HITECH Act and Medical Records: Breach Notification, EHR Access, and Penalties


Kevin Henry

Data Breaches

July 27, 2024


Breach Notification Requirements

What triggers notification

A breach occurs when Protected Health Information is acquired, accessed, used, or disclosed in a manner not permitted by the HIPAA Privacy Rule. Notification is required only if the incident involves Unsecured Protected Health Information—PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through strong encryption and proper key management).

Risk assessment before notifying

You must evaluate whether there is a low probability that PHI has been compromised. Consider: the nature and extent of the PHI; the unauthorized person who used or received it; whether the PHI was actually viewed or acquired; and the extent to which the risk has been mitigated. If the assessment shows a low probability of compromise, notification is not required, but you should document your analysis.

Who to notify and when

  • Individuals: Notify each affected person without unreasonable delay and no later than 60 calendar days after discovery. “Discovery” is the first day the breach is known or should reasonably have been known to your organization.
  • Secretary of HHS: For breaches affecting 500 or more individuals, notify the Secretary without unreasonable delay and no later than 60 days from discovery. For fewer than 500, log the incident and submit to the Secretary no later than 60 days after the end of the calendar year in which the breach occurred.
  • Media: If 500 or more residents of a single state or jurisdiction are affected, provide notice to prominent media outlets in that area within the same 60-day period.
  • Business associates: A business associate must notify the covered entity without unreasonable delay, and provide the identities of affected individuals and other known details.

Content and method of notices

Notices must include a brief description of the breach, the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate harm, and your contact information. Send notices by first-class mail, or by email where the individual has agreed to receive notices by email. If contact information is insufficient or out of date for 10 or more individuals, provide substitute notice (e.g., a conspicuous website posting or notice in major media). Where misuse of the PHI appears imminent, provide urgent notice by telephone in addition to the written notice.

Penalties for Noncompliance

Civil Monetary Penalties under the HIPAA Enforcement Rule

The HITECH Act created a four-tier structure for Civil Monetary Penalties based on culpability, with per‑violation amounts that escalate from “did not know” up to “willful neglect not corrected,” and with annual caps per violation type. HHS also updates penalty amounts for inflation and has applied enforcement discretion on annual caps for certain tiers in recent years. Your exposure depends on both the tier and the number of violations.

How OCR determines penalty amounts

  • Nature and extent of the violation and resulting harm (including number of individuals and sensitivity of data).
  • History of prior compliance, corrective actions, or violations.
  • Timeliness of breach notification and cooperation with investigators.
  • Mitigation efforts, such as rapid containment and remediation.
  • Organizational size and financial condition, as relevant to penalty calculation.

Most matters resolve through resolution agreements and corrective action plans; OCR reserves formal penalties for egregious or uncorrected noncompliance.

Enforcement and Compliance Audits

Who enforces and how

The HHS Office for Civil Rights (OCR) enforces Privacy Standards Compliance through complaint investigations, breach reports, and proactive audits. OCR may conduct desk or on‑site reviews of your risk analysis, risk management, policies, workforce training, incident response, and Business Associate Agreements.

Audit focus areas and outcomes

  • Security safeguards around EHR systems, access controls, audit logs, and encryption.
  • Right‑of‑access processes, including response times, fees, and formats for Electronic Health Record Access.
  • Vendor oversight, including signed and current Business Associate Agreements and downstream subcontractor compliance.

Outcomes range from technical assistance to corrective action plans, settlement agreements, or Civil Monetary Penalties. State attorneys general may also bring civil actions for violations affecting their residents.


Patient Rights Regarding EHR Access

Scope of the right

You must provide individuals with timely access to their designated record set, including Electronic Health Record Access. Upon request, supply copies in the form and format requested if readily producible (for example, a PDF or a machine‑readable export) and transmit to a designated third party if the patient directs you in writing.

