HITECH Act Overview (Pub. L. 111-5, Title XIII)
Title XIII of the American Recovery and Reinvestment Act amended HIPAA in 2009 to add breach notification, direct business associate liability, increased penalties, and the Meaningful Use program.
Primary source
HITECH Act (Pub. L. 111-5, Title XIII) — Congress.gov →https://www.congress.gov/bill/111th-congress/house-bill/1/text
Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.
Additional sources
The Health Information Technology for Economic and Clinical Health (HITECH) Act — Title XIII of the American Recovery and Reinvestment Act of 2009 — substantially amended HIPAA. The 2013 Omnibus Rule implemented HITECH's HIPAA-related provisions in regulation.
Key changes:
- Breach Notification Rule (Subtitle D): created the federal breach notification regime now codified at 45 CFR Part 164 Subpart D.
- Direct business associate liability: business associates are directly subject to (and liable for) Security Rule compliance, certain Privacy Rule provisions, and breach notification.
- Increased penalty tiers: the four-tier culpability structure (no knowledge / reasonable cause / willful neglect corrected / willful neglect not corrected).
- State attorney general enforcement: state AGs may bring civil actions on behalf of state residents for HIPAA violations.
- Right of restriction for self-pay: the absolute right to restrict disclosure to a health plan for items or services paid in full out of pocket.
- Electronic copies right: when records are in an EHR, the individual has the right to obtain an electronic copy.
- Sale of PHI prohibition: prohibits direct or indirect remuneration for PHI absent authorization, with narrow exceptions.
- Meaningful Use (Subtitle B): Medicare and Medicaid EHR Incentive Programs (transitioned to MIPS Promoting Interoperability).
HITECH is the structural reason the modern HIPAA enforcement environment exists.
Use this in your workspace
D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.
Related regulations
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- RegulationHITECH Business Associate Direct Liability (45 CFR 160.103, 164.502(a)(3))Business associates are directly liable for Security Rule compliance, breach notification, certain Privacy Rule provisions, and BAA flow-down to subcontractors.
- RegulationHITECH Enforcement Changes (42 USC 17939)HITECH expanded HIPAA enforcement with state attorney general civil actions, four-tier penalties, willful neglect mandatory investigation, and a percentage of CMPs to harmed individuals.
- RegulationHIPAA Breach Notification Rule Overview (45 CFR 164.400-414)When unsecured PHI is accessed, used, or disclosed in a manner not permitted, the entity must follow individual, HHS, and (in some cases) media notification requirements within defined timelines.
- GlossaryOCR Civil Monetary Penalties (HIPAA)HHS Office for Civil Rights' tiered CMP structure for HIPAA violations, with maximums adjusted annually for inflation.
- RegulationHITECH Electronic Copy Right and Sale-of-PHI ProhibitionTwo HITECH-era patient-rights expansions: the right to an electronic copy of EHR-resident PHI and the general prohibition on remuneration for PHI absent authorization.
- RegulationHITECH Meaningful Use and Promoting InteroperabilityHITECH's EHR Incentive Programs evolved into the Medicare Promoting Interoperability program under MIPS; SRA attestation remains an annual requirement.
Last reviewed May 23, 2026 · Citation verified May 23, 2026
Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.