HITECH Meaningful Use and Promoting Interoperability
HITECH's EHR Incentive Programs evolved into the Medicare Promoting Interoperability program under MIPS; SRA attestation remains an annual requirement.
Primary source
CMS Promoting Interoperability Programs →https://www.cms.gov/regulations-guidance/promoting-interoperability/medicare-promoting-interoperability-program/about-medicare-promoting-interoperability-program
Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.
Additional sources
HITECH's Subtitle B authorized Medicare and Medicaid EHR Incentive Programs that paid eligible professionals and hospitals for adopting and demonstrating "meaningful use" of certified EHR technology. The programs ran from 2011 through transitions in 2017-2019 into the Medicare Promoting Interoperability Program (hospitals) and the Promoting Interoperability performance category of MIPS (eligible clinicians).
Annual SRA attestation remains a Promoting Interoperability measure. The attestation ties the HIPAA Security Rule risk analysis at 164.308(a)(1)(ii)(A) to a CMS payment program — a missing or stale risk analysis can fail the Promoting Interoperability measure and reduce MIPS scoring or, for hospitals, the Annual Payment Update.
Recent Promoting Interoperability rule updates (FY2024, FY2025) added measures for SAFER guides, public health reporting, and patient information exchange. The SRA measure has stayed structurally consistent: protect ePHI by conducting (and reviewing and updating) a security risk analysis.
The CMS Promoting Interoperability page maintains the current-year measure specifications, scoring weights, and submission deadlines.
Use this in your workspace
D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.
Related regulations
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- RegulationHITECH Act Overview (Pub. L. 111-5, Title XIII)Title XIII of the American Recovery and Reinvestment Act amended HIPAA in 2009 to add breach notification, direct business associate liability, increased penalties, and the Meaningful Use program.
- RegulationHIPAA Security Risk Analysis Standard (45 CFR 164.308(a)(1)(ii)(A))Required implementation specification: conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- RegulationHIPAA Security Rule: General Rules (45 CFR 164.306)Required objectives — confidentiality, integrity, and availability of ePHI — plus the flexibility provisions that govern how covered entities select and implement specific safeguards.
- GlossaryPromoting InteroperabilityThe CMS program (formerly Meaningful Use) that rewards demonstrated use of CEHRT to improve patient care.
- RegulationHITECH Business Associate Direct Liability (45 CFR 160.103, 164.502(a)(3))Business associates are directly liable for Security Rule compliance, breach notification, certain Privacy Rule provisions, and BAA flow-down to subcontractors.
- RegulationHITECH Electronic Copy Right and Sale-of-PHI ProhibitionTwo HITECH-era patient-rights expansions: the right to an electronic copy of EHR-resident PHI and the general prohibition on remuneration for PHI absent authorization.
- RegulationHITECH Enforcement Changes (42 USC 17939)HITECH expanded HIPAA enforcement with state attorney general civil actions, four-tier penalties, willful neglect mandatory investigation, and a percentage of CMPs to harmed individuals.
Last reviewed May 23, 2026 · Citation verified May 23, 2026
Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.