What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 as part of the American Recovery and Reinvestment Act. It significantly strengthened HIPAA by extending compliance requirements to business associates, establishing mandatory breach notification rules, increasing penalties for violations, and promoting the adoption of electronic health records (EHRs).
Key provisions of HITECH
The HITECH Act introduced several major changes to the HIPAA regulatory landscape:
Direct liability for business associates — before HITECH, business associates were only bound by their contractual obligations under BAAs. HITECH made business associates directly subject to HIPAA Security Rule requirements and certain Privacy Rule provisions, with the same penalties that apply to covered entities.
Mandatory breach notification — HITECH established the Breach Notification Rule, requiring covered entities and business associates to notify affected individuals, HHS, and in some cases the media when a breach of unsecured PHI occurs. Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example through encryption that follows HHS guidance; a loss of properly encrypted data therefore does not by itself trigger the notification duty. This was a major shift from the pre-HITECH environment, where breach notification was not consistently required.
Increased penalties — HITECH introduced a tiered penalty structure with significantly higher fines:
- Tier 1: Lack of knowledge — $100 to $50,000 per violation
- Tier 2: Reasonable cause — $1,000 to $50,000 per violation
- Tier 3: Willful neglect (corrected) — $10,000 to $50,000 per violation
- Tier 4: Willful neglect (not corrected) — $50,000 per violation
- Annual maximum of $1.5 million per violation category
State attorney general enforcement — HITECH granted state attorneys general the authority to bring civil actions against entities that violate HIPAA, adding another layer of enforcement beyond the federal OCR.
EHR adoption incentives — HITECH provided financial incentives for healthcare providers to adopt certified electronic health record systems through the Medicare and Medicaid EHR Incentive Programs (later renamed the Promoting Interoperability Programs).
The Omnibus Rule
In 2013, HHS issued the HIPAA Omnibus Rule to implement many of HITECH's provisions. The Omnibus Rule:
- Finalized the breach notification requirements
- Modified the Privacy Rule to strengthen individual rights
- Updated the enforcement provisions with the tiered penalty structure
- Extended Security Rule requirements directly to business associates
- Required updates to BAAs to reflect the new requirements
Impact on business associates
The HITECH Act fundamentally changed the compliance landscape for business associates. Before HITECH, a business associate's HIPAA obligations were primarily contractual. After HITECH, business associates face direct regulatory liability, including:
- OCR audits and enforcement actions
- Civil and criminal penalties
- Breach notification obligations
- Full compliance with the HIPAA Security Rule
This shift motivated many technology companies and service providers to invest in formal HIPAA compliance programs for the first time.
Impact on breach response
The mandatory breach notification requirements changed how organizations respond to security incidents involving PHI:
- Individual notification must occur without unreasonable delay and no later than 60 days after the breach is discovered
- HHS notification is required for all breaches (immediately for breaches affecting 500+ individuals, annually for smaller breaches)
- Media notification is required for breaches affecting 500+ individuals in a single state or jurisdiction
- Business associates must notify the covered entity of breaches, which then triggers the covered entity's notification obligations
How episki helps
episki incorporates HITECH requirements into its HIPAA compliance framework, including breach notification workflows, business associate tracking, and the enhanced security controls required under the act. The platform helps both covered entities and business associates maintain compliance with the full scope of HIPAA and HITECH obligations. Learn more on our HIPAA compliance page.