HITECH Act: Health IT and Strengthened HIPAA Enforcement
The HITECH Act (Health Information Technology for Economic and Clinical Health Act, 2009) promoted adoption of electronic health records and significantly strengthened HIPAA. It made business associates directly liable under HIPAA, created the Breach Notification Rule with tiered penalties, and expanded patients' rights to electronic copies of their records.
- Enforced by: HHS Office for Civil Rights (OCR)
- Applies to: Covered entities and business associates
- Penalty: Tiered HIPAA civil penalties (by culpability)
What is the HITECH Act?
HITECH was enacted in 2009 as part of the economic-stimulus package. It had two thrusts: pour money into electronic health record adoption (the "meaningful use" incentive programs), and put real teeth into HIPAA, which until then had weak enforcement. For billing operations, the enforcement half is what matters most day to day.
How did HITECH change HIPAA?
- Direct business-associate liability — vendors handling PHI are now directly accountable to OCR, not just to their clients by contract.
- Tiered penalties — civil monetary penalties scale by culpability, from unknowing violations up to willful neglect, with substantial annual caps.
- Breach Notification Rule — a formal duty to notify after breaches of unsecured PHI.
- Electronic access — patients gained a stronger right to electronic copies of their records.
How does breach notification work?
If unsecured PHI is breached, you must notify affected individuals without unreasonable delay and within 60 days, notify HHS, and for breaches affecting 500+ individuals notify prominent media in the area. Encryption meeting HHS standards creates a safe harbor: lost encrypted data generally is not a reportable breach.
What does HITECH mean for billing?
A billing company is a business associate and, post-HITECH, is squarely on the hook: it must implement Security Rule safeguards, sign BAAs, and can be investigated and fined directly by OCR. Practically, that means encrypted transmission of claims and remittances, access controls and audit logs, workforce training, and an incident-response plan. These controls also protect the integrity of your claims data, which matters when accuracy is a False Claims Act concern.
Frequently asked questions
What did the HITECH Act do?
HITECH, part of the 2009 stimulus (ARRA), funded the shift to electronic health records and toughened HIPAA. It made business associates directly liable for HIPAA compliance, established the Breach Notification Rule, set a tiered civil-penalty structure based on culpability, and strengthened patients' rights to obtain electronic copies of their health information.
How did HITECH change liability for billing companies?
Before HITECH, only covered entities faced direct HIPAA liability; billing companies were reached mainly through contracts. HITECH made business associates — including billing services and clearinghouses — directly liable to OCR for Security Rule compliance and certain Privacy Rule provisions. A billing company can now be investigated and penalized by OCR in its own right.
What happens when unsecured PHI is breached?
A breach of unsecured (unencrypted) protected health information triggers notification duties: notify affected individuals without unreasonable delay (and no later than 60 days), notify HHS, and for larger breaches notify prominent media. Properly encrypted data that is lost or stolen generally falls under a safe harbor and does not trigger notification, which is a strong reason to encrypt.
Reviewed by the ImmediCare Solutions RCM team
Certified billers and coders handling claims across 50+ specialties nationwide. This entry is reviewed against current payer policy and CMS rules. Last review: Jul 5, 2026.