Skip to main content
> HITECH

Health Information Technology for Economic and Clinical Health Act

Strengthening HIPAA enforcement and expanding breach notification requirements

Established: 2009 Last Updated: 2013 (incorporated into Omnibus Rule) Scope: United States Healthcare
$1.5M/year
Tier 4 Penalty

What did HITECH change about HIPAA enforcement?

The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in 2009, gave HIPAA's Security Rule real enforcement power. Before HITECH, penalties were modest and business associates faced no direct liability. HITECH created the tiered penalty structure now in use (up to $1.5 million per violation category per year), made business associates directly liable for Security Rule compliance, and introduced the mandatory Breach Notification Rule requiring covered entities to notify affected individuals, HHS, and in large breaches the media within 60 days of discovery. The 2013 HIPAA Omnibus Rule folded these HITECH provisions into the standing HIPAA regulations. HHS published a [proposed HIPAA Security Rule update](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html) in December 2024 that would further strengthen technical requirements; that rulemaking is still pending as of mid-2026. See our [HIPAA compliance page](/compliance/hipaa/) for the current Security Rule requirements.

// What is HITECH?

HITECH was enacted as part of the American Recovery and Reinvestment Act of 2009, primarily to promote electronic health record (EHR) adoption. However, its most significant cybersecurity impact came through substantially strengthening HIPAA enforcement and creating mandatory breach notification requirements.

Before HITECH, HIPAA's Security Rule lacked meaningful enforcement teeth. HITECH established a tiered penalty structure, extended liability to business associates, and required notification of breaches affecting unsecured protected health information. The law fundamentally changed how healthcare organizations approach cybersecurity.

The 2013 Omnibus Rule formally incorporated HITECH requirements into HIPAA regulations, creating the enforcement framework that exists today. OCR enforcement actions since HITECH have resulted in settlements and judgments totaling hundreds of millions of dollars.

// Inside the Regulation

HITECH's cybersecurity-relevant provisions focus on breach notification, enhanced penalties, business associate liability, and enforcement mechanisms that transformed HIPAA from an aspirational framework to an enforced regulation.

1

Breach Notification Requirements

Section 13402

Mandatory notification requirements for breaches of unsecured protected health information, the most operationally significant HITECH provision.

Individual Notification

Notify affected individuals without unreasonable delay, no later than 60 days after breach discovery. Written notification by first-class mail or email if individual agreed.

HHS Notification

Notify HHS Secretary of all breaches. Breaches affecting 500+ individuals require notification within 60 days and are posted publicly.

Media Notification

Breaches affecting 500+ residents of a state/jurisdiction require notification to prominent media outlets serving that area.

Content Requirements

Notifications must describe the breach, types of information involved, protective steps, investigation status, and contact information.

Unsecured PHI Definition

PHI not rendered unusable/unreadable through encryption or destruction per HHS guidance. Encryption creates a breach safe harbor.

2

Tiered Penalty Structure

Section 13410

HITECH established the penalty tiers now used for all HIPAA enforcement, replacing the previous modest penalties.

Tier 1: Did Not Know

Violation the entity did not know about and could not have reasonably avoided. $100-$50,000 per violation.

Tier 2: Reasonable Cause

Violation due to reasonable cause, not willful neglect. $1,000-$50,000 per violation.

Tier 3: Willful Neglect (Corrected)

Violation due to willful neglect that is timely corrected. $10,000-$50,000 per violation.

Tier 4: Willful Neglect (Not Corrected)

Violation due to willful neglect not timely corrected. $50,000 per violation, up to $1.5 million per year per violation category.

3

Business Associate Liability

Section 13401

Extended HIPAA Security Rule requirements and enforcement directly to business associates, not just covered entities.

Direct Liability

Business associates directly liable for HIPAA Security Rule compliance, not just through contracts with covered entities.

Subcontractor Requirements

Business associates must ensure subcontractors with PHI access agree to same restrictions and conditions.

Independent Enforcement

OCR can investigate and penalize business associates directly for HIPAA violations, independent of covered entity actions.

4

Enforcement Enhancements

Additional enforcement mechanisms strengthening HIPAA compliance incentives.

State Attorney General Enforcement

State AGs can bring civil actions for HIPAA violations affecting state residents, with penalties up to $25,000 per violation category per year.

Percentage of Penalties to Harmed Individuals

HHS may share collected penalties with harmed individuals when appropriate.

Audits

Required periodic audits of covered entities and business associates for HIPAA compliance.

