What Is the HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). It represented the most significant expansion of HIPAA since the original law was passed in 1996. HITECH had two primary objectives: to promote the adoption and meaningful use of electronic health records (EHRs), and to strengthen the privacy and security protections for health information by dramatically increasing HIPAA enforcement.
EHR Incentives and Meaningful Use
HITECH authorized the Centers for Medicare and Medicaid Services (CMS) to provide financial incentives to healthcare providers who demonstrated "meaningful use" of certified EHR technology. Eligible professionals could receive up to $44,000 through Medicare or up to $63,750 through Medicaid for adopting and meaningfully using certified EHR systems. Providers who failed to demonstrate meaningful use by specified deadlines faced payment adjustments — effectively a financial penalty — under Medicare.
Meaningful use was phased through three stages: Stage 1 focused on data capture and sharing, Stage 2 on advanced clinical processes, and Stage 3 on improved outcomes. This program drove widespread EHR adoption across the U.S. healthcare system, which in turn created a much larger volume of ePHI requiring HIPAA Security Rule protection.
Expanded Business Associate Obligations
One of HITECH's most significant changes was making business associates directly liable under HIPAA. Prior to HITECH, the HIPAA Privacy and Security Rules applied only to covered entities; business associates were contractually required to comply but were not directly regulated. HITECH changed this by making business associates directly subject to the Security Rule and certain Privacy Rule provisions.
HITECH also extended these obligations to subcontractors of business associates — creating a chain of accountability flowing from covered entities through business associates to their subcontractors. Any entity that creates, receives, maintains, or transmits ePHI on behalf of a covered entity (or a business associate) must now comply with HIPAA directly.
Increased Civil Penalties
HITECH dramatically increased the civil monetary penalties for HIPAA violations. The Act established four tiers of penalties based on the level of culpability:
- Did not know — $100 to $50,000 per violation, up to $1.5 million annually for identical violations
- Reasonable cause — $1,000 to $50,000 per violation, up to $1.5 million annually
- Willful neglect, corrected — $10,000 to $50,000 per violation, up to $1.5 million annually
- Willful neglect, not corrected — $50,000 per violation, up to $1.5 million annually
These penalty tiers were a dramatic increase from the pre-HITECH maximum of $100 per violation and $25,000 annually for identical violations.
Breach Notification Requirements
HITECH introduced the Breach Notification Rule, which requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media when unsecured PHI is breached. This was an entirely new obligation that did not exist under the original HIPAA framework. The Rule established the presumption that any impermissible use or disclosure constitutes a notifiable breach unless a risk assessment demonstrates a low probability of compromise.
Accounting of Disclosures Expansion
HITECH expanded individuals' right to an accounting of disclosures of their PHI. Under original HIPAA, the accounting right applied only to disclosures for purposes other than treatment, payment, and healthcare operations (TPO). HITECH directed HHS to expand the accounting right to include disclosures for TPO purposes made from EHR systems — though this particular provision was proposed but never finalized into regulation as of the time of writing.
State Attorney General Enforcement
HITECH granted state attorneys general new authority to bring civil actions on behalf of state residents for HIPAA violations. This created a second enforcement authority in addition to OCR, enabling states to independently investigate and pursue penalties for violations affecting their residents.
The Omnibus Rule of 2013
HHS finalized most of the HITECH requirements through the Omnibus Rule, published in January 2013, which took effect in March 2013. The Omnibus Rule incorporated the HITECH modifications into the HIPAA regulations, including the strengthened enforcement provisions, direct applicability to business associates, the Breach Notification Rule, and expanded individual rights.