HIPAA with teeth since 2009

HITECH Act: breach notification, real penalties, BA liability

HITECH transformed HIPAA from a set of guidelines into an enforced regulation. Mandatory breach notification, a four-tier penalty structure reaching $1.5M per violation type, and direct liability for business associates. BlackSheep tracks every HITECH requirement alongside HIPAA.

$249/month · All frameworks included · No credit card to start

  • Breach notification deadline: 60 days
  • Max annual penalty per violation type: $1.5M
  • Civil penalty structure: 4 tiers
  • Max criminal imprisonment: 10 yrs

What HITECH requires

HITECH didn't replace HIPAA — it strengthened it. These are the key areas where HITECH went further.

Breach Notification

HITECH made breach notification mandatory — not optional. Covered entities must notify individuals within 60 days, report to HHS, and notify media for large breaches.

  • Individual notification within 60 days of discovery
  • HHS notification for all breaches
  • Media notification if 500+ individuals in a state are affected
  • Business associates must notify covered entities without unreasonable delay
  • Annual reporting to HHS for breaches under 500 individuals

Enhanced Enforcement & Penalties

HITECH created a four-tier civil penalty structure and authorized state attorneys general to bring HIPAA enforcement actions for the first time.

  • Tier A: Did not know — $100–$50,000 per violation
  • Tier B: Reasonable cause — $1,000–$50,000 per violation
  • Tier C: Willful neglect, corrected — $10,000–$50,000 per violation
  • Tier D: Willful neglect, not corrected — $50,000 per violation
  • Annual cap of $1.5M per identical violation type
  • Criminal penalties up to $250,000 and 10 years imprisonment

Business Associate Liability

HITECH extended HIPAA Security Rule and Privacy Rule requirements directly to business associates. BAs are now directly liable for compliance — not just through contracts.

  • HIPAA Security Rule applies directly to BAs
  • Certain Privacy Rule provisions apply directly
  • BAs subject to same penalties as covered entities
  • Subcontractor chain of liability
  • Business associate agreements (BAAs) are mandatory

Technology & Access Requirements

HITECH promotes meaningful use of electronic health records and strengthens patient rights to access their health information electronically.

  • Patients have the right to electronic copies of their ePHI
  • Accounting of disclosures through EHR systems
  • Restrictions on sale of PHI without authorization
  • Minimum necessary standard strengthened
  • Marketing and fundraising restrictions tightened

Common questions about HITECH

If we're already HIPAA compliant, do we need to worry about HITECH separately?

HITECH is built on top of HIPAA — it's not a separate regulation you comply with independently. If your HIPAA program includes breach notification procedures and business associate agreements, and you understand the penalty structure, you're covering HITECH. BlackSheep tracks both together.

What makes a breach 'reportable' under HITECH?

Any acquisition, access, use, or disclosure of unsecured PHI in violation of HIPAA is presumed to be a breach unless you can demonstrate through a risk assessment that there is a low probability the PHI was compromised. That assessment weighs four factors: the nature and extent of the PHI involved, who accessed it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

Are business associates really directly liable now?

Yes. Before HITECH, business associates were only liable through their contractual obligations (BAAs). HITECH made them directly subject to HIPAA Security Rule requirements and certain Privacy Rule provisions. HHS can — and does — bring enforcement actions directly against business associates.

Can state attorneys general enforce HIPAA because of HITECH?

Yes. HITECH authorized state AGs to bring civil actions on behalf of state residents for HIPAA violations. This created a second enforcement pathway beyond HHS, and several states have used it. It means you can face enforcement from both federal and state authorities.

HITECH made the penalties real. Make your compliance real too.

BlackSheep tracks HIPAA and HITECH requirements together — breach notification timelines, business associate obligations, and every safeguard. One platform, audit-ready evidence.

$249/month. 30-day money-back guarantee.