HITECH Act Explained: Breach Notification, Enforcement, and Business Associate Obligations
Breach Notification Requirements
Who must comply
The Breach Notification Rule applies to Covered Entities—healthcare providers, health plans, and clearinghouses—and their Business Associates that create, receive, maintain, or transmit protected health information (PHI). Subcontractors of Business Associates are also in scope when they handle PHI on behalf of a Business Associate.
What counts as a breach
A breach is an impermissible acquisition, access, use, or disclosure of Unsecured Protected Health Information under the Privacy Rule that compromises the security or privacy of the PHI. “Unsecured” means the PHI has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction that meets HHS guidance. Three situations are excluded: unintentional acquisition, access, or use by a workforce member acting in good faith and within the scope of their authority, provided the PHI is not further used or disclosed impermissibly; inadvertent disclosure by a person authorized to access PHI to another authorized person within the same organization, again provided the PHI is not further used or disclosed impermissibly; and disclosures where the organization has a good-faith belief that the unauthorized recipient could not reasonably have retained the information.
Risk assessment standard
Unless an exclusion applies, an impermissible use or disclosure is presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised. That demonstration is a documented risk assessment considering at least four factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. If the assessment does not support a low probability of compromise, notification is required. You may also skip the assessment and simply notify.
Timelines and discovery
Covered Entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known to the organization, or would have been known by exercising reasonable diligence; knowledge held by any workforce member or agent (other than the person who committed the breach) is imputed to the organization. Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovery, identifying each affected individual to the extent possible and providing the other information the Covered Entity needs to notify individuals and authorities. Two practical caveats: 60 days is an outer limit, not a safe harbor, and waiting until day 60 without reason can itself be an unreasonable delay; and where the Business Associate acts as the Covered Entity’s agent, the Business Associate’s discovery date is the Covered Entity’s discovery date, which is why many Business Associate Agreements set a much shorter internal reporting window.
Who to notify and how
- Individuals: Notify by first-class mail, or by email if the individual has agreed to electronic notice. Where there is possible imminent misuse of the PHI, you may additionally notify by telephone or other urgent means, but the written notice is still required.
- Substitute notice: If contact information is insufficient or out of date for fewer than 10 individuals, provide substitute notice by an alternative form of written notice, by telephone, or by other means. If 10 or more individuals cannot be reached, either post a conspicuous notice on your website home page for 90 days or use major print or broadcast media where the affected individuals likely reside, and in either case provide a toll-free number, active for at least 90 days, through which individuals can learn whether their PHI was involved.
- Media: If a breach affects 500 or more residents of a state or jurisdiction, notify prominent media outlets serving that area without unreasonable delay and within 60 days.
- HHS: For breaches affecting 500 or more individuals, notify the Department of Health and Human Services contemporaneously with individual notice, that is, without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting fewer than 500 individuals, keep a log and submit each breach to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.
Content of the notice
Notices must include a brief description of what happened (including dates of breach and discovery), the types of information involved, steps individuals should take to protect themselves, what your organization is doing to investigate and mitigate the breach and prevent recurrence, and how individuals can contact you for more information.
Enforcement of Breach Notification
HHS’s Office for Civil Rights (OCR) enforces the Breach Notification Rule through complaints, breach reports, compliance reviews, and audits. OCR may open investigations, require corrective actions, and publish HHS Enforcement Actions that detail resolution agreements and penalties.
Civil and criminal liability
Civil monetary penalties are tiered based on culpability—from lack of knowledge to willful neglect—with per-violation penalties and annual caps per violation category (adjusted for inflation). Willful neglect that is not corrected carries the highest penalties. The Department of Justice may pursue criminal cases for knowingly obtaining or disclosing PHI in violation of HIPAA.
State enforcement
State Attorneys General may bring civil actions on behalf of residents for violations, seek damages, and obtain injunctions. This HITECH authority adds a layer of accountability beyond federal oversight.
Resolution pathways
Many matters conclude with corrective action plans, monitoring, and, where appropriate, monetary settlements. Demonstrating timely breach response, solid Security Rule controls, and comprehensive remediation can positively influence enforcement outcomes.
Business Associate Compliance Obligations
Direct liability
Business Associates are directly liable for complying with the Security Rule and with certain Privacy Rule provisions, including breach notification to Covered Entities and limiting uses/disclosures to the minimum necessary. Subcontractors that handle PHI are held to the same standards.
Business Associate Agreements
- Define permitted and required uses/disclosures of PHI.
- Require administrative, physical, and technical safeguards consistent with the Security Rule.
- Mandate prompt breach reporting to the Covered Entity with all known details.
- Flow down obligations to subcontractors.
- Provide for PHI return or destruction at termination, if feasible.
- Allow HHS access to records relevant to compliance and establish termination rights for material breaches.
Operational expectations
Conduct risk analyses, train workforce members, manage vendors, monitor access, and document decisions—especially around encryption and other “addressable” controls. Maintain breach logs and cooperate with investigations initiated by the Covered Entity or HHS.
Documentation and Retention Standards
Maintain HIPAA-required policies, procedures, and related documentation for at least six years from the date of creation or last effective date, whichever is later. This recordkeeping underpins defensible compliance and speeds breach response.
What to retain
- Policies and procedures for the Privacy Rule, Security Rule, and Breach Notification Rule.
- Risk analyses, risk management plans, audit reports, and mitigation records.
- Business Associate Agreements and subcontractor assurances.
- Training materials, attendance logs, and sanctions documentation.
- Notices of Privacy Practices and versions issued to patients.
- Accounting of disclosures, access logs, and incident/breach logs.
- Copies of individual, media, and HHS breach notices and supporting risk assessments.
Recordkeeping for breaches
Document discovery dates, assessment findings, decision rationales, notification timelines, content of notices, and corrective actions. Preserve evidence to demonstrate diligence during any HHS Enforcement Actions or audits.
Implementation of Security Safeguards
Administrative safeguards
- Perform an enterprise-wide risk analysis and implement a documented risk management program.
- Train the workforce, apply sanctions for violations, and manage vendors with security due diligence.
- Develop contingency and incident response plans, including ransomware playbooks.
Physical safeguards
- Control facility access, secure workstations, and protect servers and network closets.
- Track devices and media, and dispose of PHI securely through destruction or approved sanitization methods.
Technical safeguards
- Use unique user IDs, role-based access, and multifactor authentication for remote and privileged access.
- Encrypt PHI in transit and at rest where feasible; document any addressable decisions.
- Enable audit logging and regular review, integrity controls, automatic logoff, and patch/vulnerability management.
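“Enable audit logging and regular review” is only a safeguard if someone actually reviews the logs with questions in mind. The following is an added example, not code from the page or from Accountable, of the kind of periodic review a Security Officer can run over an EHR access audit log. The pipe-delimited log format, the treatment-relationship table, the role/action matrix, the burst threshold and the sample log lines are all constructed assumptions for this example; a real deployment would read them from the EHR and the identity system. It flags three things the Privacy and Security Rules care about: an action a role is not permitted to take (minimum necessary), access to a patient the user has no treatment relationship with, and a burst of distinct patient records by one user in a short window.

```python
"""Review an EHR access audit log for PHI access that needs follow-up.

Added example for the "audit logging and regular review" safeguard; not code
from the page or from Accountable. The log format, the treatment-relationship
table, the role/action matrix and the burst threshold are all assumptions
chosen for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not from any real system). Assumed format:
# timestamp | user id | role | patient identifier (MRN) | action
SAMPLE_LOG = """\
2024-03-04T08:01:12Z|nurse.lee|nurse|MRN1001|view
2024-03-04T08:02:40Z|nurse.lee|nurse|MRN1002|view
2024-03-04T08:15:03Z|dr.patel|physician|MRN1001|view
2024-03-04T09:10:00Z|billing.kim|billing|MRN1003|view
2024-03-04T09:11:00Z|billing.kim|billing|MRN1004|view
2024-03-04T09:12:00Z|billing.kim|billing|MRN1005|view
2024-03-04T09:13:00Z|billing.kim|billing|MRN1006|view
2024-03-04T09:14:00Z|billing.kim|billing|MRN1007|view
2024-03-04T09:15:00Z|billing.kim|billing|MRN1008|view
2024-03-04T09:16:00Z|billing.kim|billing|MRN1003|export
2024-03-04T10:30:00Z|nurse.lee|nurse|MRN2001|view
2024-03-04T22:45:00Z|dr.patel|physician|MRN1009|export
"""

# Assumed treatment-relationship table: patients each clinical user is assigned
# to. Users absent from this table (e.g. billing) are not checked per patient.
ASSIGNMENTS = {
    "nurse.lee": {"MRN1001", "MRN1002"},
    "dr.patel": {"MRN1001", "MRN1009"},
}

# Assumed role/action matrix (minimum necessary): what each role may do.
ROLE_ACTIONS = {
    "nurse": {"view"},
    "physician": {"view", "export"},
    "billing": {"view"},
}


def parse_log(text):
    """Parse pipe-delimited audit lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, mrn, action = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "mrn": mrn, "action": action,
        })
    return events


def review(events, burst_threshold=5, burst_window=timedelta(minutes=10)):
    """Return (finding_type, user, detail, when) tuples for events to investigate.

    Three checks: an action the role is not permitted to perform, access to a
    patient outside the user's treatment relationships, and a burst of more than
    burst_threshold distinct patient records by one user inside burst_window.
    """
    findings = []
    by_user = defaultdict(list)
    for e in events:
        if e["action"] not in ROLE_ACTIONS.get(e["role"], set()):
            findings.append(("action_not_permitted", e["user"],
                             f'{e["action"]} {e["mrn"]}', e["ts"].isoformat()))
        assigned = ASSIGNMENTS.get(e["user"])
        if assigned is not None and e["mrn"] not in assigned:
            findings.append(("no_treatment_relationship", e["user"],
                             e["mrn"], e["ts"].isoformat()))
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            in_window = {x["mrn"] for x in evs[i:]
                         if x["ts"] - first["ts"] <= burst_window}
            if len(in_window) > burst_threshold:
                findings.append(("bulk_access", user,
                                 f"{len(in_window)} distinct patients within {burst_window}",
                                 first["ts"].isoformat()))
                break  # one finding per user is enough to open a review
    return findings


def review_sample():
    """Run the review over the constructed sample log."""
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in review_sample():
        print(*finding)
```

On the sample log this produces three findings: the billing user exporting a record (an action outside that role), a nurse viewing a patient not on their assignment list, and the same billing user opening six distinct records in a few minutes. Each is a question for a human, not a verdict; a billing clerk working a claims queue may legitimately touch many records, so thresholds are tuned per role. What the Security Rule expects is that the review happens on a schedule, that each finding is resolved and documented, and that a finding which turns out to be an impermissible access feeds directly into the breach risk assessment above.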
Security Rule alignment
Differentiate “required” from “addressable” implementation specifications, but treat addressable controls seriously: implement them when reasonable and appropriate, and where you do not, document why and what equivalent measure you use instead. Encryption is itself an addressable specification, but it is also the main route to “secured” PHI: data encrypted in a manner consistent with HHS guidance is outside the breach notification requirement if it is lost or stolen. Two caveats apply. The safe harbor is lost if the decryption key was also compromised (a laptop with the key cached beside the data, or a database whose keys sit in the same breached environment), and it does not cover PHI that was accessed in decrypted form, for example through a compromised user account. Full-disk encryption protects a powered-off device, not a running one.
Cooperation with HHS Investigations
Investigation readiness
Designate Privacy and Security Officers, maintain an up-to-date compliance program, and keep evidence organized. Clear roles and documented procedures reduce response time and errors during inquiries.
Responding to requests
Respond timely to data requests, produce relevant documents, and facilitate interviews or site visits. Failure to cooperate can escalate scrutiny and penalties; transparent engagement often narrows the scope and duration of investigations.
Corrective action and mitigation
When gaps are identified, implement corrective action plans, monitor effectiveness, and document closure. Offer mitigation to affected individuals when appropriate, such as credit monitoring or identity theft protection, and record these efforts.
Privacy Rule Compliance
Core principles
Use and disclose PHI for treatment, payment, and healthcare operations, apply the minimum necessary standard where required, and obtain valid authorizations for other purposes. De-identify data according to HIPAA methods when feasible to reduce privacy risk.
Individual rights
Honor rights to access and obtain copies, request amendments and restrictions, receive confidential communications, and obtain an accounting of disclosures. Access requests must be acted on within 30 days, with one 30-day extension if you explain the delay in writing. Processes should be timely, consistent, and well-documented.
Notices and transparency
Issue a clear Notice of Privacy Practices that explains uses, disclosures, rights, and contacts. Update and redistribute the notice when material changes occur, and ensure it’s readily available across your patient touchpoints.
Marketing, sale, and fundraising
Obtain authorizations for most marketing communications and for sales of PHI, and provide easy opt-outs for fundraising. Align vendor activities with your Privacy Rule commitments via contracts and oversight.
Interplay with breach notification
Privacy Rule violations can trigger Breach Notification Rule obligations, since an impermissible use or disclosure under the Privacy Rule is the starting point of the breach definition. Strong Privacy Rule compliance reduces the number of impermissible disclosures, and robust Security Rule safeguards, encryption in particular, can keep many incidents confined to secured PHI, which is outside the notification requirement.
Conclusion
The HITECH Act strengthened the Breach Notification Rule, expanded enforcement, and imposed direct responsibilities on Business Associates. By aligning Privacy Rule practices with Security Rule safeguards, documenting consistently, and responding decisively to incidents, you can meet obligations and reduce the likelihood and impact of HHS Enforcement Actions.
FAQs
What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH) Act is a U.S. law that promotes health IT adoption and enhances HIPAA by adding breach notification duties, expanding enforcement, and making Business Associates directly accountable for safeguarding PHI.
How does the HITECH Act affect breach notifications?
HITECH established the Breach Notification Rule, requiring Covered Entities to notify affected individuals, HHS, and in some cases the media, when Unsecured Protected Health Information is compromised. Notices must be issued without unreasonable delay and within 60 days of discovery.
What are the obligations of business associates under the HITECH Act?
Business Associates must comply directly with the Security Rule, follow certain Privacy Rule requirements, notify the Covered Entity of breaches, flow down protections to subcontractors, and maintain Business Associate Agreements that define safeguards and reporting duties.
What penalties apply for non-compliance with the HITECH Act?
OCR can impose tiered civil monetary penalties per violation with annual caps, increasing for willful neglect and failures to correct. Serious cases may involve corrective action plans, public HHS Enforcement Actions, and potential criminal liability for intentional misconduct.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.