When Advocate Medical Group paid $5.55 million to settle HIPAA violations in 2016, the penalty wasn't calculated under the original 1996 HIPAA statute. It was calculated under the enhanced penalty structure created by the HITECH Act — a law that fundamentally changed how HIPAA is enforced and how much a violation can cost. If you're asking what HITECH and HIPAA are, you're asking about two laws that are now inseparable in practice, and understanding both is essential for every covered entity and business associate.
What Is HITECH and HIPAA: Two Laws, One Compliance Framework
HIPAA — the Health Insurance Portability and Accountability Act — was signed into law in 1996. It established the Privacy Rule (45 CFR Part 164, Subpart E), the Security Rule (45 CFR Part 164, Subpart C), and created the framework for protecting protected health information (PHI). But HIPAA had enforcement limitations that left significant gaps.
The HITECH Act — the Health Information Technology for Economic and Clinical Health Act — was enacted in 2009 as part of the American Recovery and Reinvestment Act. HITECH didn't replace HIPAA. It strengthened it in four critical ways: expanded breach notification requirements, increased civil monetary penalties, extended direct liability to business associates, and funded OCR enforcement.
Healthcare organizations consistently struggle to see these as connected obligations. In my work with covered entities, I find that many compliance officers can recite the Privacy Rule but have never read Section 13402 of the HITECH Act, which created the breach notification requirements they follow every day.
How HITECH Transformed HIPAA Enforcement Penalties
Before HITECH, the maximum penalty for a HIPAA violation was $25,000 per violation category per year. HITECH created a tiered penalty structure that dramatically increased accountability:
- Tier 1 (Did Not Know): $100 to $50,000 per violation
- Tier 2 (Reasonable Cause): $1,000 to $50,000 per violation
- Tier 3 (Willful Neglect, Corrected): $10,000 to $50,000 per violation
- Tier 4 (Willful Neglect, Not Corrected): $50,000 per violation
The annual cap per identical violation category was raised to $1.5 million. These penalty amounts were further adjusted for inflation by the 2013 Omnibus Rule and subsequent HHS updates. OCR has made clear through enforcement actions that willful neglect — particularly failure to conduct a risk analysis or train your workforce — triggers the highest penalty tiers.
The Breach Notification Rule: HITECH's Most Visible Requirement
Before HITECH, there was no federal requirement for covered entities to notify individuals when their PHI was compromised. HITECH created the Breach Notification Rule (45 CFR Part 164, Subpart D), which requires three actions after a breach of unsecured PHI:
- Individual notification within 60 days of discovery
- HHS notification — immediately for breaches affecting 500+ individuals, or annually for smaller breaches
- Media notification for breaches affecting 500+ residents of a state or jurisdiction
In 2024, OCR reported over 700 breaches affecting 500 or more individuals on its public breach portal. Each of those entries represents an organization that had to follow the HITECH-mandated notification process — and each is a potential enforcement action.
Business Associate Liability: HITECH's Game-Changing Expansion
Under the original HIPAA statute, business associates were only accountable through their contracts with covered entities. If a business associate violated the Security Rule, OCR could pursue only the covered entity. HITECH changed that completely.
Since the 2013 Omnibus Rule implemented HITECH's business associate provisions, business associates are directly liable for compliance with the Security Rule, certain Privacy Rule provisions, and the Breach Notification Rule. OCR has acted on this authority. In 2018, Fresenius Medical Care North America paid $3.5 million in part because business associate obligations were not properly managed.
Your organization must ensure that every business associate agreement (BAA) reflects HITECH requirements and that your business associates are genuinely complying — not just signing documents.
Risk Analysis: The Obligation Both Laws Demand
The Security Rule requires a thorough risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). HITECH raised the stakes on this requirement by making failure to perform a risk analysis one of the most commonly cited violations in OCR settlements.
Between 2008 and 2024, OCR enforcement actions repeatedly identified risk analysis failures as a root cause of breaches. It's not enough to run a checklist once. Your covered entity needs a documented, repeatable risk analysis process that identifies threats to electronic PHI, evaluates current safeguards, and assigns risk levels that drive remediation.
If your workforce doesn't understand what a risk analysis is and why it matters, your compliance program has a critical gap. Investing in HIPAA training and certification ensures your team can identify and address these risks before OCR does.
The Minimum Necessary Standard Under Combined HITECH and HIPAA Requirements
HITECH directed HHS to issue guidance on the minimum necessary standard — the Privacy Rule requirement that covered entities limit PHI use, disclosure, and requests to only what is needed for the intended purpose. While HHS has not issued the full guidance HITECH envisioned, OCR enforces this standard aggressively.
In practice, this means your organization must have policies defining who can access PHI, under what circumstances, and in what quantity. Role-based access controls, audit logs, and workforce training on the minimum necessary standard are not optional — they are expected by OCR during investigations.
Workforce Training: Where HITECH and HIPAA Compliance Starts
The Privacy Rule at 45 CFR § 164.530(b) requires training for every workforce member on your organization's PHI policies and procedures. The Security Rule at 45 CFR § 164.308(a)(5) requires security awareness training. HITECH didn't create new training mandates — it made the consequences of failing to train far more expensive.
When OCR investigates a breach and finds that workforce members weren't trained, the violation often falls into the willful neglect category. That's the highest penalty tier. It's also the most preventable finding.
Your workforce needs more than a one-time orientation slide. They need ongoing, documented training that covers the Privacy Rule, Security Rule, Breach Notification Rule, and the Notice of Privacy Practices. HIPAA Certify's workforce compliance program gives organizations the structured training and documentation they need to demonstrate compliance during an OCR audit.
What Your Organization Should Do Right Now
Understanding what HITECH and HIPAA are isn't academic — it's operational. Here are the actions that matter most:
- Review your risk analysis. If it hasn't been updated in the past 12 months, it's overdue.
- Audit your business associate agreements. Every BAA must reflect HITECH requirements and be actively monitored.
- Document your workforce training. OCR doesn't accept verbal assurances. You need dated records showing who was trained, on what topics, and when.
- Test your breach notification process. If a breach happened tomorrow, could your team execute the 60-day notification timeline?
- Enforce the minimum necessary standard. Review role-based access and ensure PHI access is limited to what each workforce member actually needs.
HITECH transformed HIPAA from a regulatory framework with limited teeth into one of the most aggressively enforced federal privacy laws in the country. Your compliance program must reflect both laws — because OCR certainly does.