What is the HITECH Act?

The Health Information Technology for Economic and Clinical Health (HITECH) Act is a U.S. federal law that was enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA).

The HITECH Act was created to encourage the adoption and implementation of electronic health records (EHRs) by providing incentives to healthcare providers who could demonstrate meaningful use of certified EHR technology. It also includes provisions to enhance the security and privacy of health information and to enforce these rules. Specifically, it strengthened the Health Insurance Portability and Accountability Act, better known as HIPAA, by expanding its requirements to include business associates of covered entities and by establishing higher penalties for noncompliance. HITECH also established new requirements for breach notifications and for patients to access and control their health information. Besides updating HIPAA, the Act amended several other laws, including the Public Health Service Act and the Social Security Act.

HITECH compliance is required for covered entities and their business associates. A covered entity is one of the following: a healthcare provider, a health plan, or a healthcare clearinghouse. A business associate is commonly described as an organization that creates, maintains, transmits or receives protected health information (PHI) on behalf of a covered entity. Vendors of personal health records (PHR) and any other entity that maintains or stores PHI are also subject to certain provisions of the Act.

This law has had a significant impact on the healthcare industry, with many providers adopting EHRs and improving their use of health information technology to improve patient care and outcomes.

The HITECH Act was most recently updated in 2021, influenced by a Request for Information (RFI) from the Department of Health and Human Services (HHS) in 2018. This RFI aimed to explore ways to reduce the administrative burden of complying with HIPAA and improve healthcare coordination through better data sharing.

In 2021, after receiving feedback, the HIPAA Safe Harbor law was introduced as an amendment to the HITECH Act. This amendment empowers the Office for Civil Rights at HHS to exercise discretion in enforcing HIPAA violations. The OCR may refrain from taking enforcement action, reduce the severity of the penalty, or shorten the duration of a Corrective Action Plan if the entity has adopted and implemented ‘recognized security practices’ and can prove they were in place continuously for the 12 months prior to the occurrence of a data breach or other violation.

What are the HITECH Act Requirements?

The HITECH requirements are split between two divisions as follows:

Division A

  • Subtitle A—Promotion of Health Information Technology
  • Subtitle B—Testing of Health Information Technology
  • Subtitle C—Grants and Loans Funding
  • Subtitle D—Privacy

Division B

  • Subtitle A—Medicare Incentives
  • Subtitle B—Medicaid Incentives
  • Subtitle C—Miscellaneous Medicare Provisions

Division A focuses specifically on the provisions related to health information technology (HIT) and electronic health records. Division A is currently part of US law, and its many amendments to other Acts are included in the official text of those Acts as well.

Division B contains provisions related to the promotion and adoption of HIT by Medicare and Medicaid programs, as well as other miscellaneous provisions related to Medicare. Division B is less relevant today because many of its provisions have been sunsetted, are no longer in effect, or have been replaced by other Acts. However, covered entities should still carefully review the provisions and determine which of them are still applicable and if any of the replacement laws are relevant to the entity.

All organizations with access to PHI are required to comply with the HITECH provisions. This involves ensuring Security Rule risk assessments are performed routinely, developing policies and procedures to report breaches to the Department of HHS Office for Civil Rights (OCR) or to the Federal Trade Commission (FTC), and creating formal Business Associate Agreements or contracts whenever protected health information is shared between a covered entity and a business associate – or even between a vendor of PHRs and their third party service provider.

The HHS’ Office for Civil Rights is the primary enforcer of the HITECH Act, specifically the breach notification requirements and the enhanced HIPAA Privacy and Security Rules. The FTC also has jurisdiction over certain aspects of HITECH compliance for vendors of personal health records and their third-party service providers.


It’s important to understand the differences and similarities between HITECH and HIPAA. While HIPAA addresses security and privacy for all health records, electronic or not, the HITECH Act specifically covers electronic records, the security measures in place, and data breaches.

Despite their differences, HITECH and HIPAA overlap in many ways. Both laws are designed to protect the privacy and security of individuals’ health information. Both laws apply to covered entities. Both laws require covered entities to implement administrative, physical, and technical safeguards to protect health information, and both laws require covered entities to notify individuals in the event of a breach of unsecured PHI. Additionally, HITECH modified and expanded on certain provisions of HIPAA, so parts of HITECH are included in HIPAA. HITECH is a small but vital part of HIPAA.

Why Should You Comply with the HITECH Act?

The HITECH Act was created with five goals in mind which are also known as the five goals of the US healthcare system:

  1. Improve quality, safety, and efficiency 
  2. Engage patients in their care
  3. Increase coordination of care
  4. Improve the health status of the population
  5. Ensure privacy and security

The enactment of HITECH aimed to achieve these goals by incentivizing the adoption and use of health information technology, encouraging patients to become active participants in their health, clearing the path for the growth of Health Information Exchanges, and expanding the privacy and security provisions of HIPAA. Consequently, compliance with the HITECH Act plays an important role in modernizing the US healthcare system.

In addition to improving the overall healthcare system, there are other factors organizations should consider regarding the significance of HITECH compliance:

  • Adopting EHRs and streamlining healthcare operations according to HITECH requirements improves efficiency and reduces cost.
  • Implementing the Act’s requirements mitigates potentially substantial financial penalties.

Furthermore, the HITECH additions to HIPAA allowed the HHS’ Office for Civil Rights to step up enforcement action against non-compliant organizations by introducing new requirements for covered entities and business associates to report data breaches. Organizations that fail to comply with the requirements of the HITECH Act may be subject to financial penalties and other consequences, such as public disclosure of their non-compliance and the potential loss of federal funding.

The enactment of the HITECH Act has significantly upped the ante for non-compliance.

How to Achieve Compliance?

Achieving compliance with the HITECH Act requires implementing a comprehensive privacy and security program that includes policies, procedures, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). It can be difficult to identify where to begin, decide what to prioritize, determine which parts you already comply with, and implement a strategy to accomplish all the necessary tasks.

To combat the challenges of achieving compliance, Centraleyes’ SaaS platform provides a comprehensive and streamlined process to help covered entities and business associates meet their compliance obligations. The platform offers automated tools and workflows to help organizations meet the requirements of HITECH, including built-in questionnaires, security risk assessments, security and privacy policy templates, and real-time remediation guidance. With just a few clicks, potential risks can be identified, followed by clear corrective actions to mitigate them. The intuitive interface allows organizations to easily manage their compliance activities and track progress. 

Centraleyes also supports several other healthcare frameworks and regulations, including HIPAA and the Health Industry Cybersecurity Practices (HICP), to ensure comprehensive coverage across all your regulatory requirements.

By choosing Centraleyes, you can rest assured that you’re taking the necessary steps to protect your patients’ health information and avoid costly penalties. The platform is designed to streamline the compliance process and help you achieve HITECH compliance in the shortest time possible, so you can focus on delivering quality patient care.

With Centraleyes, you will be better prepared to meet the requirements of the HITECH Act, ultimately reducing the risk of data breaches and improving the overall security of ePHI.
