Comparison · Privacy

HIPAA vs HITECH

HIPAA is the 1996 baseline privacy and security law. HITECH is the 2009 act that strengthened HIPAA — extending direct liability to business associates and creating breach-notification obligations.

Last reviewed May 24, 2026

Side by side

Option A

HIPAA (1996)

Health Insurance Portability and Accountability Act of 1996 — established the federal baseline for privacy, security, and electronic transaction standards for healthcare.

Pub. L. 104-191
  • Created the Privacy and Security Rules (via implementing regs in 2003 and 2005).
  • Defined Covered Entities and Business Associates.
Option B

HITECH (2009)

Health Information Technology for Economic and Clinical Health Act — part of ARRA 2009. Strengthened HIPAA: direct BA liability, breach notification, tiered penalties, EHR Meaningful Use incentives.

Pub. L. 111-5 (ARRA Title XIII)
  • Created the Breach Notification Rule (45 CFR 164.400–414).
  • Made business associates directly liable for HIPAA Security Rule violations.
  • Raised maximum penalties to $1.5M per identical violation/year.
Year enacted
HIPAA1996
HITECH2009
Created breach-notification duty
HIPAANo — added later by HITECH/Omnibus
HITECHYes — 45 CFR 164.400–414
BA direct liability
HIPAANo — pre-2013, only via contract
HITECHYes — direct civil/criminal liability under HIPAA Security Rule
Penalty structure
HIPAASingle-tier
HITECHFour-tier, up to $1.5M/identical violation/year

When to use HIPAA (1996)

  • Citing the foundational privacy or transaction standards — HIPAA Pub. L. 104-191.

When to use HITECH (2009)

  • Citing breach-notification obligations or BA direct liability — HITECH established both.
  • Discussing the Meaningful Use EHR incentive program.

Common mistakes

  • Saying "HIPAA breach notification" without recognizing the duty originated in HITECH and was operationalized in the 2013 Omnibus Rule.
  • Treating HITECH as a separate compliance regime — it operates by amending HIPAA.

Sources

Take it into the workspace

Document breach posture in the SRA readiness check

Open sra studio
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.