HITECH Act Compliance Guide: What Covered Entities and Business Associates Need
Kevin Henry

HIPAA

July 28, 2024
Covered Entities Overview

The HITECH Act strengthens HIPAA by expanding accountability for protecting Electronic Protected Health Information (ePHI). Covered entities include health plans, most health care providers that conduct standard electronic transactions, and health care clearinghouses. If you fit one of these categories, you are directly responsible for meeting HIPAA Privacy, Security, and Breach Notification Rule requirements.

Your core obligations focus on limiting uses and disclosures of PHI, safeguarding ePHI, honoring individual rights (access, amendments, and accounting of disclosures), and documenting policies, procedures, and decisions. If you are a hybrid entity, you must clearly designate your health care components and ensure protections extend to any unit that handles PHI.

Operationally, you should inventory where ePHI resides, map data flows, and identify all vendors and subcontractors that create, receive, maintain, or transmit ePHI on your behalf. This foundation drives your Security Rule compliance program and your Risk Assessment schedule.

Business Associates Responsibilities

The HITECH Act makes business associates (BAs) directly liable for many HIPAA requirements. If you provide services to a covered entity—such as cloud hosting, EHR support, billing, claims processing, analytics, or managed IT—you are a BA when you handle ePHI, even if access is incidental or data is encrypted and you cannot routinely view it.

As a BA, you must implement the HIPAA Security Rule, follow applicable Privacy Rule provisions (minimum necessary, permitted uses and disclosures, and support for individual rights where required), and report breaches and security incidents. You must also execute Business Associate Agreements (BAAs) with covered entities and flow the same obligations down to your subcontractors.

Expectations include documented safeguards, workforce training, timely breach notification to the covered entity, cooperation with investigations, and retention of required documentation. Strong vendor risk management, system monitoring, and access controls are essential to demonstrate due diligence.

Security Safeguards Implementation

Start with a Risk Assessment

The HIPAA Security Rule centers on a current and thorough Risk Assessment. Identify reasonably anticipated threats and vulnerabilities to ePHI, evaluate likelihood and impact, and prioritize mitigation. Update the analysis when your environment, systems, or vendors change, and at a regular cadence.

Administrative Safeguards

  • Security management process: risk management plan, sanction policy, and ongoing oversight.
  • Assigned security responsibility and defined roles to enforce least privilege and the minimum necessary standard.
  • Workforce security: onboarding and termination checklists, background checks as appropriate, and periodic access reviews.
  • Security awareness and training with phishing simulations, reminders, and role-based modules.
  • Contingency planning: data backup, disaster recovery, and emergency mode operations; test your plans.
  • Evaluation and vendor governance: due diligence, BAAs, and continuous monitoring of third parties.

Physical Safeguards

  • Facility access controls with visitor management and secure areas for servers and networking gear.
  • Workstation security, including screen locks, privacy filters, and secure telework guidelines.
  • Device and media controls: encryption, secure disposal, re-use procedures, and chain-of-custody records.

Technical Safeguards

  • Access controls: unique IDs, multi-factor authentication, role-based access, and session timeouts.
  • Audit controls: centralized logging, alerts, and regular review of access to ePHI.
  • Integrity protections: hashing, anti-malware, application allowlists, and change management.
  • Transmission security: TLS for data in transit, VPN for remote access, and secure APIs.
  • Encryption at rest for servers, databases, endpoints, and removable media (a powerful safeguard for breach risk reduction).

Tie these measures back to your Risk Assessment and document decisions, including rationale for addressable specifications. Continuous monitoring, vulnerability management, and timely patching keep your controls effective over time.
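The "regular review of access to ePHI" called for under audit controls is easiest to sustain when the review is scripted. The following is an added example, not code from the original article or from Accountable: it parses a few constructed access-log lines in a hypothetical `key=value` format and flags three patterns an ePHI access review commonly looks for (after-hours access, exports by a role not expected to export, and one user touching many distinct patient records in a day). The log format, the role names, the business-hours window and the bulk-access threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format):
# <ISO timestamp> user=<id> role=<role> patient=<mrn> action=<view|export>
SAMPLE_LOG = """\
2024-07-01T09:12:04 user=nurse17 role=clinical patient=MRN-1001 action=view
2024-07-01T09:15:40 user=nurse17 role=clinical patient=MRN-1002 action=view
2024-07-01T23:48:10 user=billing04 role=billing patient=MRN-2001 action=view
2024-07-02T10:01:00 user=billing04 role=billing patient=MRN-2002 action=export
2024-07-02T10:02:00 user=billing04 role=billing patient=MRN-2003 action=export
2024-07-02T10:03:00 user=billing04 role=billing patient=MRN-2004 action=view
2024-07-02T14:30:00 user=records02 role=records patient=MRN-3001 action=export
2024-07-02T14:31:00 malformed entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local; assumed for illustration
EXPORT_ROLES = {"records"}      # roles permitted to export; assumed
BULK_ACCESS_THRESHOLD = 3       # distinct patients per user per day; assumed


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped.
    In production, count and alert on malformed lines too, since a
    broken log pipeline undermines the audit control itself."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def review_access(events):
    """Return a list of (finding_type, user, detail) tuples for reviewer follow-up."""
    findings = []
    per_user_day = defaultdict(set)  # (user, date) -> distinct patients touched
    for ev in events:
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", ev["user"], ev["ts"].isoformat()))
        if ev["action"] == "export" and ev["role"] not in EXPORT_ROLES:
            findings.append(("unexpected_export", ev["user"], ev["patient"]))
        per_user_day[(ev["user"], ev["ts"].date())].add(ev["patient"])
    # Volume check runs after the pass so the day's full count is known
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) >= BULK_ACCESS_THRESHOLD:
            findings.append(("bulk_access", user, f"{day}:{len(patients)} patients"))
    return findings


def review_sample():
    """Run the review over the constructed sample log."""
    return review_access(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, user, detail in review_sample():
        print(f"{kind:18} {user:12} {detail}")
```

Each finding is a lead for a human reviewer, not a verdict; the point of keeping the thresholds as named constants is that the values you choose, and why, belong in the documentation the Risk Assessment already requires.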

Breach Notification Procedures

The HITECH Act’s Breach Notification Rule requires notification after a breach of unsecured PHI. A breach generally means an impermissible use or disclosure that compromises the privacy or security of the information, unless a documented risk assessment shows a low probability of compromise.

Risk Assessment for Potential Breaches

  • Nature and extent of PHI involved, including sensitivity and likelihood of re-identification.
  • The unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which risk has been mitigated (for example, prompt recipient assurances or verified deletion).

PHI that was encrypted or properly destroyed can count as "secured" PHI, which may remove the notification obligation. Keep thorough documentation of your analysis and decisions.

Who Must Be Notified and When

  • Individuals: without unreasonable delay and no later than 60 calendar days after discovery.
  • Department of Health and Human Services (HHS): for breaches affecting 500 or more individuals, within 60 days; for fewer than 500, within 60 days of the end of the calendar year.
  • Media: if a breach involves 500 or more residents of a state or jurisdiction.
  • Business associates: must notify the covered entity without unreasonable delay and provide all available information.
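Because the deadlines above branch on breach size and on the calendar year, it helps to compute them rather than reason them out under pressure. The following is an added example, not part of the original article and not Accountable's code: it takes a discovery date and a per-state count of affected individuals (both constructed) and returns the outside deadline for individual and HHS notice plus the states where media notice is triggered. It assumes the discovery date is already established, applies the 60-day windows exactly as listed above, and treats "within 60 days of the end of the calendar year" as 60 days after 31 December of the discovery year.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LARGE_BREACH_THRESHOLD = 500   # individuals; from the rules listed above
NOTIFICATION_WINDOW = timedelta(days=60)


@dataclass
class BreachRecord:
    discovered_on: date
    affected_by_state: dict  # state or jurisdiction -> affected residents (constructed)

    @property
    def total_affected(self):
        return sum(self.affected_by_state.values())


def notification_deadlines(breach):
    """Outside deadlines for each notice; 'without unreasonable delay'
    still applies, so these are ceilings, not targets."""
    individuals = breach.discovered_on + NOTIFICATION_WINDOW
    if breach.total_affected >= LARGE_BREACH_THRESHOLD:
        hhs = breach.discovered_on + NOTIFICATION_WINDOW
    else:
        # Smaller breaches: reported within 60 days of the end of the calendar year
        year_end = date(breach.discovered_on.year, 12, 31)
        hhs = year_end + NOTIFICATION_WINDOW
    media = sorted(
        state for state, n in breach.affected_by_state.items()
        if n >= LARGE_BREACH_THRESHOLD
    )
    return {"individuals": individuals, "hhs": hhs, "media": media}


# Constructed scenarios
SMALL_BREACH = BreachRecord(date(2024, 3, 10), {"TX": 300, "OK": 150})
LARGE_BREACH = BreachRecord(date(2024, 3, 10), {"TX": 600, "OK": 150})


if __name__ == "__main__":
    for name, b in (("small", SMALL_BREACH), ("large", LARGE_BREACH)):
        d = notification_deadlines(b)
        print(f"{name}: individuals by {d['individuals']}, HHS by {d['hhs']}, "
              f"media in {d['media'] or 'none'}")
```

Note that media notice is evaluated per state or jurisdiction, so a breach can exceed 500 individuals in total without triggering media notice anywhere, while HHS notice still falls on the 60-day track.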

What the Notice Must Include

  • A brief description of what happened and discovery date.
  • Types of PHI involved (for example, names, diagnoses, account numbers).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • Contact methods for questions: toll-free number, email, or postal address.

Use first-class mail unless individuals have agreed to electronic notice. Provide substitute notice if contact information is insufficient, and maintain detailed incident and notification logs.
Business Associate Agreements

Business Associate Agreements formalize how BAs protect ePHI and support compliance. Your BAA should define permitted uses and disclosures, require compliance with the HIPAA Security Rule, and impose breach and security incident reporting obligations with clear timeframes.

Core BAA Elements You Should Expect

  • Safeguards: Administrative, Physical, and Technical Safeguards aligned to your Risk Assessment.
  • Subcontractor flow-down: require downstream BAs to sign equivalent agreements.
  • Support for individual rights: cooperation with access, amendments, and accounting of disclosures when applicable.
  • HHS access: agreement to provide records relevant to compliance reviews.
  • Termination: return or destroy PHI upon contract end and allow termination for material breach.
  • Documentation and audit rights: evidence of controls, training, and incident handling.

Maintain a living inventory of all BA relationships, track contract expirations, and align service-level objectives (for example, incident reporting within a set number of days) with your internal procedures.

Training and Policy Requirements

Effective compliance depends on clear policies and ongoing education. Train all workforce members on privacy, security, and breach reporting at hire and regularly thereafter, with role-based refreshers for high-risk functions. Reinforce awareness through reminders and real-world scenarios.

Develop, approve, and publish policies that cover acceptable use, access management, device and media handling, encryption, remote work, incident response, change management, and vendor oversight. Keep version-controlled documentation and evidence of acknowledgment.

Test readiness with tabletop exercises and technical drills (for example, ransomware response and data restoration). Capture lessons learned, update your Risk Assessment, and revise procedures accordingly. Document everything—training rosters, sign-offs, incident logs, and corrective actions.

Penalties for Noncompliance

HITECH introduced tiered civil monetary penalties that scale with the level of culpability and whether violations are corrected. Enforcement actions may include corrective action plans, independent monitoring, and monetary settlements. State attorneys general can also bring actions under HIPAA/HITECH, and criminal penalties may apply for knowingly obtaining or misusing PHI.

OCR considers multiple factors—such as the nature and extent of the violation, number of individuals affected, duration, harm caused, and your financial condition—when determining outcomes. Strong documentation of your Risk Assessment, safeguards, training, and incident response can significantly mitigate exposure.

Conclusion

Compliance under the HITECH Act means building a living program: know your data and vendors, perform rigorous Risk Assessments, implement Administrative Safeguards and Technical Safeguards, prepare for breaches, and memorialize expectations in Business Associate Agreements. With disciplined training, policies, and monitoring, you protect ePHI, meet HIPAA Security Rule and Breach Notification Rule obligations, and reduce legal, financial, and operational risk.

FAQs

What entities are considered covered entities under the HITECH Act?

Covered entities include health plans, most health care providers that conduct standard electronic transactions (such as electronic claims or eligibility checks), and health care clearinghouses. These organizations must comply with HIPAA and the HITECH Act for safeguarding PHI and ePHI.

How does the HITECH Act affect business associates?

The HITECH Act makes business associates directly liable for compliance with the HIPAA Security Rule and certain Privacy Rule provisions. BAs must implement safeguards, execute and honor Business Associate Agreements, flow obligations to subcontractors, and provide timely breach notifications to covered entities.

What are the breach notification requirements under the HITECH Act?

After an impermissible use or disclosure of unsecured PHI, you must conduct a risk assessment. If a breach is confirmed, notify affected individuals without unreasonable delay and no later than 60 days, notify HHS as required by breach size, and notify the media if 500 or more residents of a state or jurisdiction are affected. Business associates must promptly inform the covered entity and share available incident details.

What penalties exist for noncompliance with the HITECH Act?

Penalties are tiered based on culpability and can include significant civil monetary penalties, corrective action plans, and monitoring. State attorneys general may also enforce HIPAA/HITECH, and serious misconduct can lead to criminal charges. Demonstrable due diligence—documented safeguards, training, and timely breach response—can reduce potential penalties.
