Insist on certification
Earlier this year, the Obama Administration introduced the HITECH Act, which offers up to $44,000 in total incentives per physician for meaningful use of a certified EHR starting in 2011. This incentive has prompted much discussion on the true definition of “meaningful use” and “certified EHR.”
However, a major component of the HITECH Act is being overlooked: under the HITECH Act, healthcare providers are now directly subject to HIPAA security and privacy requirements, as well as to the same civil and criminal penalties that hospitals, pharmacies and other HIPAA-covered entities face for violations. This means that physicians who implement an EHR that then results in HIPAA violations can face fines as hefty as $50,000 per occurrence.
For small medical practices that have no experience implementing IT systems, let alone secure networks, this should be a major concern. To make matters worse, many EHR software companies compound the situation by allowing physicians to set up an insecure storage server in the office to hold these sensitive electronic medical records, assuring them “not to worry about IT.”
Therefore, before taking advantage of HITECH, it is imperative for physicians to ask themselves and their service providers: “Are my patient records secure?” This includes all service providers working with the physician, such as IT support and medical billing services. Not only do physicians need to be concerned that they are successfully securing their own internal infrastructure, but also that their service providers interacting with that infrastructure are secure as well.
The challenges at hand are new for healthcare providers just entering the “IT world”; however, we can look to industries that have traveled this ground before. The finance industry is well acquainted with these challenges. As a result, that industry now has several certifications available to ensure data security and the security of IT services. Financial services firms require that any IT service provider that will be hosting data, providing IT services or accessing IT systems must have a combination of SAS-70 Type II certification and SysTrust certification.
SAS-70 and SysTrust are certifications developed and maintained by the American Institute of Certified Public Accountants that ensure service organizations, such as IT companies, billing services and EHR hosting providers, have control policies and procedures in place to guarantee the security and confidentiality of data.
For financial companies, this ensures that financial data is stored securely; for healthcare, it does the same for patient information. SAS-70 certification is a must-have for any company that will be hosting electronic health records for medical practices. SysTrust is a must-have for companies that will be interacting with the physician’s computer and EHR system (such as IT service companies and medical billing companies).
To ensure compliance with HIPAA and avoid the stiff penalties of the HITECH Act, healthcare providers should demand the same of their healthcare IT service providers. The financial industry has a long history of lessons learned regarding the security of IT systems and the sensitivity of financial data. Why should healthcare reinvent the wheel rather than learn from these lessons? Physicians today need to demand SAS-70 and SysTrust certification from their service providers to ultimately protect the confidentiality of patient information – and their own business viability.
John O’Keefe is CEO of ITelagen, a leading provider of healthcare IT services for practices that utilize electronic medical records.