HITECH ACT and Impact on HIPAA | Introduction and Overview

6. What is HITECH?

Answer: The Health Information Technology for Economic and Clinical Health (HITECH) Act, as described by the United States Department of Health and Human Services, was "...enacted as part of the American Recovery and Reinvestment Act of 2009...and signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology." Additionally, Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html

Specific elements of the HITECH Act that Covered Entities (CE) and Business Associates (BA) need to be aware of are the following:

  • Four (4) categories of violations that reflect increasing levels of culpability.
  • Four (4) corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation.
  • A maximum penalty amount of $1.5 million for all violations of an identical provision.
  • Removal of the previous bar on the imposition of penalties if a Covered Entity did not know, and with the exercise of reasonable diligence would not have known, of the violation (such violations are now punishable under the lowest tier of penalties).
  • A prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.


So what's really important to know about the HITECH Act for Covered Entities (CE) and Business Associates (BA)? That there are major fines for non-compliance with HIPAA, and that the entire notion of "breaches" is now assessed in a different light than before (a more realistic one, some would argue). What it also really means is that the days of HIPAA non-compliance are over: enforcement of fines and penalties is very real, so Covered Entities (CE) and Business Associates (BA) need to get serious, once and for all, about complying with the Health Insurance Portability and Accountability Act (HIPAA).

Additional points to note regarding HITECH for purposes of HIPAA compliance are the following:

  • Data breach notification requirements are now imposed for unauthorized uses and disclosures of "unsecured PHI."
  • Under the HITECH Act, "unsecured PHI" in essence means "unencrypted PHI."
  • Business Associates, unlike in the past, have direct compliance mandates for HIPAA, thanks to HITECH (and the HIPAA Omnibus Final Rule of January 2013).

Download HIPAA Policies and Compliance Toolkits Today
hipaapoliciesandprocedures.com also offers industry-leading HIPAA toolkits for both Covered Entities (CE) and Business Associates (BA), consisting of high-quality security policies and procedures, training material, readiness checklists and templates, essential legal forms, a HIPAA-specific disaster recovery manual, and much more. Learn about our industry-leading HIPAA compliance toolkits today.

If your organization is in need of a HIPAA audit, and/or SSAE 16 SOC 1 and SOC 2 assessments that include testing of HIPAA provisions and mandates, please contact Charles Denyer at 1-800-277-5415, ext. 705, with the NDB Alliance of Firms. Learn more about NDB by visiting ndbcpa.com today.