HITECH Act
Also known as: Health Information Technology for Economic and Clinical Health Act; HITECH
HITECH is the 2009 federal law that strengthened HIPAA by extending direct liability to business associates, increasing breach notification requirements, and creating tiered civil monetary penalties for HIPAA violations.
Definition
The Health Information Technology for Economic and Clinical Health Act was enacted as Title XIII of the American Recovery and Reinvestment Act of 2009. HITECH made business associates directly liable for HIPAA Security Rule compliance and for impermissible uses and disclosures under the Privacy Rule; HHS implemented those provisions in the 2013 Omnibus Final Rule, with a compliance date of September 23, 2013. It introduced the Breach Notification Rule (now codified at 45 CFR 164.400-414) requiring notification to affected individuals, to HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, to prominent media outlets. It also established the four-tier civil penalty structure (from 'did not know' to 'willful neglect, not corrected') and created the Meaningful Use program that drove EHR adoption.
Example
Under HITECH, a clearinghouse that suffers a ransomware attack affecting the PHI of 600 individuals must treat the incident as a presumptive breach: OCR's ransomware guidance treats encryption of ePHI by ransomware as a breach unless the four-factor risk assessment in 45 CFR 164.402 demonstrates a low probability that the PHI was compromised. Because more than 500 individuals are affected, it must notify each affected individual without unreasonable delay and no later than 60 calendar days after discovery, notify HHS through the OCR breach portal at the same time, and notify prominent media outlets serving the affected state or jurisdiction. Where the clearinghouse holds the records as a business associate of a provider, its own obligation under 45 CFR 164.410 is to notify that covered entity within the same 60-day window, and the covered entity then carries out the individual, HHS, and media notifications.
Common Misconceptions
HITECH did not replace HIPAA — it amended and strengthened it. Many practices believe HITECH only applies to EHR vendors due to the Meaningful Use connection, but the breach notification and direct business associate liability provisions apply to every billing company, clearinghouse, and IT vendor that handles PHI.
Practical Application
Since the Omnibus Final Rule's September 23, 2013 compliance date, billing companies and other business associates have been directly liable to HHS for Security Rule violations regardless of what the BAA says, and regardless of whether a BAA was ever signed. Practices should verify that their billing partner conducts and documents a periodic Security Rule risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and maintains breach notification procedures meeting 45 CFR 164.410, which requires a business associate to notify the covered entity without unreasonable delay and no later than 60 days after discovery, so the practice can meet its own duties to individuals under 45 CFR 164.404. The BAA should set a notification window well short of that 60-day ceiling: under 45 CFR 164.404(a)(2), a breach known to a business associate acting as the practice's agent is treated as discovered by the practice on that date, so the practice's own 60-day clock may already be running before it hears of the incident.
Related Terms
HIPAA
HIPAA is the 1996 federal law that establishes national standards for protecting the privacy and security of individually identifiable health information held by covered entities and their business associates.
PHI (Protected Health Information)
PHI is any individually identifiable health information transmitted or maintained by a HIPAA covered entity or business associate, in any form or medium, that relates to a person's past, present, or future physical or mental health, treatment, or payment for care.
Business Associate Agreement (BAA)
A Business Associate Agreement is a HIPAA-required written contract under 45 CFR 164.504(e) between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf, establishing the vendor's permitted uses, safeguards, and breach notification obligations.