
Healthcare

What steps are you taking to meet these compliance and cybersecurity requirements?

HIPAA

HITECH Act

NIST

OCR Enforcement

Cyber Insurance Requirements

Ransomware Risk


HIPAA and HITECH

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) work in tandem to regulate how healthcare organizations protect electronic Protected Health Information (ePHI).

  • HIPAA (1996) established two key components:

    • The Privacy Rule, which defines who may access or disclose PHI.

    • The Security Rule, which outlines the required administrative, technical, and physical safeguards to protect ePHI.

  • HITECH Act (2009) expanded HIPAA by:

    • Introducing the Breach Notification Rule, which mandates reporting of security incidents involving PHI.

    • Granting the Office for Civil Rights (OCR) enhanced authority to investigate violations and enforce penalties.

Together, these laws form the backbone of healthcare cybersecurity compliance, embedding federal requirements into organizational policy, workforce behavior, and technical infrastructure. Specifically:

  • Organizations must maintain clear records of their safeguards, including employee training, security risk assessments, incident response plans, and technical controls.

  • Under HITECH, responsibility for compliance extends beyond IT to include executive leadership and compliance officers.

  • Reportable security incidents are listed on the U.S. Department of Health and Human Services’ “Wall of Shame,” potentially impacting reputation and public trust.

  • Fines may reach $50,000 per violation, with an annual cap of $1.9 million per violation category.

  • Many insurers use HIPAA and HITECH compliance as a baseline for coverage eligibility. Noncompliance may result in increased premiums or policy exclusions.

Helia Cortex: Security Awareness Training

Deliver HIPAA-compliant training, phishing simulations, and audit-ready documentation that reduces the risk of data breaches and regulatory fines.

Helia Forge: Cybersecurity Training

Equip your IT team with hands-on, healthcare-relevant technical skills to support HIPAA Security Rule compliance and secure clinical systems.

Helia Sentinel: Endpoint Detection and Response

Deploy endpoint security with 24/7 monitoring to prevent threats from disrupting care, while supporting HIPAA, HITECH, and insurance requirements.