
Health Information Technology for Economic and Clinical Health Act

Strengthening HIPAA enforcement and expanding breach notification requirements

Established: 2009
Last Updated: 2013 (incorporated into the Omnibus Rule)
Scope: United States healthcare
Maximum Tier 4 penalty: $1.5M per year

// What is HITECH?

HITECH was enacted as part of the American Recovery and Reinvestment Act of 2009, primarily to promote electronic health record (EHR) adoption. However, its most significant cybersecurity impact came through substantially strengthening HIPAA enforcement and creating mandatory breach notification requirements.

Before HITECH, HIPAA's Security Rule lacked meaningful enforcement teeth. HITECH established a tiered penalty structure, extended liability to business associates, and required notification of breaches affecting unsecured protected health information. The law fundamentally changed how healthcare organizations approach cybersecurity.

The 2013 Omnibus Rule formally incorporated HITECH requirements into HIPAA regulations, creating the enforcement framework that exists today. OCR enforcement actions since HITECH have resulted in settlements and judgments totaling hundreds of millions of dollars.

// Inside the Regulation

HITECH's cybersecurity-relevant provisions focus on breach notification, enhanced penalties, business associate liability, and enforcement mechanisms that transformed HIPAA from an aspirational framework to an enforced regulation.

1. Breach Notification Requirements

Section 13402

Mandatory notification requirements for breaches of unsecured protected health information—the most operationally significant HITECH provision.

Individual Notification

Notify affected individuals without unreasonable delay, and no later than 60 days after discovery of the breach. Notification is written and sent by first-class mail, or by email if the individual has agreed to electronic notice.

HHS Notification

Notify the HHS Secretary of all breaches. Breaches affecting 500 or more individuals must be reported within 60 days and are posted publicly by HHS.

Media Notification

Breaches affecting 500 or more residents of a state or jurisdiction require notification of prominent media outlets serving that area.

Content Requirements

Notifications must describe what happened, the types of information involved, the steps individuals should take to protect themselves, what the organization is doing to investigate and mitigate, and contact information for questions.

Unsecured PHI Definition

Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance. Properly encrypted PHI therefore falls under a breach safe harbor.

2. Tiered Penalty Structure

Section 13410

HITECH established the penalty tiers now used for all HIPAA enforcement, replacing the previous, far more modest penalties.

Tier 1: Did Not Know

A violation the entity did not know about and could not reasonably have avoided through due diligence. $100 to $50,000 per violation.

Tier 2: Reasonable Cause

A violation due to reasonable cause rather than willful neglect. $1,000 to $50,000 per violation.

Tier 3: Willful Neglect (Corrected)

A violation due to willful neglect that is corrected within the required time. $10,000 to $50,000 per violation.

Tier 4: Willful Neglect (Not Corrected)

A violation due to willful neglect that is not corrected within the required time. $50,000 per violation, up to $1.5 million per year for each violation category.

3. Business Associate Liability

Section 13401

Extended HIPAA Security Rule requirements and enforcement directly to business associates, not only to covered entities.

Direct Liability

Business associates are directly liable for HIPAA Security Rule compliance, not merely through their contracts with covered entities.

Subcontractor Requirements

Business associates must ensure that subcontractors with access to PHI agree to the same restrictions and conditions that apply to them.

Independent Enforcement

OCR can investigate and penalize business associates directly for HIPAA violations, independent of any action against the covered entity.

4. Enforcement Enhancements

Additional enforcement mechanisms that strengthen the incentives for HIPAA compliance.

State Attorney General Enforcement

State attorneys general can bring civil actions for HIPAA violations affecting residents of their state, with penalties of up to $25,000 per violation category per year.

Percentage of Penalties to Harmed Individuals

HHS may share collected penalties with harmed individuals when appropriate.

Audits

HITECH requires periodic audits of covered entities and business associates for HIPAA compliance.

Note: The encryption safe harbor is critically important—a breach of properly encrypted PHI does not trigger notification. Organizations should implement encryption that meets NIST standards (as referenced in HHS guidance) to qualify for this protection and reduce their breach notification burden.

// Who Must Comply

  • HIPAA covered entities (healthcare providers, health plans, clearinghouses)
  • Business associates of covered entities
  • Subcontractors of business associates with PHI access
  • Health information exchanges
  • EHR and healthcare IT vendors

// Key Requirements

Breach Notification

Notify affected individuals, HHS, and (for large breaches) the media within 60 days of discovering a breach

Encryption Safe Harbor

Implement encryption meeting NIST standards so that lost or stolen data does not trigger notification requirements

Business Associate Agreements

Execute compliant Business Associate Agreements (BAAs) with all entities that access PHI, and ensure that their subcontractors comply as well

Security Rule Compliance

Business associates must independently comply with HIPAA Security Rule requirements

Breach Documentation

Document every breach, including the risk assessment performed, regardless of whether notification is ultimately required

Audit Readiness

Prepare for OCR audits with documented policies, risk assessments, and compliance evidence

// Enforcement & Penalties

HITECH's tiered penalty structure applies to all HIPAA violations. OCR enforcement has increased dramatically since HITECH, with major settlements and civil monetary penalties. Willful neglect violations carry the highest penalties, and those penalties cannot be waived.

Maximum Penalty

$1.5 million per violation category per year

Examples:

  • Anthem - $16 million settlement, largest HIPAA penalty to date (2018)
  • Premera Blue Cross - $6.85 million for breach affecting 10.4 million (2020)
  • UCLA Health System - $865,000 for celebrity medical record snooping (2011)
  • MD Anderson Cancer Center - $4.3 million for unencrypted device losses (2018, later reduced on appeal)

// Cyber Insurance Impact

Cyber insurers weight HIPAA/HITECH compliance heavily when underwriting healthcare organizations. Coverage for breach notification costs, regulatory defense, and settlements are key policy provisions. Encryption adoption directly reduces breach notification exposure, and business associate liability extends these insurance considerations throughout the healthcare supply chain.

// How Breach Craft Helps

We help organizations achieve HITECH compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges that HITECH imposes.

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873