HITECH Act Overview 

On February 17, 2009, the American Recovery and Reinvestment Act (ARRA) was signed into law. Among many other things, the ARRA dedicates substantial resources to health information technology that supports the secure electronic exchange and use of health information. Title XIII of Division A and Title IV of Division B of the Act are referred to as the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. The HITECH Act includes a number of measures designed to broaden the scope and increase the rigor of HIPAA compliance.

The HITECH Act expands the reach of the HIPAA privacy and security requirements to include the Business Associates of the entities (health care providers, health plans, pharmacies, and the like) that are subject to HIPAA. Business Associates are companies such as accounting firms, billing agencies, law firms, IT and hosting providers, or others that create, receive, maintain or transmit protected health information (PHI) while providing services to the entities covered under HIPAA.

Prior to the enactment of the HITECH Act, Business Associates were not directly subject to the HIPAA Privacy and Security Rules. Instead, HIPAA applied to them only indirectly, through the contractual duties and obligations imposed by the Business Associate Agreement between the covered entity and the Business Associate. Business Associates were therefore not subject to the penalties imposed by HIPAA for failure to comply with the Privacy and Security Rules; they risked only being held accountable for damages flowing from a breach of contract. The HITECH Act dramatically changes this dynamic, with most of the new requirements taking effect on February 17, 2010.

Under the HITECH Act, Business Associates are now directly subject to the HIPAA security and privacy requirements, and to the same civil and criminal penalties that hospitals, pharmacies, and other HIPAA-covered entities face for violations. In practice this means a Business Associate that fails to properly protect patient information now answers not only to its covered-entity clients under its service contracts, but also to the government.

The HITECH Act specifies that Business Associates are subject to the same civil and criminal penalties previously imposed only on covered entities. As amended by the HITECH Act, civil penalties are tiered by the level of culpability and range from $100 to $50,000 per violation, with annual caps of $25,000 to $1,500,000 for all violations of a single requirement in a calendar year. Criminal penalties at the lowest tier include fines of up to $50,000 and imprisonment for up to one year; higher tiers apply to offenses committed under false pretenses or with intent to sell the information or gain commercial advantage. In some instances, fines are mandatory.

Each Business Associate should act now to review the following, and implement the measures needed to meet the new requirements:
  • The information security measures it employs to protect PHI.
  • Its policies and procedures relating to the PHI it handles for its Covered Entity clients.
  • Its Business Associate agreements.
  • The ways in which it uses and discloses PHI, and the amount of PHI disclosed (the minimum necessary standard).
  • Its communications to patients, if any.
Feel free to contact us with questions.

Phone: 585.202.6655