
    HITECH Act

    U.S. law that strengthened HIPAA enforcement and introduced breach-notification requirements.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed May 5, 2026.

    Definition

    The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009 as part of the American Recovery and Reinvestment Act, expanded HIPAA's enforcement, increased civil monetary penalties, extended Security Rule obligations directly to Business Associates, and introduced the Breach Notification Rule (45 CFR §164.400-414). HITECH also funded the meaningful-use EHR incentive programs that drove EHR adoption across U.S. hospitals.

    What the regulation says

    HITECH made Business Associates directly liable for HIPAA Security Rule violations - a critical change for MedTech vendors that touch PHI. The Breach Notification Rule requires notification to affected individuals, HHS OCR, and (for breaches affecting more than 500 individuals) the media within 60 days.

    What this means in practice

    HITECH is most relevant to MedTech architects because it establishes the breach playbook: encryption Safe Harbor, 60-day notification, mandatory OCR reporting, and increased civil penalties. Designing for breach prevention (encrypt at rest, minimize PHI surface) and breach detection (logging, monitoring) directly reduces HITECH risk.

    Common pitfalls

    • Underestimating the Business Associate liability HITECH created - Business Associates can be fined directly.
    • Failing to encrypt PHI at rest - without it, a lost laptop becomes a reportable breach.

    Frequently asked questions

    If lost or stolen ePHI was encrypted to NIST-approved standards (FIPS 140-validated), the Breach Notification Rule does not apply. This is the single biggest argument for encrypting at rest.

    Primary references

    1. HHS Breach Notification Rule (HHS OCR, hhs.gov)
    2. HITECH Act Enforcement Final Rule (HHS OCR, hhs.gov)
    3. FDA - Cybersecurity for Medical Devices (FDA, fda.gov)