HITECH Act Requirements Explained: What Covered Entities and Business Associates Need
Direct Applicability of HIPAA Rules to Business Associates
The HITECH Act makes business associates directly accountable for compliance with HIPAA. If you create, receive, maintain, or transmit Protected Health Information (PHI) for a covered entity, you must follow the HIPAA Security Rule and specific Privacy Rule provisions, not just the terms of your Business Associate Agreements.
Direct liability means the Department of Health and Human Services (HHS) can investigate and enforce violations against you, independent of the covered entity. You must limit uses and disclosures to what your agreement and HIPAA permit, safeguard electronic PHI, and provide timely breach notifications under the Breach Notification Rule.
What this means in practice
- Implement Security Rule requirements—administrative, physical, and technical safeguards—for all ePHI you handle.
- Use and disclose PHI only as permitted by HIPAA and your Business Associate Agreements, applying the minimum necessary standard.
- Report breaches to the covered entity and cooperate in individual and regulatory notifications.
- Maintain documentation and make records available to HHS upon request.
Expanded Definition of Business Associates
HITECH broadened who counts as a business associate. It’s not limited to billing or claims processors. Any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity—or on behalf of another business associate—is within scope.
Examples include cloud storage and backup providers, EHR and analytics vendors, patient engagement platforms, e-prescribing gateways, health information organizations, transcription and medical scribing services, and secure disposal/shredding companies. Even if a service cannot practically view PHI, “maintaining” PHI makes it a business associate.
Common examples
- Cloud service providers and data centers hosting PHI.
- Revenue cycle, coding, collections, and eligibility vendors.
- IT support, managed security, and integration/API providers handling PHI.
- Consultants, attorneys, and auditors who access PHI to perform services.
Breach Notification Requirements
The HITECH Act established the Breach Notification Rule for unsecured PHI. A breach is an impermissible acquisition, access, use, or disclosure that compromises the security or privacy of PHI unless you document a low probability of compromise based on a risk assessment. Strong encryption can render PHI “secured,” taking incidents outside the rule’s scope.
Timelines and recipients
- Individuals: notify without unreasonable delay and no later than 60 calendar days after discovery.
- Secretary of HHS: for breaches affecting 500 or more individuals, notify without unreasonable delay and no later than 60 days after discovery; for fewer than 500, log and submit no later than 60 days after the end of the calendar year.
- Media: if a breach affects more than 500 residents of a state or jurisdiction, notify prominent media without unreasonable delay and within 60 days.
- Business associates: notify the covered entity without unreasonable delay and no later than 60 days after discovery, providing information needed for individual notices.
What to include in notices
- A brief description of what happened and the date of discovery.
- The types of information involved (for example, names, diagnoses, account numbers).
- Steps individuals should take to protect themselves.
- Actions you are taking to investigate, mitigate harm, and prevent recurrence.
- How individuals can contact you (toll-free number, email, or mailing address).
Risk assessment and exceptions
- Document a four-factor assessment: the nature and extent of PHI, the unauthorized person, whether PHI was actually acquired or viewed, and mitigation.
- Limited exceptions may apply to certain unintentional or inadvertent disclosures or when the recipient could not reasonably retain the information.
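The timelines, thresholds and "secured PHI" exclusion above can be encoded as a small incident-response helper. This is an added example, not part of the article or any HHS tool; the Incident fields and notification_plan function are hypothetical names and the sample figures are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)   # "no later than 60 calendar days after discovery"
HHS_IMMEDIATE_THRESHOLD = 500        # 500 or more individuals -> notify HHS now
MEDIA_THRESHOLD = 500                # more than 500 residents of one state -> media


@dataclass
class Incident:
    """Hypothetical record of a suspected PHI breach (constructed for this example)."""
    discovered: date
    affected: int                              # total individuals whose PHI was involved
    residents_by_state: dict[str, int]         # affected residents per state/jurisdiction
    phi_secured: bool = False                  # PHI encrypted per HHS guidance -> outside the rule
    low_probability_documented: bool = False   # four-factor assessment found low probability
    reporting_as_business_associate: bool = False


def notification_plan(inc: Incident) -> dict[str, object]:
    """Return each recipient that must be notified and the outside deadline for it.

    An empty dict means the Breach Notification Rule does not apply: either the
    PHI was secured, or a documented risk assessment showed a low probability of
    compromise. Deadlines are the latest permitted date; "without unreasonable
    delay" may require acting sooner.
    """
    if inc.phi_secured or inc.low_probability_documented:
        return {}
    outside_date = inc.discovered + NOTIFY_WINDOW
    plan: dict[str, object] = {"individuals": outside_date}
    if inc.reporting_as_business_associate:
        # A BA must give the covered entity what it needs for individual notices.
        plan["covered_entity"] = outside_date
    if inc.affected >= HHS_IMMEDIATE_THRESHOLD:
        plan["hhs"] = outside_date
    else:
        # Smaller breaches are logged and submitted within 60 days of calendar year end.
        plan["hhs"] = date(inc.discovered.year, 12, 31) + NOTIFY_WINDOW
    media_states = sorted(s for s, n in inc.residents_by_state.items() if n > MEDIA_THRESHOLD)
    if media_states:
        plan["media"] = outside_date
        plan["media_states"] = media_states
    return plan
```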
Enhanced Enforcement and Penalties
HITECH strengthened enforcement by creating tiered Civil Monetary Penalties that scale with culpability, from lack of knowledge to willful neglect. Penalties are mandatory for uncorrected willful neglect and can be accompanied by corrective action plans and monitoring.
Both covered entities and business associates face investigations for systemic noncompliance, repeated violations, or significant breaches. State attorneys general may bring civil actions, and regulators weigh factors such as the number of individuals affected, duration of the violation, and the effectiveness of your compliance program.
Penalty drivers
- Nature and extent of the violation and resulting harm.
- Size, resources, and compliance history of your organization.
- Speed of detection, breach notification, and corrective action.
- Strength of security governance, training, and documented controls.
Subcontractor Compliance
HITECH extends obligations down the chain. If you delegate work involving PHI, your subcontractors must comply with HIPAA and are directly liable for violations. You must execute Business Associate Agreements with each subcontractor that touches PHI and flow down all applicable restrictions and safeguards.
Upstream entities remain responsible for oversight. You should verify subcontractor capabilities, monitor performance, and require timely breach reporting and cooperation during incident response.
Flow-down essentials
- Define permitted uses/disclosures and minimum necessary access to PHI.
- Require implementation of Administrative Safeguards and Technical Safeguards under the HIPAA Security Rule.
- Mandate prompt incident and breach reporting and support for investigations.
- Prohibit further delegation without written approval and equivalent agreements.
Implementing Security Safeguards
The HIPAA Security Rule organizes protections for electronic PHI into administrative, physical, and technical categories. HITECH’s emphasis on demonstrable safeguards means you should be able to show how controls reduce risk, not just list policies.
Administrative Safeguards
- Conduct organization-wide risk analysis and maintain a risk management plan.
- Establish role-based access, workforce security, and a sanction policy.
- Provide ongoing security awareness training, including how to recognize and report phishing.
- Develop contingency plans: backups, disaster recovery, and emergency mode operations.
- Manage vendors with rigorous due diligence and robust Business Associate Agreements.
Physical Safeguards
- Control facility access and escort visitors in sensitive areas.
- Secure workstations and portable devices; apply device and media disposal procedures.
- Track hardware inventory and protect environments housing systems with ePHI.
Technical Safeguards
- Enforce unique IDs, least privilege, and multi-factor authentication.
- Encrypt ePHI in transit and at rest with sound key management.
- Enable audit controls and centralized logging; monitor for anomalous activity.
- Maintain integrity controls, timely patching, and anti-malware defenses.
- Protect transmissions with secure protocols and segment networks handling ePHI.
Reporting and Documentation Obligations
HITECH and HIPAA are documentation-heavy. You must be able to prove what you did and when—during audits, investigations, and after incidents. Retain required documentation, including policies and procedures, for at least six years from the date of creation or last effective date.
What to maintain
- Policies and procedures for the HIPAA Security Rule and Breach Notification Rule.
- Risk analyses, risk treatment plans, and security testing results.
- Business Associate Agreements and an up-to-date vendor and subcontractor inventory.
- Training records, sanction decisions, and system activity review logs.
- Incident response files, breach risk assessments, and notification copies.
- Accounting of disclosures when required and records of access requests.
Operational reporting
- Escalate suspected incidents promptly and document investigation outcomes.
- File required reports to HHS and, if applicable, media within mandated timelines.
- Coordinate closely with covered entities and update affected individuals as facts develop.
- Review and update documentation after material changes and on a defined cadence.
Conclusion
The HITECH Act tightened the privacy and security framework for PHI by making business associates directly liable, expanding who qualifies as a business associate, creating robust breach notification duties, and strengthening enforcement. Subcontractor compliance, disciplined safeguards, and meticulous documentation are essential for both covered entities and business associates.
FAQs
What entities qualify as business associates under the HITECH Act?
Any entity that creates, receives, maintains, or transmits PHI for a covered entity—or for another business associate—is a business associate. Typical examples include cloud and data hosting providers, EHR and analytics vendors, revenue cycle companies, consultants and attorneys who access PHI, transcription services, and health information organizations. Mere conduits that only transport data without persistent storage generally are not business associates.
What are the breach notification timelines required by the HITECH Act?
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Notify HHS within 60 days of discovery if 500 or more individuals are affected; for fewer than 500, submit to HHS no later than 60 days after the end of the calendar year. If more than 500 residents of a state or jurisdiction are affected, notify prominent media within 60 days. Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery.
How does the HITECH Act enhance enforcement of HIPAA violations?
HITECH created tiered Civil Monetary Penalties that increase with culpability and made penalties mandatory for uncorrected willful neglect. It also empowered regulators to pursue business associates directly and enabled state attorneys general to bring civil actions. Enforcement commonly includes corrective action plans and, in serious cases, ongoing monitoring.
What responsibilities do subcontractors have under the HITECH Act?
Subcontractors that handle PHI are directly subject to HIPAA. They must sign Business Associate Agreements, implement the HIPAA Security Rule’s safeguards, limit uses and disclosures to the minimum necessary, report breaches upstream promptly, and flow down equivalent obligations to any further subcontractors. They must also maintain documentation and cooperate with investigations.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.