Glossary
HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, expanded HIPAA enforcement by establishing tiered civil monetary penalties up to $1.5M per violation category per year, extending direct liability to business associates, creating mandatory breach notification requirements, and funding the adoption of electronic health records.
Definition
HITECH was enacted as part of the American Recovery and Reinvestment Act of 2009. It fundamentally changed healthcare technology compliance by tying federal funding to EHR adoption (Meaningful Use), increasing HIPAA enforcement rigor, and giving patients new rights around electronic access to their records.
Regulatory basis
HITECH is codified as Public Law 111-5 (Division A, Title XIII and Division B, Title IV). Its enforcement provisions were implemented primarily through the HHS Omnibus Rule of 2013, which finalized HITECH’s changes to HIPAA and extended direct obligations to business associates. Enforcement is carried out by the HHS Office for Civil Rights. Authoritative guidance is available at HHS HITECH Act enforcement.
Who uses it and when it applies
- All covered entities and business associates under HIPAA are now directly subject to HITECH’s expanded enforcement
- Breach Notification: breaches affecting 500+ individuals must be reported to HHS and the media within 60 days; smaller breaches are logged and submitted annually
- Business associate direct liability: BAs are now directly accountable to HHS for Security Rule compliance — pre-HITECH, only covered entities faced direct enforcement
- EHR incentives: HITECH established the Meaningful Use program (now Promoting Interoperability) tying Medicare/Medicaid payments to certified EHR use
Related terms
- HIPAA Compliance — the broader framework HITECH expanded
- Business Associate Agreement — the contract vehicle HITECH made directly enforceable
- ePHI — the electronic subset whose protection HITECH strengthened
- Care coordination — a workflow HITECH’s EHR incentives accelerated
How Positive Check relates
HITECH makes Positive Check, as a business associate, directly liable to HHS for Security Rule compliance. The platform’s audit logging, access controls, and breach notification workflow are designed to meet HITECH’s post-2009 enforcement standards. Learn more on the Positive Check platform overview.
Reviewed against current HHS HITECH guidance. HHS HITECH Act enforcement. Last updated 2026-04-21.
