HITECH Act Privacy Rule Explained: Requirements, Breach Notifications, Compliance Guide

Kevin Henry

Data Privacy

July 16, 2024

7 minute read

Breach Notification Requirements

The HITECH Act’s breach notification rule requires covered entities to notify affected individuals after any breach of unsecured protected health information. Notice must be provided without unreasonable delay and no later than 60 calendar days from discovery. “Discovery” occurs on the first day the breach is known, or would have been known with reasonable diligence.

  • Individuals: Notify by first-class mail or email (if the individual has opted in). If there is imminent risk of harm, you may supplement with telephone or other urgent methods.
  • Substitute notice: If contact information is insufficient for 10 or more individuals, post a website notice for at least 90 days or use major print/broadcast in the relevant area, including a toll-free number.
  • Health and Human Services Secretary: For breaches affecting 500 or more individuals, notify the Health and Human Services Secretary without unreasonable delay and no later than 60 days. For fewer than 500, log the incident and submit to the Secretary within 60 days after the end of the calendar year.
  • Media: If 500 or more residents of a single state or jurisdiction are affected, notify prominent media outlets in that area within the same 60-day timeframe.

Include in each notice: what happened (including dates), the types of data involved, steps individuals should take, your mitigation strategies, and how you are addressing the incident. Maintain documentation of decisions and timelines for compliance audits.

Not every incident is a “breach.” Exceptions include good-faith, unintentional access by a workforce member within scope; inadvertent disclosure between authorized recipients; and disclosures where you reasonably believe the recipient could not retain the information. Data that are encrypted or properly destroyed are not unsecured protected health information.
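The thresholds and clocks in this section combine into a single decision procedure: which notices a breach triggers and the outer date for each, all running from the discovery date. The following calculator is an added example written for this article, not code from the author or from Accountable; the breach counts, dates and state names are constructed inputs, and the reading of "end of the calendar year" as the year in which the breach was discovered is an assumption.

```python
"""Breach-notification obligation calculator (added example, not from the article).

Encodes the individual, substitute, HHS Secretary, media and business-associate
clocks described above for one breach of unsecured PHI. The 60-day figures are
outer limits; "without unreasonable delay" means notice normally goes out sooner.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTIFY_WINDOW_DAYS = 60           # outer limit for individual, HHS (>=500) and media notices
LARGE_BREACH_THRESHOLD = 500      # HHS report within 60 days; per-state media notice threshold
SUBSTITUTE_NOTICE_THRESHOLD = 10  # insufficient contact info for this many people -> substitute notice
SUBSTITUTE_WEB_NOTICE_MIN_DAYS = 90  # website substitute notice must stay posted at least this long


@dataclass
class Breach:
    # Discovery: first day the breach is known, or would have been with reasonable diligence.
    discovery_date: date
    affected_by_state: Dict[str, int]        # state/jurisdiction -> residents affected
    insufficient_contact_count: int = 0      # individuals whose contact data is missing/out of date
    reported_by_business_associate: bool = False


@dataclass
class Obligations:
    individual_deadline: date
    hhs_deadline: date
    hhs_annual_log: bool                     # True: log now, submit after the calendar year ends
    media_states: List[str]
    media_deadline: Optional[date]
    substitute_notice: bool
    substitute_web_min_days: int
    business_associate_to_ce_deadline: Optional[date]


def total_affected(b: Breach) -> int:
    return sum(b.affected_by_state.values())


def notification_obligations(b: Breach) -> Obligations:
    outer = b.discovery_date + timedelta(days=NOTIFY_WINDOW_DAYS)
    total = total_affected(b)

    if total >= LARGE_BREACH_THRESHOLD:
        hhs_deadline, annual_log = outer, False
    else:
        # Assumption: "end of the calendar year" is the year in which the breach was discovered.
        year_end = date(b.discovery_date.year, 12, 31)
        hhs_deadline, annual_log = year_end + timedelta(days=NOTIFY_WINDOW_DAYS), True

    # Media notice is judged per state/jurisdiction, not on the national total.
    media_states = sorted(
        s for s, n in b.affected_by_state.items() if n >= LARGE_BREACH_THRESHOLD
    )
    substitute = b.insufficient_contact_count >= SUBSTITUTE_NOTICE_THRESHOLD

    return Obligations(
        individual_deadline=outer,
        hhs_deadline=hhs_deadline,
        hhs_annual_log=annual_log,
        media_states=media_states,
        media_deadline=outer if media_states else None,
        substitute_notice=substitute,
        substitute_web_min_days=SUBSTITUTE_WEB_NOTICE_MIN_DAYS if substitute else 0,
        business_associate_to_ce_deadline=outer if b.reported_by_business_associate else None,
    )


if __name__ == "__main__":
    # Constructed scenario: 660 people across two states, 12 with stale contact data.
    demo = Breach(date(2024, 3, 1), {"TX": 620, "OK": 40}, insufficient_contact_count=12)
    print(notification_obligations(demo))
```

Keep the computed dates beside the written four-factor risk assessment: the clock starts at discovery even while the assessment is still under way, so a late determination that notice is required does not extend the deadline.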

Risk Assessment Procedures

When an incident occurs, you must conduct a documented risk analysis to determine whether there is a low probability that PHI has been compromised. This four-factor assessment drives whether notification is required and supports defensible decisions.

  • Nature and extent of PHI: Sensitivity, identifiability, and volume of data exposed.
  • Unauthorized person: Who received or accessed the information and their obligations to protect confidentiality.
  • Whether the PHI was actually acquired or viewed: Evidence of exfiltration, misuse, or viewing.
  • Mitigation strategies: Steps taken to reduce risk, such as retrieving data, obtaining recipient attestations, remote wipe, or resetting credentials.

Act quickly: contain the incident, preserve logs, verify whether data were encrypted or otherwise rendered unreadable, and determine the scope. Your written analysis should explain conclusions, the rationale for notification or non-notification, and any remediation plans. Retain all records for at least six years for potential compliance audits.

Business Associate Obligations

Business associates are directly liable for safeguarding PHI and for impermissible uses or disclosures. They must notify the covered entity without unreasonable delay and no later than 60 days after discovery, providing the identities of affected individuals and sufficient detail to enable compliant notices.

  • Agreements: Execute and maintain business associate agreements that define permitted uses, breach reporting duties, subcontractor flow-down obligations, and the minimum necessary standard.
  • Security: Implement administrative, physical, and technical safeguards; perform periodic risk analysis; monitor access; and correct identified gaps.
  • Subcontractors: Ensure subcontractors that handle PHI agree in writing to the same protections and breach notification requirements.
  • Documentation: Keep incident records, investigation results, and communications to support investigations and demonstrate compliance.

Enforcement and Penalties

The Office for Civil Rights enforces the HITECH Act and HIPAA through investigations, resolution agreements, corrective action plans, and compliance audits. Penalties follow a tiered structure based on culpability, with amounts adjusted annually for inflation.

  • Tier 1—No knowledge and reasonable diligence: the lowest per-violation penalties and the lowest annual cap per violation category.
  • Tier 2—Reasonable cause: higher per-violation amounts and a higher annual cap.
  • Tier 3—Willful neglect corrected within the required period: substantial penalties with a significant annual cap.
  • Tier 4—Willful neglect not corrected: up to the maximum per-violation amount and an annual cap commonly up to $1,500,000 per violation category.

Serious cases may be referred for criminal prosecution under 42 U.S.C. § 1320d-6, with fines and potential imprisonment for offenses committed under false pretenses or for personal gain. Corrective actions, monitoring, and restitution are common outcomes even where civil monetary penalties are not imposed.

Media Notification Protocols

If a breach involves 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 days from discovery. This media notice supplements, and does not replace, individual notifications and the report to the Health and Human Services Secretary.

  • Content: Describe what happened, the types of PHI involved, steps individuals should take, your mitigation strategies, and your contact information. Do not include PHI in the media notice.
  • Coordination: Align timing and content across individual notices, media statements, call-center scripts, and your website posting to avoid inconsistencies.
  • Documentation: Keep copies of press materials, distribution lists, and publication dates to demonstrate compliance during audits.

Compliance Best Practices

Build a proactive program that reduces breach risk and positions you to meet the breach notification rule if needed. Start with a current risk analysis, prioritized remediation, and clear governance.

  • Technical safeguards: Encrypt data at rest and in transit, enforce multi-factor authentication, apply least privilege, and monitor for anomalous access.
  • Administrative safeguards: Train workforce members, run phishing and tabletop exercises, and keep an incident response plan with defined roles.
  • Vendor governance: Maintain up-to-date business associate agreements, assess subcontractors, and verify their breach reporting pathways.
  • Operational readiness: Create notification templates, maintain accurate contact data, and prearrange call-center and media relationships.
  • Continuous improvement: Track metrics, verify mitigation strategies are effective, and perform periodic compliance audits to validate controls.

Effective preparation—grounded in encryption, disciplined incident response, and vendor oversight—lets you protect patients, meet timelines, and demonstrate compliance when it matters most.

FAQs

What are the timelines for breach notifications under the HITECH Act?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Business associates must notify the covered entity within the same outer limit. For breaches affecting 500 or more individuals, notify the Health and Human Services Secretary within 60 days; for fewer than 500, report to the Secretary within 60 days after the end of the calendar year. Media notices are required within 60 days if 500 or more residents of a single state or jurisdiction are affected.

How does the HITECH Act enhance HIPAA privacy protections?

HITECH strengthened HIPAA by creating the federal breach notification rule, extending direct liability to business associates and their subcontractors, increasing enforcement and penalty tiers, and promoting adoption of security controls such as encryption that remove data from the “unsecured protected health information” category.

What are the penalties for non-compliance with the HITECH Act?

Penalties are tiered by culpability, from lower amounts for violations where the entity exercised reasonable diligence to maximum penalties for uncorrected willful neglect. Annual caps apply per violation category, with the highest cap commonly up to $1,500,000, and amounts adjust for inflation. OCR may also require corrective action plans and conduct compliance audits, and severe cases can face criminal prosecution.

When must media notifications be issued for a breach?

Issue media notifications when a breach affects 500 or more residents of a state or jurisdiction. The notice must be provided without unreasonable delay and no later than 60 days from discovery, and it should align with individual notices and the report to the Health and Human Services Secretary.
