
What is the HITECH Act?


Change can be stressful and, in the case of setting up certified EHR systems, expensive. Many HIPAA-covered entities were hesitant to adopt an electronic PHI solution. To change this, the HITECH Act included large financial incentives to covered entities that adopted and meaningfully used such technology.

As electronic health record (EHR) technology continues to evolve, it’s difficult to imagine a time when paper records reigned. This wasn’t too long ago for many healthcare professionals, however.


Doctors have been around far longer than computers. In fact, there’s even evidence that our prehistoric predecessors developed specialized tools for medical practices. 

For example, the surgical knife dates back to 10,000-8,000 BC. At this time, prehistoric doctors would use surgical knives for trepanation, or drilling a hole in the head. This is a technique healthcare professionals still use today.

People made these knives from nonmetal materials such as flint, shell, or obsidian. Archeologists have found such tools made by ancient civilizations worldwide.

Hippocrates of Kos revolutionized medicine in ways that still impact care approximately 2,500 years later. In addition to collecting the Hippocratic Corpus, a collection of ancient Greek medical works, he first defined the modern scalpel. At the time, he referred to this tool as a ‘macairion’ and described features that align with today’s scalpels.

Another medical tool that predates modern medicine was established in early Mesopotamia. The oldest medical records, cuneiform chiseled into clay tablets, date back to approximately 5,000 BC. This indicates that at least 3,000-5,000 years of medical treatment went either unrecorded or recorded in temporary formats.

Throughout history, civilizations worldwide have created and recreated many medicinal tools and techniques. While the scalpel has remained fairly similar throughout this time, medical records have changed drastically. 

From clay to paper to electronic files, the modern medical record is almost indiscernible from its earliest version. So how did electronic medical records become the industry standard in healthcare?


The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA). Following the HIPAA Privacy Rule and Security Rule, this legislation sought to improve upon these rules and promote the widespread adoption of electronic health record systems. 

Of the $800 billion ARRA, $27 billion was allocated for the HITECH Act. Much of these funds were used to incentivize healthcare providers to switch from paper to digital records. In order to be eligible for these funds, covered entities must use an electronic health records system that has been certified by an authorized testing and certification body. 

It’s not enough to simply adopt one of these systems, but the meaningful use of certified EHR technology is required. We’ll talk more about what constitutes meaningful use in a later section of this post.

After ARRA was passed, eligible professionals who meaningfully used their certified electronic health record system were offered substantial bonuses. Covered entities who made the change within 2011-2012 could receive $44,000 in incentive payments over 5 years. These incentive payments decreased for late adopters of certified EHR systems. 

Additionally, healthcare providers who failed to meaningfully use certified electronic health record technology by 2015 were subject to reduced reimbursement from Medicare and Medicaid. 

A study by Health Affairs determined that the HITECH Act is directly responsible for the widespread adoption of EHR systems. After HITECH implementation, the average percentage increase rate of hospital EHR adoption rose from 3.2% to 14.2%. 

Simply put, significantly more healthcare providers chose to use electronic health records once financial incentives were introduced. Since the HITECH Act passed and medical records became digitized, care coordination and health information exchange haven’t been the same.


While incentive payments decreased over time, the requirements for meaningful use expanded. This allowed physicians to adapt to the requirements as they learned how to use their EHR systems. Rather than discussing what the requirements were over time though, let’s look at requirements today.

In addition to the certification requirements, physicians must use their EHR system to improve the quality of patient care. Simply put, electronic health records need to be used when they’re the best option. 

To help covered entities understand what constitutes meaningful use, the HITECH Act introduced the 5 pillars of health outcomes:

  1. Improve the quality, safety, and efficiency of medical records exchange.
  2. Promote patient engagement in healthcare.
  3. Improve care coordination between physicians.
  4. Improve public health.
  5. Enhance privacy and security measures for PHI.

Meaningful use also includes six EHR reporting measures. Of these, eligible hospitals must attest to at least four and eligible healthcare providers must attest to at least two. These reporting measures are:

  1. Immunization registry
  2. Syndromic surveillance
  3. Electronic case
  4. Public health registries
  5. Clinical data registries
  6. Electronic reportable laboratory test

These meaningful use requirements help fulfill the main EHR goals of the Centers for Medicare & Medicaid Services. These goals focus on interoperability and patients’ ability to access their PHI. 

With these provisions, the data silos caused by incompatible EHR systems can be mitigated. This works hand-in-hand with the 21st Century Cures Act regulations that prevent information blocking.


From 1996 to 2009, most rules and regulations of HIPAA only applied to covered entities. This means that the law held business associates to lesser HIPAA standards than covered entities for about 13 years. 

In breaches of protected health information, penalties can be steep. Even before the HITECH Act updated the penalty tier structure, covered entities wanted to avoid HIPAA breaches. If these couldn’t be avoided, however, there was an incentive to not report them.

Before the HITECH Act, covered entities were also responsible for breaches of PHI by their business associates. In some cases, this allowed business associates to avoid taking responsibility for patient information breaches.

