HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA). It was designed to promote the adoption and meaningful use of health information technology, particularly electronic health records (EHRs), while strengthening the privacy and security protections established under the Health Insurance Portability and Accountability Act (HIPAA).

In the context of limits on private-sector collection and use of data, the HITECH Act plays a significant role. It expanded the scope of HIPAA's privacy and security requirements by extending certain obligations directly to business associates, the third-party entities that handle protected health information (PHI) on behalf of covered entities such as healthcare providers, health plans, and healthcare clearinghouses. Prior to HITECH, business associates were only indirectly regulated through contractual agreements.

The Act introduced stricter breach notification requirements, mandating that covered entities and business associates notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, when unsecured PHI is breached. This increased transparency and accountability in how private-sector organizations handle sensitive health data.

HITECH also strengthened enforcement by increasing penalties for HIPAA violations, establishing a tiered penalty structure based on the level of negligence, with maximum penalties reaching $1.5 million per violation category per year. State attorneys general were also granted authority to bring civil actions on behalf of state residents for HIPAA violations.
Additionally, the Act imposed limitations on the sale of PHI without patient authorization and restricted the use of PHI for marketing and fundraising purposes. These provisions directly limit how private-sector organizations collect, use, and disclose health information. Overall, the HITECH Act significantly enhanced data protection in the healthcare sector by strengthening privacy safeguards, increasing accountability for data handlers, and imposing meaningful consequences for non-compliance, thereby placing important limits on private-sector collection and use of sensitive health data.
HITECH Act: A Comprehensive Guide for CIPP/US Exam Preparation
Introduction to the HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA). It represents one of the most significant expansions of health information privacy and security law in the United States, directly strengthening and extending the protections originally established under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Why the HITECH Act is Important
The HITECH Act is critically important for several reasons:
1. Strengthened Enforcement of HIPAA: Before HITECH, HIPAA enforcement was widely considered to be weak. HITECH dramatically increased penalties for noncompliance and gave state attorneys general the authority to bring civil actions on behalf of state residents for HIPAA violations.
2. Breach Notification Requirements: HITECH introduced, for the first time, mandatory breach notification requirements for unsecured protected health information (PHI). This was a watershed moment in U.S. health privacy law, requiring covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, when breaches occur.
3. Extended Liability to Business Associates: Prior to HITECH, business associates (entities that handle PHI on behalf of covered entities) were not directly subject to HIPAA's Security Rule or certain provisions of the Privacy Rule. HITECH extended direct liability to business associates, making them independently responsible for compliance.
4. Promotion of Electronic Health Records (EHRs): HITECH provided financial incentives to encourage the adoption of electronic health records, while simultaneously recognizing that increased digitization of health data demanded stronger privacy and security protections.
5. Limits on Private Sector Collection and Use: HITECH imposed important new restrictions on the use and disclosure of PHI, particularly regarding the sale of PHI, marketing communications, and the rights of individuals to restrict certain disclosures.
What the HITECH Act Is
The HITECH Act is a federal statute that was signed into law on February 17, 2009. It is divided into two subtitles relevant to privacy professionals:
Subtitle A – Promotion of Health Information Technology
This subtitle focuses on promoting the adoption and meaningful use of health information technology, particularly electronic health records (EHRs). It established the Office of the National Coordinator for Health Information Technology (ONC) within HHS and authorized billions of dollars in incentive payments through Medicare and Medicaid for providers who adopted certified EHR technology.
Subtitle D – Privacy
This is the subtitle most relevant to CIPP/US candidates. It contains the privacy and security provisions that strengthened HIPAA, including:
- Breach notification requirements
- Enhanced enforcement and penalties
- Extension of HIPAA requirements to business associates
- New restrictions on marketing and the sale of PHI
- Expanded individual rights
- Accounting of disclosures requirements
- Restrictions on disclosures to health plans for services paid out of pocket
How the HITECH Act Works
1. Breach Notification (Section 13402)
HITECH requires covered entities to notify affected individuals following the discovery of a breach of unsecured PHI. Key elements include:
- Definition of Breach: The acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the PHI.
- Unsecured PHI: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction as specified by HHS guidance.
- Notification to Individuals: Must be provided without unreasonable delay and no later than 60 days after discovery of the breach.
- Notification to HHS: If a breach affects 500 or more individuals, HHS must be notified without unreasonable delay (and HHS posts these on its public "wall of shame"). For breaches affecting fewer than 500 individuals, notification to HHS may be made annually.
- Notification to Media: If a breach affects 500 or more residents of a single state or jurisdiction, prominent media outlets in that area must be notified.
- Business Associate Obligations: Business associates must notify the covered entity of breaches, which then triggers the covered entity's notification obligations.
- Risk Assessment: Under the 2013 HIPAA Omnibus Rule (which implemented many HITECH provisions), a breach is presumed unless the covered entity can demonstrate through a risk assessment that there is a low probability that the PHI has been compromised, based on four factors: (i) the nature and extent of the PHI involved, (ii) the unauthorized person who used the PHI or to whom the disclosure was made, (iii) whether the PHI was actually acquired or viewed, and (iv) the extent to which the risk to the PHI has been mitigated.
