The Health Information Technology for Economic and Clinical Health Act (“HITECH”) was passed on February 17, 2009, through 111 Public Law 5 as part of stimulus package legislation.  It was passed as a monetary incentive plan for hospitals to begin converting to electronic health records.  The idea was for any hospital to be able to access all of your medical records; however, because of increased concerns associated with electronic records containing protected health information (“PHI”), heightened enforcement and sanctions provisions in the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules were implemented as well.  PHI is defined under HIPAA in 45 C.F.R. § 164.402.  It includes medical records and patient information whether in oral, paper, or electronic form.

HITECH significantly changes both enforcement and sanctions with regard to health care privacy and security requirements under HIPAA.  Prior to HITECH, HIPAA was solely a regulatory scheme promulgated by the Department of Health and Human Services.  45 C.F.R. Parts 160, 162, & 164.  Now, portions of the Privacy and Security Rules are codified in the United States Code as a result of HITECH.


The Office for Civil Rights (“OCR”) of the United States Department of Health and Human Services (“HHS”) is the primary enforcement authority for HITECH.  Prior to HITECH, the OCR enforced the HIPAA privacy rules and the Centers for Medicare and Medicaid Services (“CMS”) enforced the security rules.  Other federal agencies, such as CMS with the Electronic Health Record (“EHR”) Incentive, may continue to have interests in ensuring HITECH compliance, but HHS has the primary enforcement authority.

As an alternative form of enforcement, state attorneys general also may bring suit in federal courts on behalf of their residents to enforce HITECH.  42 U.S.C. § 1320d-5(d). 


HITECH applies to covered entities (“CEs”) which primarily consist of hospitals and physicians.  It also applies to business associates (“BAs”) which are people or entities that conduct work on behalf of CEs and handle PHI.

Lawyers who handle PHI through their work for CEs or other BAs are considered BAs.  As a result, most health care and medical malpractice attorneys are subject to these regulations.


            A.  Preempts State Law

HITECH preempts any contrary provisions of state law.  The only exceptions occur when the OCR determines that the state law is necessary, the state law involves controlled substances, or the state law is stricter than the HITECH requirements.

            B.  Imposes HIPAA Privacy and Security Regulations on BAs

Under HITECH, HIPAA privacy and security regulations are codified to apply not only to CEs, but also to BAs.  Prior to HITECH, BAs were not subject to the HIPAA security rules.  BAs are now subject to the administrative, physical, and technical security requirements under HIPAA.  This is a substantial change because BAs will be required to implement new policies and procedures to ensure compliance with HITECH.  An extensive analysis of what used to be required of BAs and the new security compliance requirements for BAs can be found in the HITECH Task Force’s Security Compliance for Business Associates cross-walk located at:


BAs must comply with the privacy requirements as well.  BA compliance with the privacy regulations is typically handled by entering into a business associate contract (“BAC”).  BACs are used by CEs and BAs to ensure that any BAs working for CEs are in compliance with the HITECH Act.  42 U.S.C. § 17938.

Additional changes to the HIPAA privacy provisions under HITECH include: expanded accounting disclosures (42 U.S.C. § 17935(c)), changes to the minimum necessary standard for disclosures (42 U.S.C. § 17935(b)), restrictions on disclosures to health plans (42 U.S.C. § 17935(a)), a prohibition on the sale of PHI (42 U.S.C. § 17935(d)), mandated access for patients to electronic PHI in EHR (42 U.S.C. § 17935(e)), new restrictions on marketing (42 U.S.C. § 17936(a)), and changes to the fundraising rule (42 U.S.C. § 17936(b)). HIPAA had regulations in most of these areas; however, HITECH increased and expanded the requirements. 

            C.  Imposes Security Breach Notification Requirements

HITECH also creates new security breach notification requirements.  A breach notification obligation arises when there is a breach of unsecured PHI by a CE or a BA.  Both the terms “breach” and “unsecured PHI” have specific definitions that help CEs and BAs understand when the timing and notification requirements under HITECH kick in.  A “breach” is defined in 42 U.S.C. § 17921(1) as “the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”  Unsecured PHI is defined as PHI that is not secured “through the use of a technology or methodology, specified by the [HHS] Secretary in guidance that renders PHI ‘unusable, unreadable, or indecipherable to unauthorized individuals.’”  45 C.F.R. § 164.402.

CEs and BAs will look to attorneys for assistance to understand when timing and notification restrictions have been triggered.  Attorneys will also advise their clients about reducing the risk of a potential breach. 


If you practice in the area of health law, and have any medical provider like a physician, nurse or hospital as a client, it is highly likely that HITECH applies to you.  You will need to take the appropriate steps to ensure you are in compliance with HITECH.

Your clients who qualify as CEs and BAs will also look to you for assistance in complying with the HITECH requirements.  More specifically, your clients will need assistance in understanding HITECH’s application due to its recent implementation, continuing tweaks to compliance deadlines, and ongoing clarifications.  Failure to comply with the HITECH provisions will likely result in significant sanctions, including civil penalties (42 U.S.C. § 17939(c) – (d)), criminal prosecution, and audits (42 U.S.C. § 17940).


HITECH Act – 42 U.S.C. § 300jj et seq.
             42 U.S.C. § 17921 et seq.
             111 P.L. 5

HITECH Breach Rule – 45 C.F.R. Parts 160 and 164

HIPAA Privacy and Security Rules – 45 C.F.R. Parts 160, 162, and 164


The following websites provide additional assistance on understanding HITECH:

The ABA HITECH task force:


The Office for Civil Rights:


The Office of the National