Timelines and fees

  • Timing: Fulfill requests within 30 calendar days; one 30‑day extension is allowed with written notice explaining the delay.
  • Fees: Only a reasonable, cost‑based fee is permitted—limited to labor for copying, supplies, and postage when applicable; retrieval or verification fees are not allowed, and per‑page fees do not apply to e‑copies.

Practical access standards

You cannot require patients to pick up records in person or to use a portal if they prefer another readily producible format. Limited grounds exist for denial (e.g., psychotherapy notes or information compiled for legal proceedings), and many denials must be reviewable by a licensed professional not involved in the original decision.

Business Associates' Responsibilities

Who is a business associate

Vendors that create, receive, maintain, or transmit PHI on your behalf—such as EHR hosting, billing, cloud storage, or analytics—are business associates. Subcontractors that handle PHI are held to the same standards.

Business Associate Agreements

You must execute written Business Associate Agreements that specify the permitted uses and disclosures of PHI, the safeguards the associate must implement, its breach reporting duties, its obligation to flow the same requirements down to subcontractors, its obligations to support individual access requests, the return or destruction of PHI at termination, and your right to audit the associate or obtain assurances of compliance.

Direct liability and breach obligations

Business associates have direct liability for impermissible uses or disclosures, insufficient safeguards, failing to provide breach notification to the covered entity, failing to execute required agreements, and not cooperating with OCR. They must perform risk analyses, implement security controls, maintain audit trails, and promptly report incidents involving Unsecured Protected Health Information.

Criminal Penalties for Wrongful Disclosure

When conduct becomes criminal

Criminal Disclosure Penalties apply when an individual knowingly obtains or discloses PHI in violation of HIPAA. Penalties escalate for offenses committed under false pretenses and for those committed for commercial advantage, personal gain, or malicious harm.

  • Knowing violation: fines and imprisonment up to 1 year.
  • False pretenses: higher fines and imprisonment up to 5 years.
  • Commercial advantage/personal gain/malicious harm: highest fines and imprisonment up to 10 years.

These provisions apply to workforce members and to individuals at business associates. HHS refers potential criminal cases to the Department of Justice for prosecution.

Bottom line: build a defensible compliance program—encrypt PHI, monitor EHR access, execute strong Business Associate Agreements, test your incident response, and meet access and breach‑notice deadlines—to reduce risk across civil and criminal exposure.

FAQs

What are the breach notification requirements under the HITECH Act?

Notify affected individuals without unreasonable delay and no later than 60 days after discovery of a breach involving Unsecured Protected Health Information. For incidents affecting 500 or more individuals, also notify the Secretary of HHS and, if 500 or more residents of a state or jurisdiction are affected, prominent media in that area. If fewer than 500 are affected, log the breach and report it to HHS no later than 60 days after the end of the calendar year. Notices must include what happened, the PHI involved, protective steps, your mitigation efforts, and contact information.

How are penalties for HITECH Act violations determined?

OCR applies the HIPAA Enforcement Rule’s four-tier Civil Monetary Penalties framework, which scales penalties by culpability and number of violations, subject to annual caps and periodic inflation adjustments. Aggravating and mitigating factors include the scope of harm, history of compliance, cooperation, corrective actions, and organizational size. Many cases resolve with a settlement and corrective action plan; formal penalties are used for serious or uncorrected noncompliance.

What rights do patients have regarding electronic health record access?

Patients have the right to timely Electronic Health Record Access to their designated record set in the requested form and format if readily producible, and to have records sent to a third party they designate. You must respond within 30 days (with one possible 30-day extension) and may charge only a reasonable, cost-based fee limited to labor, supplies, and postage when applicable.

What are the responsibilities of business associates under the HITECH Act?

Business associates must sign Business Associate Agreements, implement appropriate administrative, physical, and technical safeguards, perform risk analyses, and report breaches to the covered entity without unreasonable delay. They are directly liable for impermissible uses/disclosures, for lacking required safeguards or agreements, and for failing to cooperate with OCR, including during breach investigations and audits.
