HITECH vs. HIPAA: What’s the Difference?

Nov 30, 2021

Businesses and organizations must protect many different types of personal information to prevent serious consequences in the event of a breach. However, among the most serious and specifically regulated is personal health information.

Medical confidentiality has been a fundamental concept within medicine for millennia and is enshrined in U.S. law today in the form of HIPAA and, more recently, HITECH. But what exactly is the difference between the two? And what are the practical applications for organizations in terms of data security?

What Is HIPAA?

To understand HITECH, you need to understand HIPAA first. The Health Insurance Portability and Accountability Act was enacted in 1996. It put in place wide-ranging responsibilities for organizations to maintain medical confidentiality and patient privacy. Its dictates cover all types of communications and records, paper and electronic.

HIPAA defines various categories of personal health information (PHI). When organizations of any kind fail to uphold the privacy of personal health information, they can face fines and further repercussions. HIPAA includes several standards for data storage and access protocols, including both secured networks and physical locks protecting paper files.

What Is HITECH?

The Health Information Technology for Economic and Clinical Health Act came into effect in 2009. The bill builds on the existing HIPAA framework, giving more explicit guidelines and expanding the use of electronic health records. The act also clarifies many technical requirements for electronic health records, as the practical implementation of electronic records has changed substantially since 1996.

The lack of clear guidelines before HITECH had led to very low adoption of much more efficient electronic health records. With an effective framework in place, hospitals and other organizations can know that they are meeting compliance requirements rather than simply hoping they are.

What Are the Differences Between the Two in Practice?

For organizations, the primary differences between the two lie in breach-notification responsibilities and penalty structure. HITECH casts a far wider net of responsibility over any organization handling personal health information.

Under HITECH, any organization must report breaches of personal health information, with time frames depending on the number of individuals involved. For breaches involving more than 500 people, the organization must also report to the U.S. Department of Health & Human Services. It must also send a letter to each affected person by personally addressed first-class mail.

HITECH takes several measures to prevent companies from simply choosing to pay fines in place of rectifying issues. Compliance violations now have tiers that scale steeply from $100 to $50,000 for each violation. Before this measure, organizations could simply continue to pay fines indefinitely instead of coming into compliance.

Properly Disposing of Personal Health Information

If your organization handles personal health information here in North Dakota, you should be aware that both HIPAA and HITECH carry severe consequences for data breaches. SEAM provides professional shredding services and NIST standard-compliant hard drive disposal. You can reach out to our team at any time to ensure that you’re meeting the required standards for personal health information disposal.


SEAM provides IT recycling and data destruction services including onsite shredding and hard drive wiping to South Dakota, North Dakota, Minnesota, Iowa, and Nebraska.