2. Enhanced Penalties and Enforcement (Section 13410)
HITECH established a tiered system of civil monetary penalties based on the level of culpability:
- Tier A (Did Not Know): The entity did not know and, by exercising reasonable diligence, would not have known of the violation. Minimum penalty: $100 per violation, up to $25,000 per year for identical violations (adjusted for inflation; current maximums are higher).
- Tier B (Reasonable Cause): The violation was due to reasonable cause and not willful neglect. Minimum penalty: $1,000 per violation, up to $100,000 per year.
- Tier C (Willful Neglect – Corrected): The violation was due to willful neglect but was corrected within 30 days. Minimum penalty: $10,000 per violation, up to $250,000 per year.
- Tier D (Willful Neglect – Not Corrected): The violation was due to willful neglect and was not corrected within 30 days. Minimum penalty: $50,000 per violation, up to $1.5 million per year.
Note: These amounts have been updated and adjusted. The 2019 HHS enforcement notification revised the penalty tiers, but the tiered structure remains a key concept.
- State Attorneys General Enforcement: HITECH authorized state attorneys general to bring civil actions in federal district court on behalf of state residents for HIPAA violations. This was a major expansion, as previously only HHS (through OCR) and the DOJ could enforce HIPAA.
- Percentage of Penalties to Harmed Individuals: HITECH provided that a percentage of civil monetary penalties or monetary settlements could be distributed to individuals harmed by the violation, though this provision has not been widely implemented.
3. Business Associate Direct Liability (Section 13401)
Before HITECH, business associates were only contractually bound to comply with HIPAA through business associate agreements (BAAs). HITECH made business associates directly liable for compliance with:
- The HIPAA Security Rule (administrative, physical, and technical safeguards)
- Certain provisions of the HIPAA Privacy Rule, including the use and disclosure limitations and the minimum necessary standard
- Breach notification obligations (notifying the covered entity)
This means that HHS can directly investigate and penalize business associates, and business associates can face the same tiered civil monetary penalties as covered entities.
4. Restrictions on Marketing and Sale of PHI (Sections 13405 and 13406)
HITECH imposed significant new limits on the private sector's collection and use of health information:
- Marketing: HITECH narrowed the definition of permissible marketing communications. Covered entities and business associates must obtain individual authorization before using PHI for marketing purposes. Subsidized communications (where the covered entity receives financial remuneration from a third party for making the communication) are treated as marketing and require authorization. However, refill reminders and certain communications about drugs or biologics currently being prescribed to the individual are permitted if any financial remuneration received is reasonably related to the cost of the communication.
- Sale of PHI: HITECH prohibited the sale of PHI without individual authorization. A covered entity or business associate may not receive direct or indirect remuneration in exchange for PHI unless the individual authorizes the transaction. There are exceptions for public health activities, treatment purposes, the sale or merger of a covered entity, certain business associate functions, and other narrow purposes specified by regulation.
5. Expanded Individual Rights
- Right to Restrict Disclosures to Health Plans: Under HITECH, individuals have the right to request that a covered entity restrict disclosures of PHI to a health plan if the individual has paid for the service out of pocket in full. The covered entity must comply with this restriction (unlike the general HIPAA right to request restrictions, which covered entities may deny).
- Right to Electronic Copies: If a covered entity maintains PHI in an electronic health record, the individual has the right to obtain a copy in electronic form.
- Accounting of Disclosures: HITECH expanded the accounting of disclosures requirement to include disclosures for treatment, payment, and health care operations made through an EHR. (Implementation of this provision has been subject to rulemaking delays.)
6. Minimum Necessary Standard Strengthened
HITECH directed HHS to issue guidance on what constitutes the "minimum necessary" amount of PHI for particular purposes. It reinforced that covered entities and business associates must limit their use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose (with exceptions for treatment, disclosures to the individual, and certain other purposes).
7. Prohibition on Certain Disclosures of Genetic Information
HITECH, in conjunction with the Genetic Information Nondiscrimination Act (GINA), prohibits health plans from using or disclosing genetic information for underwriting purposes.
Relationship Between HITECH and the HIPAA Omnibus Rule (2013)
Many of HITECH's provisions were implemented through the HIPAA Omnibus Rule, published by HHS in January 2013. The Omnibus Rule:
- Finalized the breach notification rule
- Implemented the enhanced penalty structure
- Extended direct liability to business associates
- Modified the breach risk assessment standard (replacing the "harm" standard with the "low probability of compromise" standard)
- Implemented restrictions on marketing and the sale of PHI
- Implemented the right to restrict disclosures for services paid out of pocket
For exam purposes, it is important to understand that HITECH is the statute and the Omnibus Rule is the regulation that implements HITECH's provisions.