One major goal of the HITECH Act was to close loopholes and expand HIPAA to hold business associates equally accountable. This eased the compliance burden of covered entities by ensuring that business associates prioritize protecting patient information.

Simplifying compliance and bolstering trust are essential for the free flow of medical information. By ensuring that everyone who requests records, except the patient, follows the same rules, healthcare providers can share information without fear.


HHS passed HIPAA in 1996, and they’ve written several additional rules since then. Before the HITECH Act, the only two additional rules that passed were the Privacy Rule and Security Rule. The HITECH Act enforces these regulations.

Following a breach of HIPAA, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) determines penalties. To enforce these rules, the OCR investigates complaints, conducts compliance audits, and educates covered entities and business associates about compliance.

In a breach caused by HIPAA noncompliance, the OCR requires CEs and BAs to attempt to minimize the risk afterward. The type and cost of breach penalties are impacted by:

  • What caused the breach? 
  • What is the likelihood that the responsible party should have noticed the breach?
  • How many individuals did the breach affect? 
  • What types of records did they breach? 
  • How much identifiable information is present on breached records?
  • How did the responsible organization respond to the breach?

Penalties for violating HIPAA regulations and/or breaching medical records include both civil and criminal penalties. 


The 2019 Notice of Enforcement Discretion adjusted the price ranges and maximums. Please note that actual penalties can be higher, as these are the numbers OCR uses as a baseline before inflation adjustments.

If you are faced with HIPAA violation(s), your main responsibility is to rectify the situation. The OCR designed the HITECH Act to protect covered entities and business associates who follow the rules.

The Secretary cannot press civil charges if:

  1. The CE or BA fixes the cause of violation within 30 days, and
  2. Willful neglect is not a factor in the violation.

The Secretary can provide extensions for the 30-day deadline if the covered entity or business associate needs more time.

In cases where the fines are unavoidable, these are the four penalty tiers:

Tier 1 – Lack of Knowledge: The responsible party was unaware of the breach and couldn’t have detected the breach using reasonable due diligence. Penalties range from $100-$50,000 per violation with an annual limit of $25,000 for repeat violations.

Tier 2 – Reasonable Cause: The responsible party should have noticed the breach by using reasonable due diligence. Penalties range from $1,000-$50,000 per violation with an annual limit of $100,000 for repeat violations.

Tier 3 – Willful Neglect: The responsible party chose to neglect HIPAA rules and/or PHI breaches. Penalties range from $10,000-$50,000 per violation with an annual limit of $250,000 for repeat violations.

Tier 4 – Uncorrected Willful Neglect: The responsible party neglected HIPAA rules and/or PHI breaches and didn’t fix their noncompliance within 30 days of discovery. Penalties cost $50,000 per violation with an annual limit of $1,500,000 for repeat violations.


HHS designed the above penalty tiers to rectify HIPAA violations that weaken patient privacy and security. Criminal violations are for individuals who intentionally misuse or unlawfully breach protected health information.

Individuals who knowingly obtain or disclose PHI can face a fine of up to $50,000 and up to 1 year in prison. Individuals who do so under false pretenses face maximum penalties of $100,000 and 5 years.

If a CE or BA steals PHI to use or sell unlawfully or maliciously, the maximum penalties increase to $250,000 and 10 years.

In most cases, criminal penalties are not applicable. Keep in mind that the goal of the HITECH Act isn’t to lock up every doctor who makes a mistake. HHS aims to create a safer and more efficient environment for care coordination and medical records exchange.

If your organization faces issues with HIPAA, compliance and cooperation are absolutely essential. In this situation, be honest and respond quickly to fix the problem. 


We designed ChartRequest to help healthcare providers, patients, and professional requestors streamline the exchange of medical information. Knowledge is power, and ChartRequest puts that power into your hands.

Traditional medical records exchange is complicated. It’s easy for the administrative legwork to grow overwhelming. Things like lost faxes, phone calls for status updates, and manual entries all complicate the process for your team.

Fax machines are outdated, and they open your organization up to more breaches of PHI. The rate of failed faxes ranges from 5-8%, and just one incorrect number can cause the PHI to reach the wrong person. You can’t always know who is on the receiving end of the fax machine, which makes it easy for an unintentional breach to go unnoticed.

Your patients deserve top-of-the-line security. To help your team ensure records are never sent to the wrong person, we combine our rigorous security measures with our 7-step release of information process. This helps you prevent costly errors by protecting your patients from both human and technical errors.

Patients should always feel involved in their health. In addition to providing the security your requestors can trust, we prioritize the patient experience. By making it easy for patients to collect their medical information, you also help them create personal health records.

Our Full-Service Partnership completely automates your release of information by allocating the task to our HIPAA professionals for an average turnaround time of 2 days. Our Self-Service Partnership puts our streamlined software into your team’s hands to make the process as smooth and efficient as possible.

ChartRequest has options for healthcare organizations of all sizes; click here to learn which one is right for you.
