HIPAA vs HITECH
HIPAA is the 1996 baseline privacy and security law. HITECH is the 2009 act that strengthened HIPAA — extending direct liability to business associates and creating breach-notification obligations.
Last reviewed May 24, 2026
Side by side
HIPAA (1996)
Health Insurance Portability and Accountability Act of 1996 — established the federal baseline for privacy, security, and electronic transaction standards for healthcare.
Pub. L. 104-191- Created the Privacy and Security Rules (via implementing regs in 2003 and 2005).
- Defined Covered Entities and Business Associates.
HITECH (2009)
Health Information Technology for Economic and Clinical Health Act — part of ARRA 2009. Strengthened HIPAA: direct BA liability, breach notification, tiered penalties, EHR Meaningful Use incentives.
Pub. L. 111-5 (ARRA Title XIII)- Created the Breach Notification Rule (45 CFR 164.400–414).
- Made business associates directly liable for HIPAA Security Rule violations.
- Raised maximum penalties to $1.5M per identical violation/year.
When to use HIPAA (1996)
- Citing the foundational privacy or transaction standards — HIPAA Pub. L. 104-191.
When to use HITECH (2009)
- Citing breach-notification obligations or BA direct liability — HITECH established both.
- Discussing the Meaningful Use EHR incentive program.
Common mistakes
- Saying "HIPAA breach notification" without recognizing the duty originated in HITECH and was operationalized in the 2013 Omnibus Rule.
- Treating HITECH as a separate compliance regime — it operates by amending HIPAA.
Sources
- HHS — HITECH Act Enforcement Interim Final Rulehttps://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
- HHS OCR — Breach Notification Rulehttps://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Related
Document breach posture in the SRA readiness check
Open sra studio →D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.