. You also need your date of birth to log in. Please enter your date of birth in MMDD format. For example, if your birthday is on March 15, you must enter 0315. No abbreviations or slashes. DO NOT enter the year of your birth. Please make sure you have pop-up blockers and the Google toolbar disabled, as these interfere with the courseware. If you need technical assistance during the online training, contact the MCIT Help Desk at 1-212-263-6868.
Question: What is a breach?
Answer: A breach is defined as "the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of the PHI." There are some exceptions, but you must report all actual and suspected breaches so the Office of Audit & Compliance can make a determination as to whether a breach has occurred.
Question: How can I prevent breaches of PHI from occurring?
Answer:
Be authorized to use PHI. You are authorized to use PHI if you are involved in a patient's treatment, if you are involved in patient billing and payment, or if you are involved in health care operations and you have a legitimate business reason to access PHI.
Use the minimum PHI necessary to do your job. For example, if you are treating a patient this month for a broken ankle, you probably do not need to look at the records of a previous stay relating to that person's hand surgery.
Keep PHI secure at all times. We cannot guarantee a patient's information is private if we cannot keep it secure. Follow MCIT policies.
Keep PHI confidential. Avoid discussing PHI in public places. Sign off electronic records systems when you are finished accessing a record, especially if you share your workstation with others. Shred all paper medical records when they are no longer needed.
Question: How do we ensure that our consultants and vendors are complying with HITECH/HIPAA?
Answer: Consultants and vendors are our Business Associates ("BA") and they must comply directly with HITECH and HIPAA. They must report breaches of our PHI and they must have their own security measures in place to protect the PHI they use. The current NYU Hospitals Center Business Associate Agreement (BAA) has been revised to comply with the new HITECH requirements. Click here for the current SOM Business Associate Agreement. Our Business Associates have received a copy of this new agreement as well as information about our PHI-LOSS phone number, which they should use to report any breach they discover. If you, or anyone in your department, work with consultants or vendors who handle our PHI, please contact the Office of Audit & Compliance at 212-404-4079 to ensure that the BA receives the new agreement.
Question: What is NYULMC doing to make sure that electronic PHI is protected?
Answer: NYULMC recently enacted new policies that require protection for all mobile devices and portable storage media that connect to the NYULMC network or store business information. In addition, as we roll out the Epic system across the institution, we will see additional system-wide safeguards on patient data. However, protecting PHI requires more than technology; it requires each of us to be vigilant about how and to whom we transmit Medical Center data.