Health Information Technology for Economics and Clinical Health (HITECH) Act

Impact on HIPAA Privacy and Security Provisions

The Health Information Technology for Economic and Clinical Health Act (HITECH) is part of the American Recovery and Reinvestment Act (ARRA) of 2009 and creates incentives related to health care information technology, including incentives for the use of electronic health record (EHR) systems among providers.

Because HITECH legislation results in an expansion in the exchange of electronic protected health information (ePHI), it also widens the scope of privacy and security protections under the Health Insurance Portability and Accountability Act (HIPAA), including increasing legal liability for non-compliance and more enforcement actions. The following are highlights of key HITECH provisions as they relate to HIPAA.


  • Historically, HIPAA was not rigorously enforced, but the adoption of the final rule [PDF] in 2013 clarified and strengthened enforcement activities. Both covered entities and business associates are subject to penalties for violations.
  • Civil money penalties for "willful neglect" are increased.
  • Although an individual can't bring a cause of action against a provider for violations under HITECH, a state attorney general can bring an action on behalf of a state's residents.
  • The Department of Health and Human Services (HHS) is required to conduct periodic audits of covered entities and business associates.

Notification of Breach

HITECH imposes data breach notification requirements for unauthorized uses and disclosure of unsecured or unencrypted PHI.

Electronic Health Record Access

For providers that have implemented an EHR system, individuals have a right to obtain their PHI in an electronic format. Only a fee equal to the labor cost can be charged for an electronic request.

Business Associates (BA) and Business Associate Agreements (BAA)

  • HITECH now applies HIPAA provisions to business associates, thus requiring business associates to comply with the HIPAA security rule.
  • Most, if not all, software vendors providing EHR systems will clearly qualify as business associates.
  • Business associates must report security breaches to covered entities consistent with notification requirements.
  • Business associates are subject to civil and criminal penalties, just as the covered entities are subject to these penalties.
  • Business associates and providers will now share more joint responsibilities than they have previously.

Other Requirements

There are additional requirements that address marking communications, restrictions, and accounting that modify HIPAA and affect HITECH as well. Additional information and resources related to HIPAA are available on ASHA's website.

ASHA Corporate Partners