
CompTIA Healthcare IT Technician HIT-001 Cert Guide: Regulatory Requirements

This chapter identifies and explains the roles of some important agencies and laws, HIPAA controls and compliance issues, types of health records and rules of record retention and disposal, and finally legal best practices, requirements, and documentation.

Regulatory requirements do not sound like fun to read about, but however dry the topic is, it is relevant to HIT. The requirements keep you and others out of trouble, and the agencies and laws exist to protect patients’ rights and privacy and to point you toward resources.

Laws and regulations change and are updated, so the most important point of this chapter is knowing where to find current information. Agencies, laws, and regulations also vary from state to state, so you need to be aware of the policies in your own state.

Use government websites and Internet search engines to find information. The government (.gov) sites are the authoritative sources. Other websites might offer insight about where to look for answers or how other facilities handle issues. If you cannot find what you need, look within your facility. Often all it takes to find information about a policy is to visit the department in your hospital that handles matters of policy on a daily basis.

This chapter begins by identifying and explaining the roles of some important agencies and laws.

Identifying Standard Agencies, Laws, and Regulations

Each of the agencies, laws, and regulations described in the following sections plays a role in healthcare. The agencies of the U.S. government are responsible for implementing the laws passed by Congress and signed by the President. The common goal of the agencies, laws, and regulations is to improve the healthcare available to citizens. First, learn about the agencies.

Agencies Governing Healthcare

Over the last few years the government has devoted generous resources to the development and implementation of HIT, directing funding toward advancing healthcare technology in the United States. Government agencies channel this money to covered entities, and covered entities work toward the same goal of advancing healthcare technology. The agencies are also tasked with ensuring that healthcare providers and facilities comply with the laws and regulations.

Following is a list of agencies that govern healthcare in the United States:

  • Department of Health and Human Services (HHS)
  • National Institute of Standards and Technology (NIST)

Department of Health and Human Services

The Department of Health and Human Services (HHS)—http://www.hhs.gov—is an agency of the U.S. government tasked with the following responsibilities:

  • Protect the health of Americans.
  • Provide a means for Americans who are least able to help themselves to access healthcare.
  • Contain and treat any national health emergencies.
  • Test and regulate food and drug supplies.

Figure 3-1 shows the HHS website.

Figure 3-1 The HHS website is current and informative with the need-to-know facts and how to access resources the HHS provides.

Photo credit: http://www.hhs.gov

The HHS contains several operating divisions, as shown in Table 3-1.

Table 3-1 Operating Divisions of the HHS

  • Administration for Children and Families
  • Administration on Children, Youth, and Families
  • Administration on Aging
  • Agency for Healthcare Research and Quality
  • Centers for Disease Control and Prevention
  • Centers for Medicare & Medicaid Services
  • Food and Drug Administration
  • Health Resources and Services Administration
  • Indian Health Service
  • National Institutes of Health
  • National Cancer Institute
  • Office of the Inspector General
  • Substance Abuse and Mental Health Services Administration


The more notable divisions of the HHS include the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention (CDC), and the National Institutes of Health (NIH). Now take a closer look at the divisions and offices of the HHS most directly involved in HIT:

  • Centers for Medicare & Medicaid Services (CMS)
  • Office of the National Coordinator for HIT (ONC)
  • Office for Civil Rights (OCR)

Centers for Medicare & Medicaid Services (CMS)

The Centers for Medicare & Medicaid Services (CMS)—http://www.cms.gov—is the branch of the HHS responsible for administering Medicare and Medicaid. CMS also regulates the HIPAA transaction standards for the electronic exchanges used in billing, such as claims, remittance advice, eligibility inquiries, and claims status requests and responses. The current version of these standards is Version 5010, which all HIPAA-covered entities were required to use as of January 1, 2012. CMS also regulates the code sets for medical diagnoses and inpatient procedures. At the time of writing, the current code set is ICD-9, and the new version, ICD-10, was required to be adopted by HIPAA-covered entities by October 1, 2013 (that compliance date was subsequently pushed back more than once, which is exactly why this chapter tells you to check cms.gov for the current date). Figure 3-2 shows the CMS website homepage.

Figure 3-2 The CMS website is current and informative with the need-to-know facts and how to access resources the CMS provides.

Photo credit: http://www.cms.gov

The purpose of coding is to translate the care delivered in a hospital into standardized numeric or alphanumeric codes. For example, whenever a doctor examines a patient, a nurse administers a drug by syringe, or a patient receives a diagnosis, a code must be generated to represent that service and its associated expense. When healthcare providers enter information into a patient’s chart, that documentation is eventually routed to a medical coding specialist, who translates the charted record of the patient’s stay into codes so that insurance companies can be billed correctly for the hospital’s expenses.

Covered entities had to upgrade to the Version 5010 transaction standards before they could use ICD-10 codes: Version 5010 is the claim format that can carry ICD-10 codes, and the older Version 4010 could not. The transition to Version 5010 was scheduled more than a year and a half before the transition to ICD-10 so that any kinks in the 5010 transition would be worked out before the ICD-10 transition added its own.

The transition from ICD-9 to ICD-10 was needed because ICD-9 is too restrictive in the amount of information a code can communicate. With ICD-10, a single code can report more specifically what was wrong with a patient and how the patient was treated. ICD-10 codes are longer (up to seven characters instead of five) and there are approximately 55,000 more of them. For example, if a physician charts “initial encounter for a stress fracture of the right tibia,” the most specific ICD-9 code available is 733.93, “stress fracture of tibia or fibula.” That discards a lot of information about this patient’s condition: which bone, which side, and the fact that this is the initial encounter cannot be expressed in the ICD-9 code at all and survive only in the narrative documentation. With ICD-10, the coder reports those details in one longer code chosen from a much larger set. “Initial encounter for a stress fracture of the right tibia” is reported in ICD-10 as M84.361A, where the final character A denotes the initial encounter.

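As an added example (not from the book), here is a Python check of the kind a claims-intake system should run on diagnosis codes before they reach billing: it validates the structure of ICD-9-CM and ICD-10-CM codes, decomposes the ICD-10 code from the text into its category, subcategory, and seventh-character extension, enforces the ICD-10-CM rule that a seventh character requires a full seven-character code with X placeholders, and shows why the code system must travel with the code (V72.3 is well-formed under both systems). The regexes describe the public code structure; the 4010/5010 limits in TRANSACTION_SYSTEMS and MAX_LEN are a simplification for illustration, and the labels given to the decoded pieces are mine, not a code lookup.

```python
"""Added example (not from the book): structural validation of ICD-9-CM and
ICD-10-CM diagnosis codes before they reach a billing system.

Assumptions, labelled: the regexes are the public code structure; the 4010/5010
limits are a simplification for illustration; the names given to the decoded
pieces are illustrative, not a code lookup.
"""
from __future__ import annotations

import re
from typing import Optional

# ICD-9-CM diagnosis code: 3 digits, V + 2 digits, or E + 3 digits, followed by
# an optional decimal part of one or two digits (3 to 5 characters in all).
ICD9_RE = re.compile(r"^(?P<cat>V\d{2}|E\d{3}|\d{3})(?:\.(?P<sub>\d{1,2}))?$")

# ICD-10-CM diagnosis code: letter, digit, alphanumeric (the category), then an
# optional decimal part of up to four alphanumerics (3 to 7 characters in all).
ICD10_RE = re.compile(r"^(?P<cat>[A-Z]\d[A-Z0-9])(?:\.(?P<sub>[A-Z0-9]{1,4}))?$")


def parse_icd9(code: str) -> Optional[dict]:
    """Return the parts of a well-formed ICD-9-CM code, or None."""
    m = ICD9_RE.match(code.strip().upper())
    if m is None:
        return None
    sub = m["sub"] or ""
    return {"system": "ICD-9-CM", "category": m["cat"], "subclass": sub,
            "compact": m["cat"] + sub}  # compact = the form carried in a claim


def parse_icd10(code: str) -> Optional[dict]:
    """Return the parts of a well-formed ICD-10-CM code, or None.

    Enforces the seventh-character rule: a code that carries an extension
    (for example the A in M84.361A) must be exactly seven characters long,
    with X placeholders filling any unused 4th-6th positions, and a
    placeholder X is only legal when such an extension is present.
    """
    m = ICD10_RE.match(code.strip().upper())
    if m is None:
        return None
    compact = m["cat"] + (m["sub"] or "")
    extension = compact[6] if len(compact) == 7 else ""
    if extension == "X":
        return None  # X is a placeholder, never an extension itself
    if "X" in compact[3:6] and not extension:
        return None  # placeholder present but nothing for it to position
    return {"system": "ICD-10-CM", "category": m["cat"],
            "subcategory": compact[3:6] if extension else compact[3:],
            "extension": extension, "compact": compact}


# Simplified capacity model (assumption for illustration): Version 4010 carried
# ICD-9-CM codes only, up to 5 characters; Version 5010 carries ICD-9-CM or
# ICD-10-CM codes up to 7 characters. This is why 5010 had to come first.
TRANSACTION_SYSTEMS = {"4010": {"ICD-9-CM"}, "5010": {"ICD-9-CM", "ICD-10-CM"}}
MAX_LEN = {"4010": 5, "5010": 7}
PARSERS = {"ICD-9-CM": parse_icd9, "ICD-10-CM": parse_icd10}


def validate_claim_code(code: str, system: str, version: str) -> bool:
    """True if `code` is well-formed for `system` and can be carried in a
    `version` transaction. The code system is an explicit input on purpose:
    a code such as V72.3 is well-formed under both systems, so a claim must
    state which one it means rather than let the receiver guess."""
    if system not in PARSERS or version not in MAX_LEN:
        return False
    parsed = PARSERS[system](code)
    if parsed is None or system not in TRANSACTION_SYSTEMS[version]:
        return False
    return len(parsed["compact"]) <= MAX_LEN[version]


def ambiguous_systems(code: str) -> list[str]:
    """Names of the code systems under which `code` is well-formed."""
    return [name for name, parser in PARSERS.items() if parser(code) is not None]


if __name__ == "__main__":
    # Constructed inputs: the two codes from the text plus a few edge cases.
    for code, system, version in [("733.93", "ICD-9-CM", "4010"),
                                  ("M84.361A", "ICD-10-CM", "4010"),
                                  ("M84.361A", "ICD-10-CM", "5010"),
                                  ("M84.36X", "ICD-10-CM", "5010")]:
        print(f"{code:9} {system:9} v{version}: "
              f"{validate_claim_code(code, system, version)}")
    print("V72.3 is well-formed under:", ambiguous_systems("V72.3"))
```

The point of taking the code system as an explicit input rather than inferring it from the code's shape is the same one the 5010 transition forced on everyone: a receiver that guesses the code set from a bare string will mis-price or reject claims, and a validator that accepts any shape will pass garbage through to the billing system.
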
Office of the National Coordinator for Health Information Technology (ONC)

Office of the National Coordinator for Health Information Technology (ONC)—http://www.healthit.hhs.gov: This office of the HHS was created to promote a national HIT infrastructure and oversee its development. The ONC was created by executive order in 2004 and written into legislation by the HITECH Act in 2009, which pushes healthcare providers toward electronic storage and processing of patient data through incentives and, later, penalties. The ONC does not test products itself; it authorizes testing and certification bodies that certify EMR/EHR systems against ONC’s certification criteria. That certification is against ONC criteria, not a HIPAA compliance stamp, and a certified product still has to be configured and operated securely by the covered entity. Only certified EMR/EHR technology counts toward the monetary incentives, so healthcare providers and hospitals must use it if they want to qualify. Figure 3-3 shows the ONC website.

Figure 3-3 The ONC website is current and informative with the need-to-know facts and how to access resources the ONC provides.

Photo credit: http://www.healthit.hhs.gov

The U.S. government provides funding through various programs to encourage covered entities to adopt advanced healthcare technology such as EMR/EHR information systems. Adoption is staged, with a deadline for each stage; covered entities that meet a stage’s criteria by its deadline receive incentive payments. The incentive deadlines fall before the dates by which covered entities are required to have made the transition, and once a required deadline is missed, the U.S. government begins applying penalties for noncompliance. It serves covered entities well to be ahead of the game by transitioning sooner rather than later.

Office for Civil Rights (OCR)

Office for Civil Rights (OCR)—http://www.hhs.gov/ocr: This office of the HHS is responsible for protecting Americans against discrimination and for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The OCR fulfills this responsibility through education to prevent violations and through investigation of complaints about violations of these rules. Most investigations are resolved by the covered entity itself taking corrective action and disciplining its own workforce; OCR intervenes directly, with resolution agreements or civil money penalties, only where that fails. Complaints about violations are filed with the OCR. Figure 3-4 shows the OCR website.

Figure 3-4 The OCR website is current, informative, and offers instructions on how to file a complaint about a privacy violation.

Photo credit: http://www.hhs.gov/ocr

National Institute of Standards and Technology (NIST)

National Institute of Standards and Technology (NIST)—http://www.nist.gov—This agency is part of the U.S. Department of Commerce. The goal of NIST is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that improve economic security and quality of life. NIST also publishes guidance that covered entities use directly, for example Special Publication 800-66, an introductory resource guide for implementing the HIPAA Security Rule. In healthcare, NIST aims to do the following:

  • Create opportunities for accelerated research and development of HIT.
  • Improve the usefulness of HIT and remote healthcare.
  • Develop the security of HIT.

Figure 3-5 shows the NIST website.

Figure 3-5 The NIST website is current and informative of its activities.

Photo credit: http://www.nist.gov

Now that you have learned about the agencies for healthcare, turn your attention to the programs and laws that these agencies offer and enforce.

Healthcare Programs

Government agencies use social programs to fulfill the responsibilities assigned to them; programs ensure that benefits are accessible to those who qualify. The two most significant healthcare programs are Medicare and Medicaid, both by number of beneficiaries and by expenditure.

The Medicare—http://www.medicare.gov—social insurance program is for hospital and medical care for elderly and certain disabled citizens. Medicare is provided by the U.S. government. Medicare was created as an amendment to the Social Security Act in 1965. Medicare is regulated and administered at the federal level. Figure 3-6 shows the Medicare website homepage.

Figure 3-6 The Medicare website is current and informative with the need-to-know facts and how to access resources Medicare provides.

Photo credit: http://www.medicare.gov

The Medicaid—http://www.medicaid.gov—social welfare program provides health and medical services for certain low-income citizens and families with few resources. Medicaid was created as an amendment to the Social Security Act in 1965 and is funded jointly by the federal government and the states. Federal law sets the program’s baseline requirements and CMS oversees it, but state participation is voluntary (every state does participate), and each state administers its own program, setting eligibility standards, scope of services, and payment rates within the federal rules. Figure 3-7 shows the Medicaid website.

Figure 3-7 The Medicaid website is current and informative with the need-to-know facts and how to access resources Medicaid provides.

Photo credit: http://www.medicaid.gov

Healthcare Laws

Laws passed by Congress define the scope of the responsibilities assigned to each agency and clarify the manner and intent of the government. HIPAA, ARRA, and HITECH are all acts of Congress meant to improve healthcare in the United States.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA)—http://www.hhs.gov/ocr/privacy—was enacted in 1996. Beyond its insurance-portability provisions, its Administrative Simplification provisions standardize electronic healthcare transactions and set the rules every covered entity must follow to protect patient health information, which is what made the move from paper to electronic health records workable. The Office for Civil Rights (OCR) enforces the following HIPAA rules:

  • Privacy Rule: Establishes national standards to protect individuals’ protected health information (PHI) in any form (paper, oral, or electronic) held by a covered entity or its business associates. It governs who may use or disclose PHI, for what purposes, and limits each use or disclosure to the minimum necessary for that purpose.
  • Security Rule: Establishes national standards for protecting electronic PHI (e-PHI) specifically: the administrative, physical, and technical safeguards governing how e-PHI is stored, accessed, and transmitted.
  • Breach Notification Rule: Added to HIPAA by the HITECH Act. Requires covered entities (and, through them, business associates) to notify affected individuals, the HHS Secretary, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets when unsecured PHI has been breached. PHI encrypted in accordance with HHS guidance is not considered unsecured, so the loss of a properly encrypted device whose key was not exposed does not trigger this rule; that is the practical reason to encrypt e-PHI at rest and in transit.
  • Enforcement Rule: Establishes civil money penalties for HIPAA violations and the procedures that follow a violation, such as investigations and hearings.

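As an added example (not from the book), the following Python helper turns the facts of a confirmed breach into the list of notifications and outer deadlines the Breach Notification Rule requires, which is the triage an incident responder has to do in the first days after discovery. The thresholds and deadlines encoded below (60 calendar days for individual notice, HHS notice alongside it for 500 or more individuals or an annual log for fewer, media notice where more than 500 residents of one state or jurisdiction are affected, and the safe harbor for PHI that was encrypted per HHS guidance) are my summary of 45 CFR 164.400-414 and must be verified against the current rule at hhs.gov; the Breach and Notification types and the sample incident are constructed for the example.

```python
"""Added example (not from the book): incident-response triage for a breach of
unsecured PHI under the HIPAA Breach Notification Rule.

The thresholds and deadlines are the editor's summary of 45 CFR 164.400-414
(added to HIPAA by HITECH) and must be checked against the current rule at
hhs.gov; the Breach/Notification types and the sample incident are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Breach:
    discovered: date                   # date the breach was (or should have been) discovered
    affected_total: int                # individuals whose PHI was involved
    affected_by_state: dict[str, int]  # state/jurisdiction -> residents affected
    phi_was_secured: bool = False      # encrypted/destroyed per HHS guidance, key not exposed


@dataclass
class Notification:
    recipient: str
    deadline: date   # outer limit; the rule also says "without unreasonable delay"
    basis: str       # the section of 45 CFR 164 the obligation comes from


def plan_notifications(b: Breach) -> list[Notification]:
    """Return the notifications the rule requires for breach `b`.

    Safe harbor: PHI rendered unusable, unreadable or indecipherable per HHS
    guidance (for example encrypted, with the key not compromised) is not
    "unsecured", so its loss triggers no notification at all.
    """
    if b.phi_was_secured:
        return []
    plan: list[Notification] = []
    # 164.404: individual notice no later than 60 calendar days after discovery.
    individual_deadline = b.discovered + timedelta(days=60)
    plan.append(Notification("affected individuals", individual_deadline, "164.404"))
    # 164.408: 500 or more individuals -> notify HHS with the individual notice;
    # fewer -> keep a log and report it within 60 days after the calendar year ends.
    if b.affected_total >= 500:
        plan.append(Notification("HHS Secretary", individual_deadline, "164.408(b)"))
    else:
        year_end = date(b.discovered.year, 12, 31)
        plan.append(Notification("HHS Secretary (annual log)",
                                 year_end + timedelta(days=60), "164.408(c)"))
    # 164.406: prominent media in each state/jurisdiction where more than 500
    # residents are affected (note the strict "more than", unlike the HHS rule).
    for state, count in sorted(b.affected_by_state.items()):
        if count > 500:
            plan.append(Notification(f"prominent media in {state}",
                                     individual_deadline, "164.406"))
    return plan


def recipients(b: Breach) -> list[str]:
    """Just the recipient names, in the order the notifications are planned."""
    return [n.recipient for n in plan_notifications(b)]


if __name__ == "__main__":
    # Constructed incident: unencrypted backup tape stolen, discovered 1 March 2020.
    incident = Breach(date(2020, 3, 1), 1200, {"CA": 900, "NV": 300})
    for n in plan_notifications(incident):
        print(f"{n.deadline}  {n.recipient:28} ({n.basis})")
```

Two details in the code matter in practice: the 60-day figures are ceilings, not targets (the rule's operative words are "without unreasonable delay", and OCR has penalised entities that sat on a known breach until day 59), and the "discovered" date is the date the breach was known or should reasonably have been known to anyone in the workforce, not the date the security team finished its investigation.

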
Figure 3-8 shows the enforcement activities and results on the HIPAA website.

Figure 3-8 The HIPAA website is current and informative of the need-to-know facts.

Photo credit: http://www.hhs.gov/ocr/privacy/hipaa/enforcement

American Recovery and Reinvestment Act (ARRA)

The American Recovery and Reinvestment Act (ARRA)—http://www.recovery.gov—was passed in 2009 at the urging of President Obama to help citizens through the economic recession and is commonly called the Recovery Act. The Recovery Act provided hundreds of billions of dollars for tax cuts, funding for entitlement programs, and federal contracts, grants, and loans. Specific to healthcare, the Recovery Act provides funding to HHS branches such as the CMS and ONC. The Recovery Act is intended to help preserve and improve affordable healthcare in the United States. It also creates plans and incentives to assist Americans through challenges faced as a nation. Figure 3-9 shows the Recovery Act website.

Figure 3-9 The Recovery Act website is current and informative with the need-to-know facts and how to access resources the Recovery Act provides.

Photo credit: http://www.recovery.gov

Health Information Technology for Economic and Clinical Health (HITECH) Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act—http://www.healthit.hhs.gov—is part of the Recovery Act (Title XIII) and focuses on creating incentives and opportunity for the advancement of HIT through the ONC. The programs funded by the HITECH Act collectively aim to make EMRs/EHRs relevant and beneficial resources for all Americans; the act provides grants for education programs and monetary incentives for adopting certified EHR technology. HITECH also strengthened HIPAA itself: it added the Breach Notification Rule, made business associates directly liable for Security Rule compliance, and raised the civil penalties for violations. The HITECH Act also encourages communication within the healthcare community, within a state, and between states as HIT is advanced and implemented.

Now that you are familiar with programs and laws about healthcare, the following sections explain how these programs and laws are regulated.

Regulations of Healthcare Laws

Government agencies use regulations to ensure the intent of the government is carried out. It is in these regulations that healthcare providers and hospitals begin to understand the means and extent of the laws’ intent.

Two terms you will hear constantly in HIT are meaningful use and eligible provider. The HITECH Act (part of the Recovery Act) ties incentive payments to using certified EHR technology in a meaningful way, which is where the term “meaningful use” comes from. Meaningful use is what justifies the push to advance the technology and the incentives offered to accomplish that goal. Starting in 2011, the HITECH incentive programs pay providers that meet the meaningful use criteria, which are defined in stages with a deadline for each. Beginning in 2015, Medicare-participating providers that have not demonstrated meaningful use face payment reductions. Eligible providers (the programs’ own terms are eligible professionals and eligible hospitals) are covered entities that qualify to receive incentive money by meeting the meaningful use criteria.

Now that you know some background on the agencies, laws, and regulations, the following section shifts the focus to how the agencies and acts from the government regulate privacy.