Note: The encryption safe harbor is critically important: properly encrypted PHI that is breached does not require notification. Organizations should implement encryption meeting NIST standards to qualify for this protection and reduce breach notification burdens.

// Who Must Comply

  • 1 HIPAA covered entities (healthcare providers, health plans, clearinghouses)
  • 2 Business associates of covered entities
  • 3 Subcontractors of business associates with PHI access
  • 4 Health information exchanges
  • 5 EHR and healthcare IT vendors

// Key Requirements

Breach Notification

Notify individuals, HHS, and media (for large breaches) within 60 days of discovering a breach

Encryption Safe Harbor

Implement encryption meeting NIST standards to avoid notification requirements for lost/stolen data

Business Associate Agreements

Execute compliant BAAs with all entities accessing PHI and ensure subcontractor compliance

Security Rule Compliance

Business associates must independently comply with HIPAA Security Rule requirements

Breach Documentation

Document all breaches including risk assessments, regardless of whether notification is required

Audit Readiness

Prepare for OCR audits with documented policies, risk assessments, and compliance evidence

// Enforcement & Penalties

HITECH's tiered penalty structure applies to all HIPAA violations. OCR enforcement has dramatically increased since HITECH, with major settlements and civil monetary penalties. Willful neglect violations carry the highest penalties and cannot be waived.

Maximum Penalty

$1.5 million per violation category per year

Examples:

  • Anthem - $16 million settlement, largest HIPAA penalty to date (2018)
  • Premera Blue Cross - $6.85 million for breach affecting 10.4 million (2020)
  • UCLA Health System - $865,000 for celebrity medical record snooping (2011)
  • MD Anderson Cancer Center - $4.3 million for unencrypted device losses (2018, later reduced on appeal)

// Cyber Insurance Impact

Cyber insurers heavily weight HIPAA/HITECH compliance for healthcare organizations. Breach notification costs, regulatory defense, and settlement coverage are key policy provisions. Encryption adoption directly reduces breach notification exposure. Business associate liability extends insurance considerations throughout the healthcare supply chain.

// How Breach Craft Helps

We help organizations achieve HITECH compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of HITECH.

// Common Questions

What is the difference between HIPAA and HITECH?

HIPAA (1996) established the Privacy Rule and Security Rule framework for protecting patient health information. HITECH (2009) strengthened that framework by adding teeth: it created mandatory breach notification, raised civil penalties into tiered amounts, and made business associates directly liable for Security Rule compliance rather than relying solely on contracts with covered entities. The 2013 Omnibus Rule merged HITECH's provisions into HIPAA regulations, so today the two operate as one enforcement regime. In practice, when people refer to HIPAA compliance for cybersecurity purposes they are describing obligations shaped largely by HITECH.

What are HITECH's breach notification requirements?

When a breach of unsecured protected health information (PHI) occurs, covered entities must notify affected individuals without unreasonable delay, no later than 60 days after discovery. Breaches affecting 500 or more individuals in a state also require notification to prominent local media. All breaches must be reported to HHS; those affecting 500 or more go on the public HHS breach portal within 60 days. Smaller breaches can be batched in an annual report to HHS. Encrypted PHI that is lost or stolen is not a reportable breach, making encryption a practical compliance tool.

Are business associates directly liable under HITECH?

Yes. Before HITECH, business associates (vendors, IT providers, billing services) were bound only through contractual Business Associate Agreements (BAAs) with covered entities. HITECH changed that: business associates are now directly subject to the HIPAA Security Rule and face the same tiered penalties as covered entities. The HHS Office for Civil Rights can investigate and penalize a business associate independently of any action against the covered entity. That liability flows down: business associates must require their own subcontractors with PHI access to meet the same obligations.

What are HITECH's penalty tiers?

HITECH set four tiers based on culpability. Tier 1 (no knowledge, could not have avoided): $100 to $50,000 per violation. Tier 2 (reasonable cause): $1,000 to $50,000. Tier 3 (willful neglect, corrected): $10,000 to $50,000. Tier 4 (willful neglect, not corrected): $50,000 per violation, up to $1.5 million per violation category per calendar year. Willful neglect penalties cannot be waived. The Anthem settlement ($16 million in 2018) and Premera Blue Cross settlement ($6.85 million in 2020) illustrate how large enforcement actions have grown since HITECH took effect.

// Related Frameworks

// Industries That Need HITECH

These industries commonly require HITECH compliance as part of their regulatory obligations.

Guide last reviewed: June 16, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873