Skip to main content

Health Information Technology for Economic and Clinical Health Act

HITECH strengthened HIPAA by adding breach notification, extending direct liability to business associates, and creating tiered penalties, while promoting electronic health record adoption. It significantly raised enforcement stakes for mishandling protected health information.

Jurisdiction
United States

What HITECH Is and Why It Exists

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 as part of the American Recovery and Reinvestment Act. It had two reinforcing goals: to accelerate the adoption of electronic health records (EHRs) across US healthcare, and to strengthen the privacy and security protections for health information under the Health Insurance Portability and Accountability Act (HIPAA). HITECH provided incentives for "meaningful use" of EHRs while raising the stakes for mishandling protected health information.

It exists because digitizing health records promised major efficiency and quality gains, but those benefits depended on patients trusting that their sensitive data would be protected.

Who It Applies To

HITECH applies to the same universe as HIPAA: covered entities such as healthcare providers, health plans, and clearinghouses. Crucially, it extended direct statutory liability to business associates, the vendors and contractors that handle protected health information on behalf of covered entities. This brought a large ecosystem of technology and service providers squarely within enforcement reach.

Key Requirements

  • Breach notification: covered entities and business associates must notify affected individuals, the Department of Health and Human Services, and, for large breaches, the media, within defined timeframes.
  • Business-associate liability: business associates must comply directly with key HIPAA Security Rule provisions and face penalties for violations.
  • Stronger enforcement: HITECH introduced tiered penalties based on culpability and mandated investigations of willful neglect.
  • EHR adoption: incentive programs encouraged certified EHR use, with security and audit-control expectations.
  • Patient access to electronic copies of health information was reinforced.

Penalties for Non-Compliance

HITECH established tiered civil penalties scaled by the level of culpability, from unknowing violations to willful neglect, with substantial per-violation amounts and high annual caps. State attorneys general gained authority to bring actions. Egregious violations can also lead to criminal penalties. The breach-notification requirement, in particular, has driven significant settlements and reputational harm following large health-data breaches.

How to Comply

  • Treat business associates as directly accountable; use compliant agreements and verify their safeguards.
  • Implement HIPAA Security Rule controls, including access management, audit controls, and encryption of electronic protected health information.
  • Build a breach-detection and notification process that meets the statutory deadlines.
  • Maintain risk analyses and remediate findings to avoid "willful neglect" exposure.
  • Ensure EHR systems support security, auditing, and patient access requirements.

Encryption is especially valuable, since properly encrypted data that is lost or stolen may qualify for a breach-notification safe harbor.

The Encryption Safe Harbor in Practice

A practical cornerstone of HITECH is the breach-notification safe harbor for properly encrypted data. If protected health information is encrypted to the standards specified by HHS guidance and the encryption keys are not also compromised, the loss of that data is generally not a reportable breach. This single provision makes strong, well-managed encryption one of the highest-value investments a covered entity or business associate can make, reducing both breach risk and the costly, reputation-damaging notification process. Effective key management is essential, since encryption only provides the safe harbor when keys remain protected and separate from the encrypted data.