Comparing HITECH and HIPAA: Requirements for Business Associates and Covered Entities


Kevin Henry

HIPAA

July 21, 2024


Covered Entities Overview

Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. These entities create, receive, maintain, and transmit Protected Health Information (PHI) and must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

HIPAA sets baseline national standards for safeguarding PHI and individual rights. The HITECH Act strengthened these standards by enhancing enforcement, creating federal breach notification requirements, and expanding obligations that affect how covered entities manage vendors and data flows.

Business Associates Responsibilities

A business associate is any person or organization that performs services for a covered entity involving PHI, such as billing, claims processing, IT support, analytics, or cloud hosting. Under HITECH, business associates have direct liability for complying with the Security Rule and with certain Privacy Rule provisions; their obligations are no longer merely contractual promises.

Core responsibilities include implementing administrative, physical, and technical safeguards for ePHI; limiting uses and disclosures to what the Business Associate Agreement permits; supporting minimum necessary practices; and assisting covered entities with access, amendment, and accounting requests when the business associate maintains the relevant records.

Business Associate Agreements

A Business Associate Agreement (BAA) is a required written contract that specifies permitted and required uses and disclosures of PHI by the business associate. It must require safeguards aligned with the Security Rule and commitment to the Privacy Rule’s limitations, including minimum necessary standards.

Effective BAAs also require prompt breach reporting; ensure subcontractors agree to the same restrictions; address access, amendment, and accounting support; mandate return or secure destruction of PHI upon termination; and allow termination for a material breach. Many BAAs set notification timeframes shorter than HIPAA’s outer limits to accelerate response and mitigation.

Breach Notification Obligations

The Breach Notification Rule requires notices “without unreasonable delay” and no later than 60 calendar days after discovery. Business associates must notify the covered entity; covered entities must notify affected individuals, the Department of Health and Human Services, and, for breaches affecting 500 or more residents of a state or jurisdiction, prominent media outlets.

Risk assessment focuses on the nature and volume of PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and mitigation steps taken. If strong encryption or other controls prevent readable access, notification may not be required. Notices to individuals must outline what happened, the PHI involved, recommended steps to protect themselves, what the organization is doing, and contact information.


Penalties for Non-Compliance

HIPAA and HITECH use a tiered civil penalty framework based on culpability, ranging from lack of knowledge to willful neglect, with higher penalties when violations are left uncorrected. Amounts are set per violation with annual caps and are adjusted for inflation. Criminal penalties may apply to intentional wrongful disclosures of PHI.

Enforcement considers factors such as the nature and extent of the violation, harm to individuals, the organization’s size and resources, and remediation. HITECH also authorizes state attorneys general to bring civil actions. Demonstrating recognized security practices over time can reduce the scope of penalties and corrective action expectations.

Subcontractor Compliance

Subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate are themselves business associates. They carry direct liability for compliance, and the primary business associate must execute BAAs that flow down all required Privacy Rule and Security Rule obligations.

Practical controls include vendor due diligence, documented risk assessments, least-privilege access, encryption of ePHI, logging and monitoring, and incident response coordination. Clear contractual language and periodic reviews help ensure continuous compliance across the vendor chain handling PHI.

Documentation and Training Requirements

Both covered entities and business associates must document policies, procedures, risk analyses, risk management plans, sanction policies, BAAs, and breach assessments, and retain documentation for at least six years. Audit-ready records demonstrate how decisions were made and how controls operate in practice.

Workforce training is essential. Train employees initially and periodically on Privacy Rule principles, Security Rule safeguards, the Breach Notification Rule, phishing and social engineering, device security, and incident reporting. Reinforce roles and accountability, and document both completion and comprehension to support compliance and a security-aware culture.

In short, HIPAA sets the standards and HITECH amplifies them by imposing direct liability on business associates, mandating breach notifications, and strengthening enforcement. Align your contracts, controls, and workforce training to protect PHI and to demonstrate compliance end to end.

FAQs

What entities are considered covered entities under HIPAA and HITECH?

Covered entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in standard transactions. These organizations must protect PHI and comply with the Privacy Rule, Security Rule, and Breach Notification Rule. HITECH reinforces these obligations and affects how covered entities oversee vendors.

How does HITECH extend liability to business associates?

HITECH makes business associates directly liable for complying with the Security Rule and for certain Privacy Rule requirements. They can face enforcement for impermissible uses or disclosures, failure to safeguard ePHI, and failure to report breaches to the covered entity, among other violations.

What are the key requirements for business associate agreements?

BAAs must define permitted uses and disclosures of PHI, require Security Rule–level safeguards, mandate timely breach reporting, flow down obligations to subcontractors, support individual rights (access, amendment, accounting), ensure PHI is returned or destroyed at contract end, and allow termination for material breach.

When must breaches of PHI be reported?

Notifications must occur without unreasonable delay and no later than 60 calendar days after discovery. Business associates notify the covered entity; the covered entity notifies individuals, HHS, and, if 500 or more residents of a state or jurisdiction are affected, the media. Encrypted data that remains unreadable may not trigger notification.

What penalties apply for non-compliance with HIPAA and HITECH?

Penalties follow a tiered structure that scales with culpability, with per-violation amounts and annual caps that adjust for inflation. Agencies can also require corrective actions. Serious or intentional misconduct can lead to criminal penalties, and state attorneys general may bring civil actions under HITECH.
