
The HITECH Act: How It Extended HIPAA (2026 Update)

By ComplyCreate Editorial Team  ·  Published Apr 24, 2026  ·  Last reviewed Apr 24, 2026

Quick answer: HITECH (enacted February 2009) made three pivotal changes to HIPAA: it made business associates directly and legally liable for HIPAA violations (not just contractually), raised the civil penalty ceiling to $1.5 million per violation category per year, and replaced the lenient harm standard for breaches with a stricter presumptive-breach approach. Because HITECH made BAs directly liable, Business Associate Agreements became even more critical — both parties now face direct regulatory exposure.

Before HITECH, HIPAA's enforcement was widely criticized as toothless. Covered entities faced relatively low maximum penalties, business associates bore only contractual obligations (not direct regulatory liability), and the threshold for breach notification was lenient. HITECH changed all of that — and the 2013 Omnibus Rule that implemented HITECH's provisions created the modern HIPAA enforcement framework that governs organizations today.

Background: ARRA Title XIII (2009)

The Health Information Technology for Economic and Clinical Health Act was enacted as Title XIII of the American Recovery and Reinvestment Act (ARRA) — the Obama administration's economic stimulus legislation — on February 17, 2009. While the broader ARRA was focused on economic recovery, HITECH reflected two distinct policy goals: (1) accelerating EHR adoption through financial incentives (the Meaningful Use program), and (2) strengthening the privacy and security framework for electronic health records.

Congress recognized that as healthcare moved from paper to electronic records, the risks of unauthorized access, theft, and mass data breaches were increasing dramatically. HITECH was designed to create meaningful legal accountability for both the healthcare organizations maintaining patient data and the technology vendors handling it on their behalf.

Three Key Changes HITECH Made

1. Direct Business Associate Liability

Before HITECH, business associates had HIPAA obligations only through the contractual terms of their Business Associate Agreements. If a billing company mishandled patient records, OCR could investigate the covered entity that hired them and hold the CE accountable for failing to oversee the BA — but OCR could not directly penalize the BA itself.

HITECH eliminated this gap. Under 42 U.S.C. § 17934 (implemented through the 2013 Omnibus Rule), business associates became directly subject to the HIPAA Security Rule, the Breach Notification Rule, and certain Privacy Rule provisions. This means OCR can — and does — investigate and fine BAs directly, without involving the covered entity. EHR vendors, billing companies, cloud storage providers, and all other BAs now face the same civil and criminal penalties as covered entities for violations of the rules that apply to them.

The practical implication: BAAs are no longer just contractual protections between parties — they now reflect dual regulatory obligations that both parties must independently fulfill. See our business associates guide for the full list of BA obligations.

2. Raised Penalty Ceiling

Pre-HITECH, civil money penalties were capped at $100 per violation and $25,000 per year per identical violation — amounts that healthcare organizations considered an acceptable cost of doing business. The cap was so low that it created no meaningful deterrent for large organizations.

HITECH created a four-tier civil penalty structure based on culpability (see the penalty tiers section below) and raised the maximum per-violation penalty to $50,000 with an annual per-violation-category cap of $1.5 million. Adjusted for inflation under 45 CFR § 160.522, the 2024 amounts range from $137 per violation (unknowing) up to approximately $2.07 million as the annual maximum. See our HIPAA penalties guide for the current, inflation-adjusted tier amounts.

3. Stricter Breach Notification Standard

Pre-HITECH, the breach notification rule used a "harm standard" — a breach only required notification if there was a significant risk of financial, reputational, or other harm to the individual. This gave covered entities broad discretion to determine that a breach did not need to be reported.

HITECH replaced this with a presumptive breach standard: any impermissible use or disclosure of unsecured PHI is presumed a reportable breach unless the covered entity can demonstrate a low probability of compromise using a documented four-factor risk assessment. The presumption reverses the burden — organizations must affirmatively prove the breach is not reportable, rather than assuming it doesn't need to be reported unless harm is likely.

