HITECH and HIPAA: Breach Penalties, Reporting Timelines, and Enforcement Trends


Kevin Henry

HIPAA

July 28, 2024


If you handle protected health information, HITECH and HIPAA work together to set the rules for preventing, detecting, and reporting breaches. The Breach Notification Rule created by HITECH established strict duties for Covered Entities and their Business Associates, while the Office for Civil Rights (OCR) enforces HIPAA Compliance with Civil Monetary Penalties and Corrective Action Plans when organizations fall short.

This guide explains what the HITECH Act changed, how breach notifications must be handled, what penalties look like, where enforcement is heading, and exactly when and how to notify individuals, regulators, and the media.

HITECH Act Overview

What HITECH added to HIPAA

  • Created the federal Breach Notification Rule (45 CFR 164.400-414), requiring notification after breaches of Unsecured Protected Health Information (PHI).
  • Made Business Associates and their subcontractors directly liable for violations of the Security Rule and of the Privacy Rule provisions that apply to them, rather than liable only through contract.
  • Strengthened enforcement tools for the Office for Civil Rights, including the tiered Civil Monetary Penalty structure and greater use of resolution agreements and Corrective Action Plans.
  • Through a 2021 amendment to HITECH (Public Law 116-321), required HHS to consider whether an entity had recognized security practices (for example, the NIST Cybersecurity Framework or the 405(d) industry practices) in place for the previous 12 months when assessing penalties, audit results, and corrective actions.

Key terms you will see

  • Covered Entities: health plans, health care clearinghouses, and most health care providers that transmit health information electronically.
  • Business Associate: a person or entity that performs functions or services for a Covered Entity that involve PHI (and their subcontractors).
  • Unsecured Protected Health Information: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, PHI not properly encrypted or destroyed).

Breach Notification Requirements

What counts as a breach

A breach is an impermissible acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. Any impermissible use or disclosure is presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised. That demonstration is a documented risk assessment that considers at least:

  • The nature and extent of PHI involved (types and sensitivity).
  • The unauthorized person who used or received the PHI.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (for example, prompt retrieval, reliable destruction, or confirmed non-use).

Three exceptions mean an incident is not a breach: unintentional acquisition, access, or use by a workforce member (or person acting under the entity's authority) in good faith and within the scope of authority, provided the PHI is not further used or disclosed impermissibly; inadvertent disclosure by an authorized person to another authorized person within the same Covered Entity, Business Associate, or organized health care arrangement, again with no further impermissible use; and disclosures where the entity has a good-faith belief that the unauthorized recipient could not reasonably have retained the information.

Notification to individuals

  • Timing: Without unreasonable delay and no later than 60 calendar days after discovery of the breach.
  • Method: First-class mail to the individual’s last known address, or email if the individual has agreed to electronic notice.
  • Content: A plain-language description of what happened (including dates of breach and discovery), the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate, mitigate, and prevent future incidents, and how to contact you for more information.

Substitute notice and special cases

  • If contact information is insufficient for fewer than 10 people, use an alternative form of written notice, telephone, or other means.
  • If contact information is insufficient for 10 or more people, provide substitute notice via a conspicuous website posting or major print/broadcast media in the affected area for at least 90 days, and include a toll-free number active for the same period.
  • Law enforcement delay: If a law enforcement official determines that notification would impede a criminal investigation or threaten national security, delay notification as requested. Oral requests permit a 30-day delay (unless extended in writing); written requests specify the allowed delay period.

Secured PHI safe harbor

If PHI is secured (for example, encrypted consistent with HHS guidance, or destroyed so it cannot be reconstructed), the incident does not involve Unsecured Protected Health Information and breach notification is not required. The encryption safe harbor only holds if the decryption key or process was not also compromised, which is why HHS guidance expects keys to be stored separately from the data they protect; a stolen laptop with full-disk encryption whose passphrase was taped to the lid does not qualify. You should still investigate, mitigate, and document the incident and the basis for concluding the PHI was secured.

Penalties for Noncompliance

Civil Monetary Penalties and settlements

OCR enforces HIPAA through investigations that can lead to Civil Monetary Penalties or settlements with Corrective Action Plans. Penalties are tiered by culpability, with per-violation amounts and annual caps adjusted for inflation: (1) the entity did not know and, exercising reasonable diligence, could not have known of the violation; (2) the violation was due to reasonable cause and not willful neglect; (3) willful neglect that was corrected within 30 days of discovery; and (4) willful neglect that was not corrected.

How OCR calculates penalties

  • Nature and extent of the violation and resulting harm (including number of individuals and duration).
  • Organization size, financial condition, and prior compliance history.
  • Timeliness of breach detection, reporting, and mitigation efforts.
  • Implementation of recognized security practices and adherence to risk analysis and risk management requirements.

Corrective Action Plans

Most settlements include multi-year Corrective Action Plans requiring an enterprise-wide risk analysis, risk management plan, updates to policies and procedures, workforce training, Business Associate oversight, reporting to OCR, and independent monitoring. Failure to meet a CAP can trigger additional penalties.

Criminal exposure

In egregious cases (for example, knowingly obtaining or disclosing PHI without authorization), the Department of Justice may pursue criminal penalties separate from OCR’s civil enforcement.

Top issues driving cases

  • Right of Access: OCR continues to prioritize timely patient access to records, issuing numerous settlements for delays or denials.
  • Risk analysis and risk management: Repeated findings cite missing or incomplete enterprise-wide risk analyses and failure to remediate known risks.
  • Business Associate management: Absent or outdated Business Associate Agreements and weak subcontractor oversight are frequent root causes.
  • Hacking and ransomware: Breaches involving compromised credentials, unpatched systems, and lack of multifactor authentication remain prevalent.

Recognized security practices matter

Under the 2021 HITECH amendment (Public Law 116-321), OCR must consider whether you had recognized security practices in place for at least the previous 12 months when determining the outcome of an investigation, audit, or penalty calculation. The burden is on you to demonstrate this, so being able to show documented, operational security controls (not just a policy binder) can lessen the likelihood or severity of Civil Monetary Penalties and the scope of any Corrective Action Plan. It is a mitigating factor, not a safe harbor.


Common pitfalls to avoid

  • Delaying breach investigations or notifications beyond the 60-day maximum, or treating day 60 as the target. OCR reads 60 days as an outer limit; waiting until the last day without a documented reason can itself be an unreasonable delay.
  • Underestimating incidents by skipping the required four-factor risk assessment.
  • Failing to encrypt portable devices or remote endpoints that store PHI.
  • Not training workforce members or documenting training and sanctions.

Reporting Timelines

When the 60-day clock starts

A breach is “discovered” on the first day it is known to the Covered Entity (or to a Business Associate, for BA-to-CE notice), or on the first day it would have been known by exercising reasonable diligence. Knowledge held by any workforce member or agent is attributed to the entity, so the clock does not wait for the privacy officer to be told. Calendar days count; weekends and holidays do not pause the clock.

Who you must notify and when

  • Individuals: Without unreasonable delay and no later than 60 calendar days after discovery.
  • HHS (OCR):
    • 500 or more individuals affected: Notify without unreasonable delay and in no case later than 60 calendar days after discovery.
    • Fewer than 500 individuals affected: Maintain a log and submit it to HHS no later than 60 days after the end of the calendar year in which the breach was discovered (not the year in which it occurred).
  • Media: If the breach involves 500 or more residents of a single state or jurisdiction, notify prominent media outlets without unreasonable delay and within 60 calendar days.
  • Business Associates: Must notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovery, including the information needed for individual and agency notifications.

State breach laws may impose shorter deadlines or additional content requirements; when both apply, you should follow the stricter timeline while ensuring HIPAA’s elements are met.
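The timelines above combine several clocks (60 days from discovery; the 500-person HHS threshold; a per-state media threshold; an annual log keyed to the year of discovery; and a bounded law-enforcement hold), which is exactly the kind of logic that gets hard-coded wrongly in incident-response playbooks. The following Python is an added example, not code from the original article or from any product; the function and parameter names, the data shapes, and the sample figures are assumptions of this example. It goes slightly beyond the text by handling the multi-state edge case (a breach can reach HHS's 500-person threshold without any single state reaching the media threshold) and by modelling the law-enforcement delay, with the simplifying assumption that notice becomes due when the hold lifts if the hold outlasts the 60-day window.

```python
"""Breach-notification deadline planner for the HIPAA Breach Notification Rule.

Added example: not part of the original article and not any vendor's product code.
Encodes the timelines in 45 CFR 164.404-164.412 as described in the article;
function and parameter names are this example's own choices.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

NOTICE_WINDOW_DAYS = 60        # outer limit for individual, HHS (500+) and media notice
HHS_IMMEDIATE_THRESHOLD = 500  # 500 or more individuals in total -> notify HHS within 60 days
MEDIA_THRESHOLD = 500          # 500 or more residents of ONE state/jurisdiction -> media notice
ORAL_LE_HOLD_MAX_DAYS = 30     # oral law-enforcement request: at most 30 days unless put in writing


@dataclass
class NotificationPlan:
    breach_of_unsecured_phi: bool
    individuals_by: Optional[date] = None
    hhs_by: Optional[date] = None             # set only when 500 or more individuals are affected
    hhs_annual_log_by: Optional[date] = None  # set only for fewer than 500
    media_states: list[str] = field(default_factory=list)
    media_by: Optional[date] = None
    notes: list[str] = field(default_factory=list)


def law_enforcement_hold(statement_date: date, requested_days: int, in_writing: bool) -> date:
    """Return the last day of a permitted law-enforcement delay.

    A written statement governs for the period it specifies; an oral statement
    supports a hold of at most 30 days from the date it was made.
    """
    if not in_writing:
        requested_days = min(requested_days, ORAL_LE_HOLD_MAX_DAYS)
    return statement_date + timedelta(days=requested_days)


def plan_notifications(
    discovered: date,
    affected_by_state: dict[str, int],
    phi_secured: bool = False,
    hold_until: Optional[date] = None,
) -> NotificationPlan:
    """Compute who must be notified, and by when, for a breach discovered on `discovered`.

    `affected_by_state` maps a state/jurisdiction code to the number of residents affected.
    `phi_secured` is True when the PHI was encrypted or destroyed per HHS guidance and the
    key was not compromised (safe harbor).  `hold_until`, if set, is the end of a documented
    law-enforcement delay (see law_enforcement_hold); this example assumes notice becomes
    due when the hold lifts if the hold outlasts the 60-day window.
    """
    if phi_secured:
        return NotificationPlan(
            breach_of_unsecured_phi=False,
            notes=["Secured PHI: no notification required; still investigate, mitigate and document."],
        )

    outer_limit = discovered + timedelta(days=NOTICE_WINDOW_DAYS)
    due = max(outer_limit, hold_until) if hold_until else outer_limit
    plan = NotificationPlan(breach_of_unsecured_phi=True, individuals_by=due)
    plan.notes.append("60 days is an outer limit, not a target: notify without unreasonable delay.")

    total = sum(affected_by_state.values())
    if total >= HHS_IMMEDIATE_THRESHOLD:
        plan.hhs_by = due
    else:
        # Small breaches go on the annual log, due 60 days after the end of the
        # calendar year in which the breach was DISCOVERED (not when it occurred).
        year_end = date(discovered.year, 12, 31)
        plan.hhs_annual_log_by = year_end + timedelta(days=NOTICE_WINDOW_DAYS)

    # Media notice is triggered per state/jurisdiction, not by the national total:
    # 300 in CA + 300 in NV reaches the HHS threshold but no media threshold.
    plan.media_states = sorted(s for s, n in affected_by_state.items() if n >= MEDIA_THRESHOLD)
    if plan.media_states:
        plan.media_by = due
    return plan


if __name__ == "__main__":
    # Constructed sample input: discovered 15 Mar 2024, 700 CA residents and 20 NV residents.
    print(plan_notifications(date(2024, 3, 15), {"CA": 700, "NV": 20}))
```

The annual-log date is computed from the year end rather than hard-coded as "1 March" because the 60 days land on 29 February when the following year is a leap year. State breach statutes with shorter deadlines would be layered on top of this plan, never used to relax it.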

Media Notification

Who, when, and how

  • Threshold: 500 or more residents of a single state or jurisdiction are affected.
  • Timing: Without unreasonable delay and no later than 60 calendar days after discovery.
  • Method: A press release or similar communication to prominent media outlets serving the affected area, in addition to individual notices and any HHS reporting.

What the media notice should include

  • Clear summary of the incident and the types of PHI involved.
  • Dates of the breach and its discovery.
  • Steps individuals can take to protect themselves (for example, monitoring or fraud alerts).
  • Actions your organization has taken to investigate, mitigate, and prevent recurrence.
  • Contact information (phone, email, or website) for questions.

Best practices

  • Coordinate legal, privacy, security, and communications teams to ensure accuracy and consistency with individual notifications.
  • Avoid disclosing more PHI than necessary while still providing meaningful information.
  • Document the content, timing, and distribution list for your compliance file.

Business Associate Responsibilities

Core obligations under HITECH and HIPAA

  • Execute and honor Business Associate Agreements that define permitted uses/disclosures, safeguards, reporting duties, and breach cooperation.
  • Implement administrative, physical, and technical safeguards appropriate to the risks, and perform a documented risk analysis and risk management program.
  • Flow down HIPAA privacy and security requirements to subcontractors that handle PHI.
  • Report breaches of Unsecured Protected Health Information to the Covered Entity without unreasonable delay and within 60 days, identifying each affected individual and supplying available incident details.
  • Maintain incident logs, evidence, and remediation records to support the Covered Entity’s notifications and any OCR investigation.

Working with Covered Entities after an incident

  • Provide forensics and scope details promptly (systems affected, data elements, timeframe, mitigation steps).
  • Assist with individual, HHS, and media notifications and with responding to inquiries.
  • Address root causes through policy updates, workforce training, technology hardening, and vendor oversight.

Conclusion

HITECH tightened HIPAA’s breach response by defining when and how you must notify individuals, HHS, and—when large incidents occur—the media. OCR enforces these obligations through investigations, Civil Monetary Penalties, and Corrective Action Plans, with a growing emphasis on risk analysis, recognized security practices, and timely reporting.

Build disciplined detection, investigation, and notification workflows; maintain strong Business Associate oversight; and document every decision. Doing so strengthens HIPAA Compliance, reduces breach impact, and positions your organization well if OCR reviews your response.

FAQs

What are the breach notification requirements under HITECH?

You must notify affected individuals without unreasonable delay and within 60 calendar days of discovering a breach of Unsecured Protected Health Information. If 500 or more individuals are affected, notify HHS (OCR) within the same 60-day window; for fewer than 500, log the breach and submit the log to HHS within 60 days after the end of the calendar year in which the breach was discovered. If 500 or more residents of a single state or jurisdiction are affected, notify prominent media outlets within 60 days as well. Business Associates must notify the Covered Entity, supplying the information needed for these notices. A documented four-factor risk assessment determines whether an incident requires notification; an impermissible use or disclosure is presumed to be a breach unless that assessment shows a low probability of compromise.

How are penalties for HIPAA violations determined?

OCR applies a four-tier penalty structure based on culpability, with per-violation amounts and annual caps adjusted for inflation. Factors include the nature and extent of the violation and harm, how long the issue persisted, the number of individuals affected, organizational size and history, mitigation and cooperation, and whether recognized security practices were in place. Outcomes range from resolution agreements with multi-year Corrective Action Plans to Civil Monetary Penalties.

When must media be notified of a data breach?

When a breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that area without unreasonable delay and no later than 60 calendar days after discovery. This media notice supplements, and does not replace, individual notifications and required reporting to HHS (OCR).

What responsibilities do business associates have under HITECH?

Business Associates are directly liable for compliance with applicable HIPAA provisions. They must implement safeguards, perform risk analysis and risk management, execute and enforce Business Associate Agreements (and flow requirements to subcontractors), and notify the Covered Entity of breaches without unreasonable delay and within 60 days, identifying affected individuals and sharing incident details. They must also support mitigation, notifications, and any OCR investigation, and document corrective actions to restore and improve security and privacy controls.
