How the HITECH Act changed secure email communication in healthcare
Gugu Ntsele March 25, 2026
The HITECH Act was created as part of the American Recovery and Reinvestment Act. The legislation was designed to accelerate the adoption of electronic health records across the United States.
Before HITECH, HIPAA's Privacy and Security Rules had laid a foundation for protecting patient information. The problem was enforcement. Penalties were modest, the rules for business associates were largely voluntary, and email use was not regulated in line with those rules. HITECH changed all of that, helping to standardise the requirements for protecting health records.
Closing the business associate gap
One of HITECH's provisions was extending direct legal liability to business associates who handle protected health information on behalf of covered entities. Under the old framework, covered entities had primary responsibility. Business associates operated under contractual obligations alone, with limited federal enforcement exposure.
HITECH ended that arrangement. Section 13401 of the Act states that its security provisions "shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity," and that civil and criminal penalties apply to a business associate "with respect to such violation in the same manner such sections apply to a covered entity." Business associates became directly liable under HIPAA's Security Rule, meaning email service providers who process, store, or transmit PHI must now implement the same administrative, physical, and technical safeguards as the healthcare organisations they serve.
The breach notification mandate
Before HITECH, there was no federal obligation to notify patients when their health information was compromised. Organisations often handled breaches at their own discretion, weighing reputational risk against the cost of disclosure. HITECH eliminated that discretion by mandating breach notification.
Section 13400 of the Act defines a breach as "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information." Section 13402 goes further, requiring that any covered entity which discovers such a breach must "notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach."
Under Section 13400(h), "unsecured protected health information" means PHI "not secured through the use of a technology or methodology specified by the Secretary": in practice, PHI that has not been rendered "unusable, unreadable, or indecipherable to unauthorized individuals." A single misdirected email containing patient records, sent without encryption, triggers formal notification obligations to the affected individuals, the Department of Health and Human Services, and, in larger incidents, the media.
The penalty tier system
HITECH introduced a tiered civil penalty structure that gave HIPAA violations real financial consequences. Section 13410 of the Act sets out four tiers scaling with culpability: where a violation occurred without the entity's knowledge, where the violation was due to reasonable cause but not willful neglect, where willful neglect is established but the violation is corrected, and where willful neglect is established and the violation goes uncorrected. Criminal penalties for deliberate misuse of PHI were also strengthened.
Section 13410 also mandates that the Secretary "shall formally investigate any complaint of a violation" where a preliminary review indicates possible willful neglect, removing prosecutorial discretion and requiring enforcement action. Regulators gained both the authority and the financial incentive to pursue enforcement actions.
What HITECH demands of secure email systems
HITECH-compliant email communication requires several specific safeguards. PHI must be encrypted both in transit and at rest. Access controls and authentication must ensure that only authorised individuals can send, receive, or access emails containing PHI, with audit logs maintained to verify access history.
Any email provider handling PHI must also sign a business associate agreement, accepting joint responsibility for compliance. Under Section 13401, the Act's additional security requirements "shall be incorporated into the business associate agreement between the business associate and the covered entity," meaning providers unwilling to sign a BAA cannot legally be used for PHI transmission. Furthermore, HITECH requires administrative safeguards including documented email use policies and staff training on handling patient information electronically. Organisations must also maintain incident response procedures for identifying, containing, and reporting email-related breaches within the specified regulatory timeframes.
The human problem
An analysis of HHS breach data published in Human Factors in Electronic Health Records Cybersecurity Breach examined 1,485 security incidents reported to the Office for Civil Rights between January 2015 and December 2020, covering over 141 million compromised records. While HITECH focuses on technical safeguards and vendor accountability, the study found that 73.1 percent of all affected records resulted from unintentional human factors rather than deliberate external attacks. The number of records exposed through unintentional breaches was more than twice that of those caused by malicious actors.
Email sits at the centre of this problem in two ways. First, carelessness and negligence accounted for 382 incidents, and more than half of those involved an employee or business associate emailing PHI to the wrong recipients. Second, phishing attacks carried the highest record exposure of any breach category, at over 421,000 records per incident. The authors note that the discourse around healthcare data breaches has shifted from "if" to "when" an organisation will experience one.
An illustration of phishing's potential is the 2015 Anthem Inc. breach. A targeted spear-phishing campaign allowed attackers to obtain employee credentials and run queries across Anthem's enterprise data warehouse over several weeks, ultimately exposing nearly 78.8 million records, a breach that OCR data confirms was enabled by a single compromised email interaction.
HITECH in practice
A 2016 ONC-commissioned review by Gold and McLaughlin offered a measured assessment: "Our review of the evidence provides a mixed picture." Progress was real, but uneven.
On adoption, the results were clear: by 2014, nearly all reporting hospitals (97%) possessed certified EHR technology, and 83% of office-based physicians had an EHR system. On the financial side, the Act authorised up to $27 billion in Medicare and federal Medicaid incentive payments over 10 years to drive adoption, and providers responded accordingly.
A study published in the Journal of the American Medical Informatics Association, "Impact of the HITECH Act on Physicians' Adoption of Electronic Health Records," found only weak and statistically insignificant evidence that the Meaningful Use subsidy programme accelerated EHR adoption beyond what would have occurred naturally. Analysing over a decade of national physician data, the authors concluded that adoption was driven by physicians mimicking their peers rather than by enthusiasm for the technology, a dynamic they described as an "imitation effect."
Furthermore, they raised the possibility that the certification requirements central to HITECH may have slowed technological progress, pushing vendors to invest in compliance rather than research and development. By the end of 2014, the federal government had distributed $28.1 billion through the Meaningful Use programmes, a public investment whose returns, the study found, remained ambiguous. Their conclusion was that "many current EHR systems reduce physician productivity, lack data sharing capabilities," undermining the interoperability goals the legislation was designed to achieve.
FAQs
Does HITECH apply to healthcare providers outside the United States?
HITECH is a US federal law and applies only to covered entities and business associates operating within American jurisdiction.
Can a patient sue a healthcare provider directly for a HITECH violation?
HITECH does not create a private right of action for patients, meaning individuals cannot sue directly under the Act and enforcement remains with the Office for Civil Rights.
Is encrypted email alone enough to make a healthcare organisation HITECH-compliant?
Encryption is necessary but not sufficient: full compliance also requires signed business associate agreements, staff training, access controls, audit logs, and documented incident response procedures.
What happens if a small practice cannot afford a compliant email system?
The law makes no financial exemption for smaller providers, though the penalty tier system does account for whether a violation involves willful neglect or simply a lack of awareness.
Are personal devices used for work email covered under HITECH?
Any device used to transmit or access PHI falls within HITECH's scope.