Key Concepts Summary Table
- Enacted: 2009 (part of ARRA)
- Scope: Strengthens and extends HIPAA
- Breach Notification: Mandatory for unsecured PHI; 60-day deadline; tiered notification (individuals, HHS, media)
- Business Associates: Directly liable under HIPAA Security Rule and parts of Privacy Rule
- Penalties: Four-tiered system based on culpability; maximums up to $1.5 million per violation category per year
- State AG Enforcement: Authorized for the first time
- Marketing/Sale of PHI: Authorization generally required
- Individual Rights: Mandatory restriction for out-of-pocket services; electronic copies; expanded accounting of disclosures
- Implemented by: HIPAA Omnibus Rule (2013)
Exam Tips: Answering Questions on the HITECH Act
Tip 1: Know the Relationship Between HITECH and HIPAA
HITECH did not replace HIPAA; it strengthened and extended it. Questions may test whether you understand that HITECH amended HIPAA rather than creating an entirely separate regulatory framework. If a question asks what HITECH did, focus on the enhancements: breach notification, enforcement, business associate liability, and new restrictions.
Tip 2: Master the Breach Notification Requirements
Breach notification is one of the most frequently tested HITECH topics. Remember the key thresholds: 500 individuals for immediate HHS notification and media notification (for a single state/jurisdiction); fewer than 500 for annual HHS reporting. Remember the 60-day deadline from discovery, not from occurrence. Know that the standard is "low probability that PHI has been compromised" (not a harm-based standard).
Tip 3: Understand the Penalty Tiers
You should be able to identify the four tiers of penalties and their relative severity. The key distinguishing factor is the level of culpability: unknowing, reasonable cause, willful neglect (corrected), and willful neglect (not corrected). Remember that willful neglect violations that are not corrected carry the highest penalties and must result in a penalty (HHS has no discretion to waive them).
Tip 4: Remember Business Associate Direct Liability
A common exam question tests whether business associates are directly liable under HIPAA post-HITECH. The answer is yes. Before HITECH, liability was only contractual (through BAAs). After HITECH, business associates face direct regulatory liability. Know that subcontractors of business associates are also treated as business associates under the Omnibus Rule.
Tip 5: Distinguish Marketing from Treatment Communications
Questions on marketing can be tricky. Remember that treatment communications (e.g., a doctor recommending a specific medication) are generally not marketing. However, if a third party pays the covered entity to send a communication, it is generally treated as marketing and requires authorization. Refill reminders are an exception if the remuneration is reasonably related to the cost of the communication.
Tip 6: Know the Mandatory Restriction Right
Unlike the general HIPAA right to request restrictions (which a covered entity can deny), the HITECH right to restrict disclosures to a health plan for services paid entirely out of pocket is mandatory. If you see a question about a patient paying cash and requesting that information not be shared with their insurer, HITECH's mandatory restriction provision is the answer.
Tip 7: Distinguish Unsecured vs. Secured PHI
Breach notification only applies to unsecured PHI. PHI that has been encrypted to NIST standards or properly destroyed is considered "secured" and falls outside the breach notification requirements. This is sometimes called a "safe harbor" for encryption.
Tip 8: State Attorney General Enforcement
Remember that HITECH authorized state attorneys general to enforce HIPAA for the first time. This is a unique and frequently tested concept. Prior to HITECH, only HHS/OCR and DOJ could enforce HIPAA. State AGs bring actions in federal court (not state court).
Tip 9: Sale of PHI
Know that HITECH generally prohibits the sale of PHI without authorization. Be familiar with the exceptions (public health, treatment, mergers/acquisitions, business associate functions, etc.). If a question describes a covered entity receiving payment in exchange for PHI, think about HITECH's prohibition on the sale of PHI.
Tip 10: Read Questions Carefully for Time References
Some questions may reference the state of the law before vs. after HITECH. Be attentive to temporal clues. If a question asks about the law prior to 2009, HITECH provisions do not apply. If the question references current law, HITECH (as implemented by the Omnibus Rule) is in effect.
Tip 11: Connect HITECH to the Broader Theme of Limits on Private Sector Collection and Use
In the CIPP/US body of knowledge, HITECH falls under the broader category of limits on private sector collection and use of information. Understand how HITECH fits within the sectoral approach to U.S. privacy law — it is a health-sector-specific statute that imposes collection, use, and disclosure limitations on covered entities and business associates. This contextual understanding helps when answering questions that require you to identify which law applies to a given scenario.
Tip 12: Practice Scenario-Based Questions
HITECH questions on the CIPP/US exam are often scenario-based. You may be given a fact pattern involving a data breach at a hospital, a business associate losing a laptop, or a pharmacy receiving payments to send marketing materials. Practice identifying the relevant HITECH provision and the required action. Ask yourself: Who is obligated? What must they do? Within what timeframe? What are the consequences of noncompliance?
Final Takeaway
The HITECH Act is a cornerstone of U.S. health privacy law and a critical topic for the CIPP/US exam. It transformed HIPAA from a law with relatively weak enforcement into a robust regulatory framework with meaningful penalties, broad applicability to business associates, mandatory breach notification, and enhanced individual rights. Understanding both the substance of HITECH and its practical implications will serve you well on exam day and in professional practice.