HITECH Act Definition for Covered Entities: Compliance Basics, Examples, and Risks
Definition of Covered Entities
Core definition
Under HIPAA, covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically for standard transactions. The HITECH Act builds on this foundation by strengthening protections for Electronic Protected Health Information and tightening accountability for all parties who create, receive, maintain, or transmit such data.
Examples of covered entities
- Hospitals, physician practices, community clinics, dental offices, pharmacies, and laboratories that bill electronically.
- Health plans such as commercial insurers, HMOs, employer-sponsored group health plans, and government programs.
- Health care clearinghouses that transform or route nonstandard data into standard formats.
What covered entities handle
Covered entities handle PHI in paper, verbal, and electronic forms. Because ePHI moves quickly across networks and systems, safeguards for Electronic Protected Health Information are central to HITECH-driven compliance.
Expansion of Covered Entities to Business Associates
Direct liability for business associates
The HITECH Act extends direct HIPAA liability to business associates for Security Rule provisions and certain Privacy Rule obligations. That liability also flows down to subcontractors that create, receive, maintain, or transmit ePHI on behalf of a business associate.
Common business associate examples
- EHR and practice management vendors, cloud and data center providers, and IT managed service providers.
- Billing services, claims processors, transcription services, and document destruction firms.
- Consultants, accountants, and law firms that access PHI to provide services.
Business Associate Agreements (BAAs)
You must execute BAAs that define permitted uses and disclosures, require appropriate safeguards, mandate prompt breach reporting, and impose the same protections on downstream subcontractors. Keep a complete inventory of BAAs and review them whenever services or data flows change.
Compliance Requirements for Covered Entities
Administrative Safeguards
Implement governance structures, designate security and privacy leads, perform an enterprise-wide Risk Analysis, and develop policies for data handling, sanctions, contingency planning, and vendor oversight. Maintain documentation and review policies at least annually or upon major changes.
Physical Safeguards
Control facility and device access, secure workstations and portable media, and manage hardware lifecycle from acquisition through disposal. Use locked areas, visitor logs, and secure destruction methods for devices that stored ePHI.
Technical Safeguards
Use unique user IDs, role-based access, multi-factor authentication where feasible, and automatic logoff. Encrypt ePHI in transit and at rest, maintain audit logs, and monitor for anomalous activity. Segment networks and apply least-privilege principles consistently.
Privacy Rule essentials
Apply the minimum necessary standard, honor individual rights (access, amendments, and accounting of disclosures), and obtain valid authorizations when required. Limit uses and disclosures to treatment, payment, and health care operations unless another lawful basis applies.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Breach Notification Procedures
Determining whether a breach occurred
Follow the Breach Notification Rule by conducting a documented four-factor risk assessment: the nature and extent of PHI involved, the unauthorized person who used or received the PHI, whether the PHI was actually acquired or viewed, and the extent of mitigation. If there is more than a low probability of compromise, notification is required.
Timelines and recipients
- Individuals: Notify without unreasonable delay and no later than 60 calendar days after discovery.
- HHS: For incidents affecting 500 or more individuals, notify within 60 days of discovery; for fewer than 500, record the incident in a breach log and submit it to HHS within 60 days after the end of the calendar year in which the breach was discovered.
- Media: If 500 or more residents of a state or jurisdiction are affected, provide notice to prominent media outlets in that area.
Content and method of notice
Communications must describe what happened, the types of information involved, steps individuals should take, what you are doing to investigate and mitigate, and how to contact you. Use first-class mail or agreed electronic notice, with substitute notice if contact information is insufficient.
Business associate responsibilities
Business associates must notify the covered entity without unreasonable delay (no later than 60 days), identify affected individuals if known, and provide information needed for patient notices. Law enforcement requests may temporarily delay notifications when properly documented.
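As an added example that is not part of the original article, the following Python function turns the timelines and thresholds above into a dated notification plan. The outcome of the documented four-factor risk assessment is passed in as a single boolean, and the 500-individual thresholds and 60-day limits come from the text; the per-state count dictionary and the names of the fields are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

LARGE_BREACH_THRESHOLD = 500   # individuals: HHS notice within 60 days instead of annual log
MEDIA_THRESHOLD_PER_STATE = 500  # residents of one state or jurisdiction: media notice
MAX_DELAY_DAYS = 60             # outer limit; "without unreasonable delay" still applies


@dataclass
class NotificationPlan:
    individuals_by: date            # affected individuals (first-class mail or agreed electronic)
    hhs_by: date                    # HHS deadline
    hhs_timing: str                 # "with individual notice" or "annual log"
    media_states: List[str]         # states/jurisdictions needing prominent media notice
    covered_entity_by: Optional[date]  # set only when a business associate is reporting


def notification_plan(discovery: date, affected_by_state: Dict[str, int],
                      low_probability_of_compromise: bool,
                      reporting_party: str = "covered_entity") -> Optional[NotificationPlan]:
    """Return deadlines from the discovery date, or None when the documented
    four-factor risk assessment concluded a low probability of compromise."""
    if low_probability_of_compromise:
        return None
    total = sum(affected_by_state.values())
    outer_limit = discovery + timedelta(days=MAX_DELAY_DAYS)
    if total >= LARGE_BREACH_THRESHOLD:
        hhs_by, hhs_timing = outer_limit, "with individual notice"
    else:
        # Log the incident; submit within 60 days after the calendar year of discovery ends
        hhs_by = date(discovery.year, 12, 31) + timedelta(days=MAX_DELAY_DAYS)
        hhs_timing = "annual log"
    # Media notice is per state: 500 total spread thinly across states triggers none
    media = sorted(s for s, n in affected_by_state.items() if n >= MEDIA_THRESHOLD_PER_STATE)
    # A business associate must notify the covered entity, itself within 60 days of discovery
    ce_by = outer_limit if reporting_party == "business_associate" else None
    return NotificationPlan(outer_limit, hhs_by, hhs_timing, media, ce_by)


if __name__ == "__main__":
    # Constructed sample: 550 individuals discovered 2024-11-15, split across two states
    print(notification_plan(date(2024, 11, 15), {"NY": 300, "NJ": 250}, False))
```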
Penalties for Non-Compliance
Civil Monetary Penalties and enforcement
HHS’s Office for Civil Rights enforces HIPAA and the HITECH Act using tiered Civil Monetary Penalties based on culpability—from reasonable cause to willful neglect. Penalty amounts and annual caps are adjusted for inflation, and may be assessed per violation, per day, or per individual record.
Aggravating and mitigating factors
OCR considers the number of individuals affected, duration and scope of noncompliance, prior history, and corrective actions. Outcomes may include corrective action plans, monitoring, and settlement payments in addition to monetary penalties.
State and criminal exposure
State attorneys general may bring civil actions under HITECH. Separate criminal penalties can apply for knowingly obtaining or disclosing PHI without authorization, especially for personal gain or malicious harm.
Risk Assessment and Workforce Training
Risk Analysis vs. risk management
Perform a comprehensive Risk Analysis to identify threats and vulnerabilities to ePHI across people, processes, and technology. Use the results to drive risk management—prioritize controls, assign owners, set timelines, and track remediation to closure.
Training and culture
Provide role-based workforce training on privacy, security awareness, phishing, incident reporting, and secure handling of ePHI. Reinforce with regular refreshers, document attendance, and apply sanctions consistently for violations.
Practical compliance checklist
- Maintain an up-to-date asset and data flow inventory for ePHI.
- Encrypt data at rest and in transit; enable audit logging and centralized monitoring.
- Implement access controls, MFA, and timely termination of access.
- Test backups and disaster recovery; document contingency plans.
- Review BAAs, vet vendors, and manage subcontractor security.
- Run tabletop exercises for incident response and breach notification.
- Schedule periodic Risk Analysis updates and policy reviews.
Conclusion
To meet the HITECH Act’s intent, you must know whether you are a covered entity or business associate, build safeguards around ePHI, and be ready to execute the Breach Notification Rule. A living Risk Analysis, disciplined vendor management, and targeted training reduce exposure to Civil Monetary Penalties and strengthen patient trust.
FAQs
What entities are considered covered under the HITECH Act?
Covered entities are the HIPAA-regulated health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. The HITECH Act does not change that definition; it heightens duties around Electronic Protected Health Information and expands accountability to business associates and their subcontractors.
How does the HITECH Act affect business associates?
Business associates are directly liable for Security Rule compliance and certain Privacy Rule provisions. They must implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards, sign and honor BAAs, conduct Risk Analysis, and notify covered entities of breaches without unreasonable delay.
What are the mandatory breach notification requirements?
If your risk assessment shows more than a low probability that ePHI was compromised, you must notify affected individuals without unreasonable delay and no later than 60 days after discovery. You must also notify HHS (immediately for 500+ individuals; annually for fewer) and, for large incidents, the media. Notices must include required details and be delivered via approved methods.
What penalties apply for non-compliance with the HITECH Act?
HHS OCR may impose tiered Civil Monetary Penalties based on the nature and extent of noncompliance and harm. Remedies can include corrective action plans, monitoring, and settlements. State attorneys general can pursue civil actions, and separate criminal penalties may apply for intentional misuse of PHI.