What Is the HITECH Act? Definition, Key Requirements, and Breach Notification

Kevin Henry

HIPAA

July 25, 2024

7 minutes read
HITECH Act Overview

Definition and purpose

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009 as part of the American Recovery and Reinvestment Act, strengthened HIPAA by accelerating electronic health record (EHR) adoption and tightening privacy and security protections for protected health information (PHI). It created the HIPAA Breach Notification Rule, raised the civil penalty ceilings, and expanded enforcement by the Department of Health and Human Services (HHS).

Who it applies to

HITECH applies to covered entities—health plans, health care clearinghouses, and most health care providers—and to their business associates that create, receive, maintain, or transmit PHI on their behalf. Under HITECH, as implemented by the 2013 Omnibus Rule, business associates became directly liable for the HIPAA Security Rule and for many Privacy Rule requirements, rather than being bound only by contract.

Why it matters

For your organization, HITECH raises the stakes: stronger security expectations, mandatory breach notifications, higher penalties, and a clearer paper trail of compliance documentation to prove you met your obligations.

Breach Notification Requirements

Who must notify and when

When a breach of unsecured PHI is discovered, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the entity, so the clock can start before the security or compliance team hears about it. Business associates must notify the covered entity without unreasonable delay and no later than 60 calendar days after their own discovery so that it can notify individuals; business associate agreements (BAAs) commonly require a much shorter window, and in every case 60 days is a ceiling, not a target.

Content of the individual notice

  • A brief description of what happened, including dates of the breach and discovery.
  • The types of PHI involved (for example, names, addresses, Social Security numbers, medical information).
  • Steps affected individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent future incidents.
  • Contact information (toll-free number, email, or postal address) for questions.

How to provide notice

Send written notice by first-class mail, or by email if the individual has agreed to electronic notice. If contact information is insufficient or out of date for fewer than 10 individuals, use an alternative form of written notice, telephone, or other means. If it is insufficient for 10 or more individuals, provide substitute notice by a conspicuous posting on your website home page for at least 90 days or a conspicuous notice in major print or broadcast media where the affected individuals likely reside, and in either case include a toll-free number that stays active for at least 90 days.

Large-scale breaches

For breaches affecting more than 500 residents of a state or jurisdiction, you must also notify prominent media outlets serving that area, no later than 60 calendar days after discovery. For breaches affecting 500 or more individuals, you must report to HHS contemporaneously with the individual notices.

Breach Definition

What counts as a breach

A breach is the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of that information. Any such impermissible use or disclosure is presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised, based on a documented risk assessment of at least the four factors below.

Four-factor risk assessment

  • Nature and extent of PHI involved (types of identifiers and likelihood of re-identification).
  • Unauthorized person who used the PHI or to whom the disclosure was made.
  • Whether the PHI was actually acquired or viewed.
  • The extent to which the risk has been mitigated (for example, satisfactory assurances of destruction or return).

Exceptions

  • Unintentional acquisition, access, or use by a workforce member acting in good faith within scope of authority, not further used or disclosed improperly.
  • Inadvertent disclosure between authorized persons within the same covered entity, business associate, or organized health care arrangement, not further used improperly.
  • Good-faith belief that the unauthorized recipient could not reasonably have retained the information.

Practical examples

  • Lost, unencrypted laptop containing PHI—likely a breach requiring notification.
  • Misdirected email to a provider within the same clinic who is authorized to access the patient’s record—often an exception if not further used.
  • Ransomware encrypts a server with PHI—generally presumed a breach unless you can demonstrate low probability of compromise after investigation.

Reporting to HHS

Thresholds and timelines

  • 500 or more individuals: report to HHS without unreasonable delay and no later than 60 calendar days from discovery, through the HHS breach report portal, at the same time individuals are notified. Media notice is also required when more than 500 residents of a single state or jurisdiction are affected.
  • Fewer than 500 individuals: log the breach and report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered.

Law enforcement delay

If a law enforcement official states that notification would impede a criminal investigation or damage national security, you may delay individual, media, and HHS notifications. If the statement is in writing and specifies a period, delay for that period; if it is oral, document the statement and the official's identity and delay no longer than 30 days from the oral statement unless a written statement follows.

Recordkeeping

Maintain auditable compliance documentation—investigation notes, risk assessments, copies of notices, mailing or email logs, and HHS submissions—to substantiate that you met all reporting obligations.

Business Associates' Responsibilities

Direct compliance duties

Business associates must implement administrative, physical, and technical safeguards aligned with the HIPAA Security Rule, conduct periodic risk analyses, follow the minimum necessary standard, and maintain workforce training and sanction policies.

Contractual and downstream obligations

BAAs must set breach reporting timelines, permitted uses, and safeguards. Business associates must “flow down” comparable requirements to subcontractors that create, receive, maintain, or transmit PHI.

Breach reporting to covered entities

Upon discovering a breach, a business associate must notify the covered entity without unreasonable delay and provide, to the extent possible, identification of each affected individual and information needed for the covered entity’s notices.

Penalties for Non-Compliance

Civil monetary penalties

HITECH created a four-tier penalty structure based on culpability: (1) no knowledge, (2) reasonable cause, (3) willful neglect corrected, and (4) willful neglect not corrected. Penalties are assessed per violation with annual caps by violation category, and amounts are adjusted for inflation periodically by HHS.

Corrective actions and monitoring

In addition to fines, HHS’s Office for Civil Rights (OCR) may require corrective action plans, ongoing reporting, or monitoring to verify sustained compliance.

Criminal exposure

Knowingly obtaining or disclosing PHI in violation of HIPAA can trigger criminal penalties enforced by the Department of Justice. Factors include intent, false pretenses, and commercial advantage or malicious harm.

Recognized security practices

During investigations and when setting penalties or audit remedies, OCR must consider whether you had “recognized security practices” in place for the previous 12 months, a provision added to HITECH by a 2021 amendment (Public Law 116-321). Examples the statute names are the NIST Cybersecurity Framework and the HHS 405(d) Health Industry Cybersecurity Practices. Demonstrating such practices can mitigate penalties and narrow the scope of remedies; it does not excuse the underlying violation.

Safe Harbor Provision

Encryption and destruction safe harbor (breach notification rule)

If PHI is secured, meaning it has been rendered unusable, unreadable, or indecipherable to unauthorized individuals, the incident is not a breach of unsecured PHI and notification is not required. HHS guidance recognizes two methods. Encryption: data at rest encrypted consistent with NIST SP 800-111, and data in transit protected consistent with NIST SP 800-52, 800-77, or 800-113 or by another FIPS 140-validated process, with the decryption key stored on a device or system separate from the data so that it is not exposed in the same incident. Destruction: paper and film shredded or destroyed so the PHI cannot be read or reconstructed, and electronic media cleared, purged, or destroyed consistent with NIST SP 800-88.

What safe harbor does—and does not—do

  • It eliminates notification when PHI was properly secured at the time of the incident.
  • It does not waive your duty to investigate, perform a risk assessment, or document decisions.
  • It does not apply if encryption keys were compromised or if PHI was not secured according to recognized methods.
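To make the encryption branch of the safe harbor concrete, here is an added example in Go (it is not code from the original article or from Accountable). It seals a constructed PHI record with AES-256-GCM, the NIST SP 800-38D authenticated mode, using only Go's standard crypto library, and then shows the two outcomes the safe harbor turns on: a finder holding the ciphertext without the key recovers nothing, and a ciphertext altered at rest or in transit is rejected rather than decrypted to garbage. The function names `NewDataKey`, `Seal` and `Open`, the `mrn:` record identifier, and the sample record are all assumptions made for this example; a production system would fetch the key from a KMS or HSM rather than generate it in-process, and the key must never sit on the same device as the ciphertext, or the safe harbor is lost.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// AES-256 key length in bytes. GCM is the NIST SP 800-38D authenticated mode
// that the HHS safe-harbor guidance reaches via NIST SP 800-111.
const keySize = 32

// NewDataKey returns a fresh random 256-bit key. In real deployments the key
// comes from a KMS or HSM and lives apart from the device holding the data;
// a key on the same lost laptop as the ciphertext defeats the safe harbor.
func NewDataKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD and rejects keys of the wrong length up front.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one PHI record. Output layout: nonce || ciphertext || tag.
// recordID (hypothetical "mrn:..." identifier) is bound as associated data,
// so a ciphertext cannot be moved unnoticed from one patient's row to another's.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce per record; nonce reuse under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag, recordID or key
// fails authentication and returns an error, never plaintext.
func Open(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, []byte(recordID))
}

func main() {
	// Constructed sample record for the example; not real patient data.
	const recordID = "mrn:000123"
	record := []byte(`{"mrn":"000123","name":"J. Doe","dx":"E11.9"}`)

	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, recordID, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed record: %x\n", sealed)

	// Lost-laptop scenario: the finder has the ciphertext but not the key.
	wrongKey, _ := NewDataKey()
	if _, err := Open(wrongKey, recordID, sealed); err != nil {
		fmt.Println("without the key the record stays unreadable:", err)
	}

	// Integrity: flipping one bit of the tag is detected, not decrypted to garbage.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, recordID, tampered); err != nil {
		fmt.Println("tampered record rejected:", err)
	}

	// Authorized path: the right key and record ID recover the plaintext.
	plain, err := Open(key, recordID, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plain)
}
```

Run it with `go run`. Binding the record identifier as associated data is the check that stops someone with write access to the store from swapping one patient's ciphertext into another's row while the tag still verifies. None of this changes the duty in the list above to investigate and document: the safe harbor is a claim you substantiate with evidence such as this configuration and the key-storage separation, not an automatic exemption.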

Proving eligibility for safe harbor

Keep detailed compliance documentation: system inventories, encryption configurations, key management logs, screen captures, vendor attestations (e.g., FIPS validation), and destruction certificates. During audits, this evidence substantiates your safe harbor claim.

Conclusion

The HITECH Act amplifies HIPAA by mandating timely breach notifications, expanding business associate accountability, increasing penalties, and rewarding strong security practices. By encrypting PHI, documenting controls, and following clear reporting workflows to individuals and HHS, you reduce risk and improve trust while meeting the law’s core requirements.

FAQs

What is the main purpose of the HITECH Act?

To strengthen HIPAA by promoting EHR adoption and enhancing privacy and security protections for PHI, including creating the Breach Notification Rule and expanding enforcement by HHS.

How soon must breaches be reported to affected individuals?

Without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI. Faster notice is encouraged when feasible.

What penalties exist for violating the HITECH Act?

OCR may impose tiered civil monetary penalties per violation with annual caps by violation category, require corrective action plans, and—where conduct is willful or criminal—refer matters for potential criminal enforcement.

When is breach notification not required under the Safe Harbor provision?

When the PHI was properly secured—typically encrypted using HHS-referenced encryption standards or destroyed according to accepted methods—so that it was unusable, unreadable, or indecipherable to unauthorized individuals at the time of the incident.
