HIPAA and the HITECH Act

The American Recovery and Reinvestment Act’s (ARRA’s) Title XIII has had a significant relationship with HIPAA since its introduction in 2009. ARRA’s Title XIII, more commonly known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, introduced important changes to HIPAA’s Rules, such as the Enforcement Rule, and significantly updated practices surrounding electronic health records in the healthcare system.


Before HITECH, OCR was only able to issue fines of $100 per HIPAA violation up to a maximum of $25,000. OCR was unable to investigate many of the reports of HIPAA non-compliance it received due to a lack of resources. Therefore, few fines were issued, and they did not act as the incentive for HIPAA compliance that they were anticipated to be.

HITECH introduced ‘violation tiers’, meaning that the size of the penalty levied against the organisation could be determined using several different factors. These factors included the size of the organisation, whether appropriate safeguards were in place before the violation, and whether the organisation had any knowledge of the breach. HITECH also increased the penalties that OCR could charge by a considerable amount: a minimum of $50,000 per violation with a maximum of $1.5 million.

These increased fines allowed OCR to accrue more resources to pursue claims of HIPAA non-compliance and acted as a greater incentive for organisations to follow HIPAA’s Rules.


HITECH also provides Medicare and Medicaid monetary incentives for hospitals and physicians to adopt electronic health records (EHRs), and it set funds aside to provide grants to healthcare organisations to develop a health information exchange (HIE).

Healthcare organisations can improve efficiency and patient experience by adopting these technological solutions. A more streamlined healthcare system reduces the administrative burden on an already strained healthcare system while simultaneously reducing overhead costs.

HITECH made $30 billion available to healthcare organisations for the development of this electronic healthcare infrastructure. According to the Act, physicians are eligible to receive up to $44,000 per physician from Medicare for “meaningful use” of a certified EHR system starting in 2015.

HITECH also addresses the security concerns involved with the electronic storage and transmission of healthcare data, as per HIPAA’s Security and Privacy Rules.


Before HITECH, Business Associates (BAs) of HIPAA Covered Entities (CEs) had a contractual, but not legal, requirement to comply with HIPAA. HITECH made BAs legally required to comply with HIPAA’s laws. BAs now have a legal obligation to inform the relevant CE of a breach of PHI and must implement the same privacy and security requirements to protect patient data.

Summary of HIPAA and HITECH

HITECH is integral to the effective implementation of HIPAA. HITECH grants OCR more powers to pursue HIPAA violations by strengthening and updating HIPAA’s Rules, most notably the Enforcement Rule and Breach Notification Rule. By improving the OCR’s ability to enforce HIPAA, HITECH improves the cybersecurity landscape in the US healthcare industry. Organisations now have more reasons to mitigate the risks of a HIPAA violation due to the increased size of the penalties and the OCR’s ability to pursue BAs who may be violating HIPAA. Additionally, HITECH has provided incentives to organisations to improve efficiency in the healthcare industry by adopting new electronic solutions to administrative tasks.