HIPAA and HITECH

The relationship between HIPAA and HITECH began in 2009 with the American Recovery and Reinvestment Act – an Act introduced by the Obama administration to stimulate the economy by incentivizing investment in infrastructure, education, health, and renewable energy. Division A Title XIII and Division B Title IV of the American Recovery and Reinvestment Act – together known as the Health Information Technology for Economic and Clinical Health Act (HITECH) – set aside funds for the creation of a nationwide network of Health Information Exchanges and signaled the start of the Meaningful Use program.

As the Meaningful Use program incentivized healthcare providers to adopt technology in the provision of healthcare, HITECH had to take into account the HIPAA Privacy and Security Rules. Subtitle D of HITECH addressed concerns about the electronic transmission and storage of medical records, strengthened existing HIPAA Privacy and Security Rule provisions and introduced measures for the effective enforcement of HIPAA.

Subsequent updates to both HIPAA and HITECH frequently take each other’s regulations into account. For example, the HITECH Act 2009 strengthened the civil and criminal enforcement of HIPAA by enabling State Attorneys General to pursue cases for HIPAA violations on behalf of citizens, and it established the HIPAA Breach Notification Rule. The HIPAA Final Omnibus Rule 2013 then expanded the Breach Notification Rule as it applies to business associates by extending its criteria.

HIPAA and HITECH Act 2009: Enforcement

The most significant changes to HIPAA in the HITECH Act 2009 related to the Enforcement and Breach Notification Rules. Prior to HITECH, financial penalties for non-compliance with HIPAA were minor ($100 per violation up to a maximum of $25,000). Few fines were issued by the Office for Civil Rights (OCR) due to a lack of resources to investigate unauthorized uses and disclosures of Protected Health Information (PHI) and the failure to respond to patient access requests.

The introduction of “violation tiers” plus increased financial penalties meant it was no longer cheaper for covered entities to pay the fines rather than go through the process of becoming HIPAA compliant. The increased value of the fines (from $100 to $50,000 per violation up to a maximum of $1.5 million – subsequently adjusted for inflation) gave the OCR more resources to pursue non-compliant covered entities and enforce HIPAA. The penalties for HIPAA violations as of December 2025 are now:

Level of Culpability                          | Minimum Penalty per Violation Type | Maximum Penalty per Violation Type | Annual Penalty Limit
----------------------------------------------|------------------------------------|------------------------------------|---------------------
Lack of Knowledge                             | $141                               | $35,581                            | $35,581
Lack of Oversight                             | $1,424                             | $71,162                            | $142,355
Willful Neglect                               | $14,232                            | $71,162                            | $355,808
Willful Neglect not Corrected within 30 days  | $71,162                            | $2,134,831                         | $2,134,831

However, as a further incentive for covered entities and business associates to take their compliance obligations seriously, an amendment to the HITECH Act in 2021 gave the Department of Health and Human Services’ Office for Civil Rights (OCR) the discretion to waive or reduce the financial penalties for HIPAA violations if it could be demonstrated that the offending party had implemented a recognized security framework prior to a data breach or other security-related violation.

HIPAA and HITECH Act 2009: Breach Notification

Business associates have always had an obligation to safeguard PHI, but previously no direct legal requirement to comply with HIPAA. With the passage of the HITECH Act 2009, business associates became subject to the same legal requirement to comply with HIPAA and HITECH as covered entities, and they are now required to inform the covered entity that shared PHI with them of any disclosures of unsecured PHI.

The HIPAA Breach Notification Rule requires covered entities to notify individuals, OCR, and – in some cases – the media of an unauthorized disclosure of PHI. Notifications must be provided within sixty days of the discovery of a breach or when it is reported to the covered entity by the business associate. The exception to the sixty-day rule is when a breach affects fewer than 500 individuals. In these circumstances, individuals must be notified within sixty days, but notifications to OCR can be delayed until the end of the calendar year.

What is the Difference between HIPAA and HITECH?

The difference between HIPAA and HITECH is subtle. Both Acts address the security of electronic Protected Health Information (ePHI) and measures within HITECH support the effective enforcement of HIPAA – for example, the Breach Notification Rule and the HIPAA Enforcement Rule. However, there is a difference between HIPAA and HITECH with regards to patients’ rights.

Prior to HITECH, patients were unable to find out who their ePHI had been disclosed to (both authorized and unauthorized where known). In 2011, the Department of Health & Human Services published a HITECH-required Rule that allows patients to request an accounting of disclosures. These reports explain to patients who has accessed and viewed their ePHI and under what authority. The Rule was finalized in the HIPAA Omnibus Final Rule in 2013.

HIPAA vs HITECH: Which is More Important?

