HITECH Act and 42 U.S.C. HIPAA Requirements Explained for Organizations


Kevin Henry

HIPAA

July 20, 2024

9 minute read

If you create, receive, maintain, or transmit Protected Health Information, the HITECH Act and HIPAA (codified at 42 U.S.C. 1320d et seq.) set the guardrails for privacy, security, and enforcement. The implementing Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule define what you must do, how quickly you must act, and how penalties are applied. This guide explains the essentials for organizations and their business associates handling Electronic Protected Health Information.

Breach Notification Requirements

What triggers a reportable breach

A reportable breach is an acquisition, access, use, or disclosure of unsecured PHI that compromises privacy or security. You must conduct a risk assessment considering the nature and extent of PHI involved, the unauthorized person, whether PHI was actually viewed or acquired, and the extent of mitigation achieved. If PHI is secured (for example, properly encrypted), notification is generally not required.

Who you must notify and when

  • Individuals: Notify affected people without unreasonable delay and no later than 60 calendar days after discovery.
  • HHS: For breaches affecting 500 or more individuals, notify the Secretary contemporaneously with individual notice; for fewer than 500, log and report within 60 days after the end of the calendar year.
  • Media: If 500+ residents of a state or jurisdiction are affected, provide notice to prominent media outlets in that area.
  • Business associates: BAs must notify the covered entity without unreasonable delay and include, to the extent possible, each affected individual and the nature of the breach.

How to notify and what to include

Send written notices by first-class mail or electronically when the individual has agreed to electronic delivery. If contact information is insufficient for 10 or more individuals, provide substitute notice (such as a website posting) for at least 90 days. Notices should describe what happened, the types of PHI involved, steps individuals should take, what you are doing to mitigate harm and prevent recurrence, and how to reach you for more information.
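The notification tiers and timelines above, turned into a small deadline calculator an incident response plan could keep next to its pre-drafted templates. This is an added example, not code from the original article or from Accountable; the function name, the state-to-count mapping and the ISO date input are assumptions made for the illustration.

```python
from datetime import date, timedelta

# Thresholds and limits as stated in the Breach Notification Rule summary above.
INDIVIDUAL_DEADLINE_DAYS = 60     # outer limit; notice is still due without unreasonable delay
LARGE_BREACH_THRESHOLD = 500      # contemporaneous HHS notice and per-jurisdiction media notice
SUBSTITUTE_NOTICE_THRESHOLD = 10  # insufficient contact info for this many people -> substitute notice
SUBSTITUTE_NOTICE_MIN_DAYS = 90

def notification_plan(discovered_iso: str, affected_by_state: dict, insufficient_contact: int) -> dict:
    """Work out who must be notified and the outer deadline for each notice.

    discovered_iso: discovery date as YYYY-MM-DD; affected_by_state: state -> affected count.
    """
    discovered = date.fromisoformat(discovered_iso)
    total = sum(affected_by_state.values())
    individual_due = discovered + timedelta(days=INDIVIDUAL_DEADLINE_DAYS)
    if total >= LARGE_BREACH_THRESHOLD:
        hhs_due, hhs_timing = individual_due, "contemporaneous"
    else:
        # Logged and reported within 60 days after the end of the calendar year of discovery;
        # timedelta handles the leap-year case (Dec 31 + 60 days is Feb 29 or Mar 1).
        hhs_due = date(discovered.year, 12, 31) + timedelta(days=INDIVIDUAL_DEADLINE_DAYS)
        hhs_timing = "annual log"
    # Media notice is judged per state or jurisdiction, not on the overall total.
    media_states = sorted(st for st, n in affected_by_state.items() if n >= LARGE_BREACH_THRESHOLD)
    plan = {
        "total_affected": total,
        "individual_notice_due": individual_due.isoformat(),
        "hhs_timing": hhs_timing,
        "hhs_notice_due": hhs_due.isoformat(),
        "media_notice_states": media_states,
        "substitute_notice": insufficient_contact >= SUBSTITUTE_NOTICE_THRESHOLD,
    }
    if plan["substitute_notice"]:
        plan["substitute_notice_min_days"] = SUBSTITUTE_NOTICE_MIN_DAYS
    return plan

if __name__ == "__main__":
    # Constructed sample: 660 people, 620 of them in one state, discovered 15 March 2024.
    print(notification_plan("2024-03-15", {"CA": 620, "NV": 40}, insufficient_contact=12))
```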

Documentation and readiness

Maintain breach risk assessments, decision rationales, proof of notices, and timelines. Test your incident response plan, define decision-making authority, and pre-draft templates for individual, media, and HHS notifications to meet the Breach Notification Rule timelines.

Business Associate Compliance Obligations

Who is a business associate

A business associate (BA) is any non-workforce entity that performs functions or services for you involving PHI. Examples include EHR vendors, cloud providers, billing and coding firms, and analytics partners. Subcontractors that handle ePHI are also business associates.

Direct obligations under HITECH

  • Implement Security Rule safeguards for ePHI and comply with applicable Privacy Rule provisions (such as minimum necessary and permissible uses/disclosures).
  • Report breaches of unsecured PHI to the covered entity and support individual and HHS notifications.
  • Provide access, amendment, and accounting of disclosures where required, and flow down the same restrictions to subcontractors.
  • Maintain policies, workforce training, and documentation demonstrating compliance.

Business Associate Agreements (BAAs)

Execute written Business Associate Agreements specifying permitted uses/disclosures, breach reporting timeframes, safeguard requirements, subcontractor obligations, and termination/return-or-destruction terms. Review BAAs periodically and align them with your risk management program.

Oversight and lifecycle management

Perform due diligence before onboarding a BA, including security questionnaires and evidence reviews. Assign owners for each BA, track services and data flows, monitor performance and incidents, and offboard with verified data return or destruction.

Enhanced Enforcement and Penalties

Tiered civil penalties and factors

The Enforcement Rule applies a tiered structure based on culpability: unknowing, reasonable cause, willful neglect corrected, and willful neglect not corrected. Penalty amounts and annual caps vary by tier and are adjusted for inflation. OCR also weighs factors like harm, mitigation, organization size, prior history, and the presence or absence of a risk analysis.

Investigations, audits, and settlements

Enforcement can include compliance reviews, audits, corrective action plans, and multi-year monitoring. Many matters resolve via resolution agreements requiring targeted remediation, leadership accountability, and regular reporting to OCR.

State attorneys general and criminal exposure

HITECH authorizes state attorneys general to bring civil actions on behalf of residents for HIPAA violations. Separately, criminal penalties may apply for knowingly obtaining or disclosing PHI in violation of HIPAA, with enhanced sanctions for false pretenses or commercial advantage.


Patient Access to Electronic Health Records

Timeliness and format

You must provide individuals access to their records within 30 days of a valid request, with one 30-day extension if necessary and explained in writing. Provide ePHI in the form and format requested if readily producible (for example, secure email, portal download, or direct transmission to a third party designated by the individual).

Reasonable, cost-based fees

Any fee must be reasonable and cost-based, limited to labor for copying, supplies, and postage when applicable. Do not charge per-page fees for ePHI or impose retrieval fees. Fees cannot be used to discourage or delay access requests.

No unnecessary barriers

You cannot require individuals to use only a portal, make in-person trips, or use proprietary forms when a valid request contains the necessary elements. Verify identity reasonably, communicate securely, and clearly inform patients of any risks if they request unencrypted transmission.

Security Risk Assessment Procedures

An actionable, repeatable method

  • Define scope: include all systems, locations, vendors, devices, and workflows that create, receive, maintain, or transmit ePHI.
  • Inventory and map data flows: identify where ePHI resides and how it moves (EHR, cloud storage, email, backups, mobile, medical devices).
  • Identify threats and vulnerabilities: consider ransomware, misdirected mail/email, misconfigurations, lost devices, insider misuse, and third-party failures.
  • Assess likelihood and impact: apply a consistent scale, then calculate inherent risk for each scenario.
  • Evaluate existing controls: document administrative, physical, and technical safeguards already in place and their effectiveness.
  • Determine residual risk and prioritize: assign risk owners and due dates; record decisions to mitigate, accept, transfer, or avoid risk.
  • Document thoroughly: keep methods, findings, evidence, and remediation plans; this documentation is critical in Enforcement Rule reviews.
  • Review and update: reassess at least annually and upon major changes, incidents, or new vendors.
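The scoring and prioritization steps above (likelihood and impact on a consistent scale, inherent risk, credit for existing controls, residual risk, and a decision with an owner) carried through in code, producing the ranked risk register the next section describes. This is an added example, not code from the original article or from Accountable; the 1-5 scales, the multiplicative control model, the acceptance threshold of 15 and the sample scenarios are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed 1-5 ordinal scales: the single consistent scale the procedure asks for.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
HIGH_RISK_THRESHOLD = 15  # assumed acceptance threshold on the resulting 1-25 score

@dataclass
class Scenario:
    asset: str        # where ePHI resides or flows, from the inventory step
    threat: str
    likelihood: str
    impact: str
    controls: dict = field(default_factory=dict)  # control name -> effectiveness 0.0-1.0
    decision: str = "mitigate"                    # mitigate | accept | transfer | avoid
    owner: str = "unassigned"

def inherent_risk(s: Scenario) -> int:
    """Likelihood x impact before any existing safeguard is credited."""
    return LIKELIHOOD[s.likelihood] * IMPACT[s.impact]

def residual_risk(s: Scenario) -> float:
    """Assumed model: each control independently removes its share of what remains,
    so two 50%-effective controls leave 25% of the inherent score, never zero."""
    remaining = 1.0
    for effectiveness in s.controls.values():
        remaining *= 1.0 - effectiveness
    return round(inherent_risk(s) * remaining, 1)

def build_register(scenarios) -> list:
    """Rank scenarios by residual risk; flag accepted high risks for executive approval."""
    rows = []
    for s in scenarios:
        residual = residual_risk(s)
        rows.append({"asset": s.asset, "threat": s.threat, "owner": s.owner,
                     "inherent": inherent_risk(s), "residual": residual, "decision": s.decision,
                     "exec_approval": s.decision == "accept" and residual >= HIGH_RISK_THRESHOLD})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)

# Constructed sample scenarios drawn from the threat list above.
SCENARIOS = [
    Scenario("EHR database", "ransomware", "likely", "severe", owner="CISO",
             controls={"offline backups": 0.3, "EDR + patching": 0.5}),
    Scenario("clinic laptops", "lost or stolen device", "possible", "major", owner="IT lead",
             controls={"asset tracking": 0.2, "full-disk encryption": 0.9}),
    Scenario("billing vendor", "business associate breach", "likely", "severe",
             owner="Privacy Officer", decision="accept", controls={"BAA + questionnaire": 0.2}),
]
```

Running `build_register(SCENARIOS)` ranks the accepted vendor risk first and marks it for executive sign-off, which is exactly the record an Enforcement Rule review will ask to see.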

Risk Analysis and Mitigation Strategies

From findings to a living plan

Translate assessment results into a risk register with ranked items, risk owners, target dates, and measurable success criteria. Establish acceptance thresholds and require executive approval for any accepted high risks.

Practical, high-impact controls

  • Identity and access: enforce least privilege, unique IDs, multifactor authentication, and rapid offboarding.
  • Data protection: encrypt ePHI at rest and in transit, apply data loss prevention for email and cloud, and use vetted key management.
  • Hardening and patching: standard builds, prompt security updates, vulnerability scanning, and penetration testing focused on ePHI flows.
  • Network safeguards: segment clinical systems, restrict remote access, and monitor with centralized logging and alerting.
  • Resilience: maintain tested, offline-capable backups; practice disaster recovery and ransomware tabletop exercises.
  • People and process: role-based HIPAA training, phishing simulations, clear sanction policy, and rapid incident reporting channels.
  • Third-party risk: pre-contract due diligence, strong Business Associate Agreements, and continuous monitoring of vendors and subcontractors.
  • Privacy operations: apply the Privacy Rule’s minimum necessary standard, data minimization, retention schedules, and secure disposal.

Implementation of Safeguards for PHI

Administrative safeguards

  • Assign security and privacy officials; publish policies aligned to the Security Rule, Privacy Rule, and Breach Notification Rule.
  • Conduct ongoing Risk Analysis and risk management; implement security awareness and training with documented completion.
  • Manage workforce access, sanctions, and incident response; maintain contingency and emergency operations plans.
  • Execute and manage Business Associate Agreements; ensure subcontractor compliance mirrors your requirements.

Physical safeguards

  • Control facility access; log visitors; secure wiring closets and server rooms.
  • Protect workstations and portable devices; enable automatic screen locks and secure device storage.
  • Define device and media controls for receipt, transfer, reuse, and disposal, including certified destruction of drives and media.

Technical safeguards

  • Access controls: unique user IDs, emergency access procedures, automatic logoff, and encryption/decryption mechanisms.
  • Audit controls: centralized logging, regular review of access to ePHI, and alerting on anomalous behavior.
  • Integrity and transmission security: hashing or checksums to detect alteration and strong encryption for data in motion.
  • Authentication: verify the person or entity accessing ePHI and restrict API/service credentials to least privilege.

Conclusion

The HITECH Act strengthens HIPAA’s framework in 42 U.S.C. by clarifying breach duties, elevating business associate accountability, expanding patient access to electronic health records, and sharpening enforcement. When you pair disciplined Risk Analysis with layered safeguards, you reduce exposure and demonstrate a defensible compliance posture.

FAQs

What are the breach notification timelines under the HITECH Act?

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI. For breaches affecting 500 or more individuals, notify HHS at the same time; for fewer than 500, report to HHS within 60 days after the end of the calendar year. If 500+ residents of a state or jurisdiction are impacted, notify the media. Business associates must notify covered entities promptly and provide details needed for individual and HHS notices.

How does the HITECH Act affect business associate responsibilities?

HITECH makes business associates directly liable for complying with the Security Rule and certain Privacy Rule provisions. They must implement safeguards for Electronic Protected Health Information, execute Business Associate Agreements that mirror HIPAA limitations, report breaches, flow down requirements to subcontractors, and maintain documentation and training. Violations can result in civil and, in some cases, criminal penalties.

What penalties exist for non-compliance with HIPAA under the HITECH Act?

Penalties are tiered by culpability, with per-violation amounts and annual caps that vary by tier and are adjusted for inflation. OCR may also impose corrective action plans and monitoring. State attorneys general can bring civil actions, and criminal penalties may apply for knowingly obtaining or disclosing PHI in violation of HIPAA, especially when done under false pretenses or for personal gain.

How must organizations provide patient access to electronic health records?

Provide access within 30 days of a valid request, with one 30-day extension if necessary and explained in writing. Supply records in the requested form and format if readily producible (for example, secure email, portal export, or direct transmission to a third party). You may charge only a reasonable, cost-based fee for copying; do not impose per-page charges for ePHI or retrieval fees, and avoid barriers that delay or discourage patient access.
