HIPAA is a 1996 federal law that protects the privacy of your health information. HITECH is a 2009 law that strengthened HIPAA’s protections, added new enforcement tools, and pushed the healthcare system to adopt electronic health records. Together, they form the legal framework that controls how your medical data is collected, stored, shared, and secured in the United States.
What HIPAA Covers
The Health Insurance Portability and Accountability Act, signed into law in 1996, originally focused on helping people keep health insurance when they changed jobs. But its lasting impact came from a section called Administrative Simplification, which created national standards for protecting individually identifiable health information.
Three core rules emerged from HIPAA:
- The Privacy Rule sets limits on who can see and share your protected health information (PHI), which includes anything that identifies you and relates to your health, treatment, or payment for care.
- The Security Rule requires organizations to put administrative, physical, and technical safeguards in place to protect electronic protected health information (ePHI) specifically; paper records fall under the Privacy Rule but not the Security Rule.
- The Breach Notification Rule (added later through HITECH) requires organizations to tell you when your unsecured health information (data that was not encrypted or otherwise rendered unreadable to unauthorized people) is breached.
HIPAA applies to “covered entities,” meaning health plans, healthcare providers that transmit information electronically, and healthcare clearinghouses. It also applies to “business associates,” the vendors, billing companies, IT firms, and other contractors that handle health data on behalf of those covered entities.
When Your Data Can Be Shared Without Permission
HIPAA doesn’t require your explicit authorization every time your health information changes hands. The law permits sharing for three broad purposes: treatment, payment, and healthcare operations. A hospital can send your records to a specialist coordinating your care. A health plan can use your data to process claims or manage chronic conditions across its membership. A covered entity can share information with another for quality improvement or case management.
Outside those categories, most uses of your health information require your written authorization. There are additional exceptions for public health reporting, law enforcement in limited circumstances, and certain research contexts, but the treatment-payment-operations framework covers the vast majority of everyday data sharing in healthcare.
What the HITECH Act Changed
The Health Information Technology for Economic and Clinical Health Act became law in 2009 as part of the American Recovery and Reinvestment Act (the economic stimulus package). It had two major goals: accelerate the adoption of electronic health records across the healthcare system, and close gaps in HIPAA that had become obvious as medical records went digital.
On the technology side, HITECH created the Meaningful Use program, which paid healthcare providers to adopt certified electronic health record systems. Eligible professionals could receive up to $44,000 over five years through Medicare, or up to $63,750 over six years through Medicaid. The program rolled out in three stages. Stage 1 (2011-2012) focused on basic electronic data capture and information sharing. Stages 2 and 3 expanded the requirements, eventually requiring participating providers to make health information available to patients within 48 hours and to give more than 80% of patients timely online access to their records.
On the privacy and security side, HITECH made several changes that fundamentally strengthened HIPAA’s enforcement.
How HITECH Strengthened Privacy Protections
Before HITECH, business associates operated in a gray area. They were bound by contracts with covered entities but weren’t directly liable under HIPAA itself. HITECH changed that. Business associates became directly responsible for complying with the Security Rule, reporting breaches, limiting data use to the minimum necessary, and avoiding impermissible disclosures. A billing company or cloud storage provider that mishandles your health data now faces the same legal consequences as the hospital that hired them.
HITECH also created the Breach Notification Rule, which requires covered entities to notify affected individuals without unreasonable delay, and no later than 60 days after discovering a breach of unsecured health information. When a breach affects more than 500 residents of a state or jurisdiction, the organization must also notify prominent media outlets in that area within the same 60-day window. Breaches affecting 500 or more individuals must be reported to the Secretary of Health and Human Services within 60 days as well. Smaller breaches (fewer than 500 individuals) are logged and reported to HHS annually, no later than 60 days after the end of the calendar year in which they were discovered. Business associates, for their part, must report breaches to the covered entity they serve so that the covered entity can make these notifications.
HITECH gave patients the right to receive electronic copies of their health records when those records are maintained electronically. This was a practical shift: rather than requesting paper printouts, you can ask for your data in a digital format.
Enforcement and Penalties
HITECH dramatically increased the financial consequences of HIPAA violations and expanded who could enforce the law. Before HITECH, only the federal government, through the HHS Office for Civil Rights (OCR), could pursue HIPAA enforcement actions. HITECH gave State Attorneys General the authority to bring civil actions in federal court on behalf of their residents for Privacy and Security Rule violations, and to seek damages or court orders to stop ongoing violations.
Civil penalties are organized into four tiers based on the organization's level of culpability, with a per-violation range and an annual cap for violations of the same provision:
- Unknowing violations: $100 to $50,000 per violation, capped at $25,000 per year for violations of the same provision.
- Reasonable cause: $1,000 to $50,000 per violation, capped at $100,000 per year for violations of the same provision.
- Willful neglect, corrected within 30 days: $10,000 to $50,000 per violation, capped at $250,000 per year for violations of the same provision.
- Willful neglect, not corrected: $50,000 per violation, capped at $1.5 million per year.
These are the base amounts; HHS adjusts them for inflation each year, and the lower annual caps for the first three tiers reflect HHS's 2019 enforcement-discretion policy rather than the $1.5 million statutory maximum that originally applied to every tier.
Criminal penalties can also apply when someone knowingly obtains or discloses individually identifiable health information in violation of HIPAA, with fines reaching $250,000 and prison sentences up to 10 years in the most severe cases, such as obtaining data with intent to sell it or to use it for commercial advantage or malicious harm.
How HIPAA and HITECH Work Together
Think of HIPAA as the original foundation and HITECH as a major renovation. HIPAA established the right to health data privacy and set up the basic rules. HITECH updated those rules for an era when nearly all health records are electronic, created financial incentives to modernize healthcare IT, made more organizations directly accountable, and gave regulators and state officials sharper tools to enforce compliance.
In practice, healthcare organizations and their vendors treat HIPAA and HITECH as a single compliance framework. The Privacy Rule, Security Rule, and Breach Notification Rule function together, and any organization handling your health information is expected to meet all of them. When you see a reference to “HIPAA compliance” in a hospital’s privacy notice or a health app’s terms of service, it almost always includes HITECH requirements as well.