When it comes to “HIPAA vs HITECH”, neither Act is more important than the other. Covered entities and business associates (since the HITECH Act 2009) have to comply with both Acts if they create, use, transmit, or store Protected Health Information. What the HITECH Act 2009 effectively did for HIPAA was give OCR the powers to enforce the Breach Notification Rule and extend it to business associates.

If your business qualifies as a covered entity or business associate, and it is not up to speed with the requirements of both Acts, it is recommended the business undergoes HIPAA HITECH training. OCR can issue fines for non-compliance with either Act even if there is no breach of PHI or impermissible disclosure. A lack of knowledge about HIPAA vs HITECH is not an acceptable excuse.

What Does HIPAA HITECH Training Consist Of?

There is no set HIPAA HITECH training prescribed by OCR. In order to be compliant with HIPAA and HITECH, each individual covered entity and business associate has to conduct risk assessments to determine where gaps in its compliance efforts exist. HIPAA Security Rule risk assessments are now also a condition of acceptance in the Promoting Interoperability program (the new name for the Meaningful Use program).

Covered entities and business associates are required by law to provide training to members of their workforces. They have to train workforce members on the policies and procedures developed to comply with the HIPAA Privacy Rule, and they have to provide an ongoing security and awareness program to all members of their workforces – even those who have no interaction with PHI.

HIPAA and HITECH Privacy and Security Rules

In conclusion, it is sometimes stated that business associates only have to comply with the HIPAA Security Rule. That is not the case. Since the passage of HITECH and the amendments to HIPAA introduced by the Final HIPAA Omnibus Rule, business associates have to comply with the HIPAA Security Rule, the HIPAA Breach Notification Rule, and applicable standards of the HIPAA Privacy Rule “where provided”.

It may also be the case that organizations not covered by HIPAA are subject to the FTC’s Health Breach Notification Rule. Vendors of Personal Health Records (PHRs), PHR-related entities, and third-party service providers are required to report disclosures of unsecured PHI to the Federal Trade Commission, so it is advisable that any organization with access to PHI is aware of the HIPAA and HITECH Privacy and Security Rules.

HIPAA and HITECH FAQS

What are the four violation tiers for non-compliance with HIPAA?

The four violation tiers relate to the level of culpability following a HIPAA violation. They range from violations that realistically could not have been avoided with a reasonable amount of care to willful neglect where no attempt has been made to correct the violation. Each tier has its own minimum and maximum penalty range, which is adjusted each year to account for inflation. You can find out more information about the violation tiers and their respective penalties in this article.

Can covered entities be fined even when no data breach has occurred?

Although the Office for Civil Rights prefers to resolve HIPAA violations with corrective action when no data breach has occurred, the agency has recently cracked down on covered entities that fail to provide patients with access to their PHI within the 60 days allowed. In November 2020, the University of Cincinnati was fined $65,000 for the failure to provide timely access to patient records. This was the twelfth financial penalty in 2020 for right of access failures.

Which report allows patients to know who accessed and viewed their ePHI?

Under HIPAA, patients can request an “Accounting of Disclosures” report which lists any disclosures made to third parties over the previous six years for purposes other than treatment, payment, or operations. This list can include (but is not limited to) disclosures made to public health agencies, law enforcement officers, workers’ compensation programs, and coroners. Many states have additional requirements for what must be included in an accounting of disclosures document.

What HIPAA HITECH training are employees required to have by law?

Employee training is covered by 45 CFR § 164.530 and 45 CFR § 164.308. Respectively these standards stipulate staff must be trained on HIPAA policies and procedures, and that all members of the workforce must undergo security and awareness training. It is recommended by compliance professionals that refresher training is provided at least annually on HIPAA policies and procedures, while security and awareness training should be an ongoing program.

How is it possible to tailor HIPAA HITECH training to individual employees’ roles?

Although it may be impractical to tailor training to each individual’s role in a large organization, groups of employees with similar roles can be trained on common policies and procedures. For example, employees with public-facing roles should be trained on policies relating to the minimum necessary standard and patients’ rights, while office-based employees should receive training to reduce their susceptibility to phishing and other online threats.

How Did HITECH Change Workforce Penalties for Non-Compliance with HIPAA?

Prior to the passage of the HITECH Act, workforce non-compliance with HIPAA most often resulted in internal sanctions, referrals to licensing bodies, or – in the most serious cases – the involvement of law enforcement. The HITECH Act added a further level of penalties for non-compliance by “clarifying” that workforce members who knowingly and wrongfully disclose individually identifiable health information are in violation of §1177 of the Social Security Act.

In such cases, qualifying breach notifications received by HHS’ Office for Civil Rights are forwarded to the Department of Justice for investigation and prosecution. If a workforce member is found to be in violation of §1177 of the Social Security Act, the Department of Justice can pursue civil or criminal penalties – with the maximum penalties being a fine of up to $250,000 and imprisonment for up to ten years, depending on the motive for the violation.
