HITECH and Breach Notification
HITECH (2009) strengthened HIPAA and created the breach notification requirement. A breach is presumed unless a risk assessment shows a low probability that the information was compromised. Affected individuals must be notified within 60 days; breaches affecting more than 500 people require immediate notice to HHS, and breaches affecting 500 or more people in one jurisdiction also require media notice. Encrypting the information avoids breach liability.
The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009 and provided $19 billion in incentives for electronic health records. Under HITECH, a breach is presumed unless the entity proves through a risk assessment that there is a low probability that security or privacy was compromised; this places the burden of proof on the covered entity or business associate.
| Trigger | Requirement |
|---|---|
| High probability of compromise | Notify individuals within 60 days of discovery |
| Business associate discovers breach | Notify the covered entity |
| Breach affects more than 500 people | Notify HHS immediately |
| 500 or more in the same jurisdiction | Notify the media |
| All notice-requiring breaches | Report to HHS at least annually |
The breach definition covers only unsecured information, so a covered entity can avoid liability by encrypting the information. Separately, HITECH's personal health record (PHR) provider rule covers medical apps and wearables and is enforced by the FTC, even if the provider never seeks federal reimbursement.