What is HITECH?
The 2009 law that gave HIPAA teeth — mandatory breach notification, direct liability for your IT vendors, and penalties high enough to close a practice.
The Short Version
HITECH stands for the Health Information Technology for Economic and Clinical Health Act. Think of it as HIPAA 2.0. Before HITECH, HIPAA was widely ignored because enforcement was weak and penalties were small. HITECH changed that.
It did three things that matter to you: it required you to notify patients of breaches, made your IT vendors directly liable for HIPAA violations (not just you), and raised penalties to $1.9M per violation category per year.
Who Needs to Comply?
If HIPAA applies to you, HITECH applies to you. But HITECH also expanded the rules to cover:
- Business Associates — your IT company, cloud provider, billing service, EHR vendor, email host
- Subcontractors of Business Associates — their vendors too
- Anyone who touches patient health information in any form
Before HITECH, if your IT vendor caused a breach, only you were on the hook. After HITECH, they are directly liable to the government. This is why a proper Business Associate Agreement (BAA) matters.
What Does HITECH Require From Your IT?
HITECH builds on HIPAA's Security Rule and adds specific breach-related requirements:
- Breach detection: You must be able to detect when patient data has been accessed improperly
- Breach notification: Affected patients must be notified without unreasonable delay, and no later than 60 days after the breach is discovered
- HHS notification: Every breach is reported to HHS; breaches affecting 500+ patients are reported within 60 days of discovery, smaller ones in an annual log submitted within 60 days after the end of the calendar year
- Media notification: A breach affecting 500+ residents of a state or jurisdiction also requires notifying prominent media outlets serving that area
- Encryption safe harbor: If the stolen data was encrypted in line with HHS guidance and the decryption key was not compromised along with it, no breach notification is required
- Access reports: Patients can request an accounting of who has accessed their records
- Audit logs: Full audit trails across every system that touches patient data
- Stricter authentication: Multi-factor authentication on systems with electronic health records
What Happens When You Don't Comply?
HITECH dramatically expanded HIPAA's penalty structure and added new enforcement avenues:
- Tier 4 — Willful neglect, not corrected: $50,000 per violation, up to $1.9M per year
- State Attorneys General: Can now sue on behalf of residents, independent of HHS
- Criminal penalties: Up to 10 years in prison for knowing misuse of patient data
- Breach Wall of Shame: HHS publicly posts breaches of 500+ patients at ocrportal.hhs.gov — permanent reputational damage
- Patient lawsuits: Many states now allow a private right of action for HIPAA/HITECH violations
How Digital Armor Helps
HITECH compliance is not a checkbox — it's continuous. We handle:
- Breach detection with monitored audit logs across every system
- Encryption at rest and in transit, so stolen data falls under safe harbor
- Multi-factor authentication on EHR and email systems
- Incident response plan — tested, not just written
- Business Associate Agreements with every vendor that touches patient data
- Breach notification procedures documented and rehearsed
- Annual risk assessment and remediation tracking
Could Your Practice Detect a Breach Today?
Most small practices can't — because nobody configured the logging. Under HITECH, "we didn't know" is not a defense; it's Tier 4 willful neglect. We can show you exactly what's being logged right now, and what isn't.
Book Your Assessment →