Meaningful Use Provisions and EHR Adoption

HITECH also created the Medicare and Medicaid EHR Incentive Programs — colloquially known as "Meaningful Use." These programs paid eligible healthcare providers up to $44,000 (Medicare) or $63,750 (Medicaid) to adopt and demonstrate meaningful use of certified EHR technology. The Meaningful Use program had three stages of increasingly sophisticated use requirements and a corresponding "payment adjustment" (penalty) for providers who failed to adopt EHRs by the program's deadline.

By 2016, over 95% of eligible hospitals and more than 85% of eligible office-based physicians had demonstrated meaningful use. The program was restructured in 2018 as the Promoting Interoperability program under MACRA. While Meaningful Use incentives are no longer available, the infrastructure of widespread EHR adoption — and the expanded surface area for PHI security risks — is a direct legacy of HITECH.

The 2013 Omnibus Rule: HITECH's Implementation

HITECH itself required HHS to implement its provisions through rulemaking. The resulting 2013 Omnibus Rule (78 Fed. Reg. 5566, published January 25, 2013, with a September 23, 2013 compliance deadline) was the most sweeping HIPAA rulemaking since the original Privacy Rule. Key Omnibus Rule provisions included:

Current HITECH/Omnibus Penalty Tiers

| Tier | Culpability                                  | Per-Violation Range (2024) | Annual Cap  |
|------|----------------------------------------------|----------------------------|-------------|
| 1    | Unknowing                                    | $137 – $68,928             | $2,067,813  |
| 2    | Reasonable cause                             | $1,379 – $68,928           | $2,067,813  |
| 3    | Willful neglect, corrected within 30 days    | $13,785 – $68,928          | $2,067,813  |
| 4    | Willful neglect, not corrected               | $68,928 – $2,067,813       | $2,067,813  |

Note: These are per-violation amounts. A single breach affecting multiple patients can generate thousands of violations. OCR has imposed aggregate fines exceeding $10 million in particularly egregious cases.

Frequently Asked Questions

What is the HITECH Act?

The HITECH Act (Health Information Technology for Economic and Clinical Health Act) is Title XIII of the American Recovery and Reinvestment Act of 2009. It significantly strengthened HIPAA by making business associates directly liable for violations, raising the civil penalty ceiling to $1.5 million per violation category per year, adopting a stricter presumptive breach standard, and creating the Meaningful Use EHR incentive program.

How did HITECH change HIPAA?

HITECH made four major changes: (1) Business associates became directly subject to HIPAA — not just contractually but legally, with direct OCR enforcement authority. (2) Civil penalties were restructured into four tiers with a maximum of approximately $2 million per violation category per year (2024 adjusted amounts). (3) The breach notification "harm standard" was replaced with a stricter presumptive breach standard. (4) The Meaningful Use incentive program drove near-universal EHR adoption among providers.

When was HITECH enacted?

February 17, 2009. The implementing regulations — the 2013 Omnibus Rule — were finalized on January 25, 2013, with a compliance deadline of September 23, 2013. This is the date by which all covered entities and business associates were required to comply with the expanded framework.

Did HITECH create new HIPAA rules?

HITECH is a separate statute that directed HHS to implement its provisions through rulemaking. The resulting 2013 Omnibus Rule substantially amended the HIPAA Privacy, Security, and Breach Notification regulations. The Omnibus Rule finalized the Breach Notification Rule in its current form, expanded BA obligations and liability, updated penalty tiers, restricted PHI marketing uses, and strengthened patient rights.

What are the HITECH Act penalties?

HITECH created four civil penalty tiers. With 2024 inflation adjustments: Tier 1 (unknowing) $137–$68,928 per violation; Tier 2 (reasonable cause) $1,379–$68,928; Tier 3 (willful neglect, corrected) $13,785–$68,928; Tier 4 (willful neglect, not corrected) $68,928–$2,067,813. Each tier has an annual per-violation-category cap. Criminal penalties of up to 10 years imprisonment apply for wrongful disclosure with intent to sell PHI. See our full HIPAA penalties guide.

What to do next

Your next steps in light of HITECH's requirements: