hitech-act-privacy
HITECH Act Privacy and Security Requirements
Overview
The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5). HITECH fundamentally transformed HIPAA enforcement by establishing breach notification requirements, creating a four-tier penalty structure with significantly increased penalties, granting enforcement authority to state attorneys general, extending HIPAA Security Rule requirements directly to business associates, and tying privacy and security compliance to the Electronic Health Record (EHR) meaningful use incentive program. The 2013 Omnibus Rule (78 FR 5566) implemented most HITECH provisions into the HIPAA regulatory framework.
Breach Notification — HITECH §13402
Establishment of Federal Healthcare Breach Notification
Prior to HITECH, HIPAA had no breach notification requirement. HITECH §13402 created the obligation for covered entities and business associates to notify individuals, HHS, and in some cases the media, following a breach of unsecured PHI.
Key provisions enacted by HITECH: