
HITECH Act: Health IT and Strengthened HIPAA Enforcement

Reviewed by the ImmediCare RCM team
Quick answer

The HITECH Act (Health Information Technology for Economic and Clinical Health Act, 2009) promoted adoption of electronic health records and significantly strengthened HIPAA. It made business associates directly liable under HIPAA, created the Breach Notification Rule with tiered penalties, and expanded patients' rights to electronic copies of their records.

Enforced by: HHS Office for Civil Rights (OCR)
Applies to: Covered entities and business associates
Penalty: Tiered HIPAA civil penalties (by culpability)

What is the HITECH Act?

HITECH was enacted in 2009 as part of the economic-stimulus package. It had two thrusts: pour money into electronic health record adoption (the "meaningful use" incentive programs), and put real teeth into HIPAA, which until then had weak enforcement. For billing operations, the enforcement half is what matters most day to day.

How did HITECH change HIPAA?

  • Direct business-associate liability — vendors handling PHI are now directly accountable to OCR, not just to their clients by contract.
  • Tiered penalties — civil monetary penalties scale by culpability, from unknowing violations up to willful neglect, with substantial annual caps.
  • Breach Notification Rule — a formal duty to notify after breaches of unsecured PHI.
  • Electronic access — patients gained a stronger right to electronic copies of their records.

How does breach notification work?

If unsecured PHI is breached, you must notify affected individuals without unreasonable delay and within 60 days, notify HHS, and for breaches affecting 500+ individuals notify prominent media in the area. Encryption meeting HHS standards creates a safe harbor: lost encrypted data generally is not a reportable breach.

Working tip: Encrypt everything that leaves your walls — laptops, portable drives, and especially email carrying claim data or patient lists. A stolen encrypted laptop is a non-event; the same laptop unencrypted is a reportable breach with individual and HHS notifications.

What does HITECH mean for billing?

A billing company is a business associate and, post-HITECH, is squarely on the hook: it must implement Security Rule safeguards, sign BAAs, and can be investigated and fined directly by OCR. Practically, that means encrypted transmission of claims and remittances, access controls and audit logs, workforce training, and an incident-response plan. These controls also protect the integrity of your claims data, which matters when accuracy is a False Claims Act concern.

Frequently asked questions

HITECH, part of the 2009 stimulus (ARRA), funded the shift to electronic health records and toughened HIPAA. It made business associates directly liable for HIPAA compliance, established the Breach Notification Rule, set a tiered civil-penalty structure based on culpability, and strengthened patients' rights to obtain electronic copies of their health information.

Before HITECH, only covered entities faced direct HIPAA liability; billing companies were reached mainly through contracts. HITECH made business associates — including billing services and clearinghouses — directly liable to OCR for Security Rule compliance and certain Privacy Rule provisions. A billing company can now be investigated and penalized by OCR in its own right.

A breach of unsecured (unencrypted) protected health information triggers notification duties: notify affected individuals without unreasonable delay (and no later than 60 days), notify HHS, and for larger breaches notify prominent media. Properly encrypted data that is lost or stolen generally falls under a safe harbor and does not trigger notification, which is a strong reason to encrypt.


Reviewed by the ImmediCare Solutions RCM team

Certified billers and coders handling claims across 50+ specialties nationwide. This entry is reviewed against current payer policy and CMS rules. Last review: Jul 5, 2026.
