What is the Relationship Between HITECH, HIPAA, and Electronic Health and Medical Records?

This post originally appeared on, a site that provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996, and was updated by the HIPAA Privacy Rule in 2003 and the HIPAA Security Rule in 2005, but how did the Health Information Technology for Economic and Clinical Health (HITECH) Act change HIPAA and what is the relationship between HITECH, HIPAA, and electronic health and medical records?

What is the Relationship Between HITECH and HIPAA and Medical Records?

Title I of HIPAA is concerned with the portability of health insurance and with protecting the rights of workers moving between jobs so that health insurance coverage is maintained; it has nothing to do with the HITECH Act. However, there is a strong relationship between HITECH and HIPAA Title II. Title II of HIPAA includes the administrative provisions, patient privacy protections, and security controls for health and medical records and other forms of protected health information (PHI).

One of the main aims of the HITECH Act was to encourage the adoption of electronic health and medical records by creating financial incentives for making the transition from paper to digital records. The HITECH Act also strengthened the HIPAA Privacy and Security Rules with respect to electronic health and medical records.

The HITECH Act required the Secretary of the HHS to ensure guidance was issued annually to covered entities and business associates to help them implement appropriate technical safeguards to ensure the confidentiality, integrity, and availability of PHI. The technologically neutral nature of HIPAA had led to confusion about how best to protect PHI.

How did the HITECH Act Change HIPAA?

The HITECH Act, which was published on January 25, 2013, made several changes to HIPAA and introduced new requirements for HIPAA-covered entities with notable changes for business associates. Some of the key updates to HIPAA by HITECH are detailed below:

Business Associates Directly Accountable for HIPAA Violations

The HITECH Act required business associates of HIPAA covered entities to enter into a business associate agreement (BAA) with HIPAA-covered entities and agree not to disclose PHI other than for reasons permitted by the HIPAA Privacy Rule. They were also required to agree to adhere to certain provisions of the HIPAA Security Rule, including the implementation of administrative, physical, and technical controls to safeguard the confidentiality, integrity, and availability of PHI.

The definition of business associate was also expanded to include all persons who receive PHI and subcontractors of business associates. The HITECH Act required business associates to enter into a BAA with their subcontractors. Business associates were made directly accountable for HIPAA violations and could be penalized financially for violating HIPAA Rules.

[PC] Basically, this means you have to have a business associate agreement in place with all the other businesses you work with. If you're reading this and realize you need a business associate agreement for your vendors, check out this one that HHS provides for free.

This is one of the most common HIPAA violations that results in a financial penalty. For example, this orthopedic clinic had to pay out a $750,000 settlement due to lack of a BAA.

Increased Penalties for HIPAA Violations

In addition to fines for business associates, HIPAA-covered entities could also be fined for violations of HIPAA Rules by their business associates. The HITECH Act also required the HHS to investigate breaches and complaints to determine if there had been willful violations of HIPAA Rules.

The penalty structure for HIPAA violations was also amended by HITECH. HITECH allowed penalties to be issued for HIPAA violations that occurred without the knowledge of the covered entity or business associate if the covered entity/business associate should have been aware that HIPAA was violated by exercising reasonable due diligence. However, the HITECH Act prohibited the issuing of financial penalties if a violation was corrected within 30 days, provided the violation was not due to willful neglect.

Patients Given Option of Obtaining Health and Medical Records in Electronic Form

While the HIPAA Privacy Rule gave patients and health plan members the right to obtain copies of their PHI, the HITECH Act increased those rights to include the option of being provided with copies of health and medical records in electronic form, if the covered entity maintains health and medical records in electronic form and the information was readily producible in that format.

HITECH also prohibited the sale of PHI except in limited circumstances and closed the marketing loophole, prohibiting providers from receiving compensation in return for making treatment recommendations.

HITECH, HIPAA, and Breach Notifications

The HITECH Act introduced a new requirement for issuing notifications to individuals whose electronic protected health information was exposed in a security breach if the information was not encrypted. The definition of a breach was also broadened to include any unauthorized acquisition, access, use or disclosure of unsecured PHI which compromised the security or privacy of that information.

These updates formed the basis for the HIPAA Breach Notification Rule which requires HIPAA covered entities to send notifications to affected individuals if there is a significant risk of financial, reputational or other harm as a result of a breach. Those notifications need to be issued without unnecessary delay and no later than 60 days following the discovery of a breach.

The Department of Health and Human Services’ Office for Civil Rights must also be notified of breaches within the same time frame if the breach impacts 500 or more individuals. Small breaches must also be reported to OCR, but within 60 days of the end of the calendar year in which the breach was discovered.