The HITECH Act

01/01/2010
The Health Information Technology for Economic and Clinical Health Act (HITECH) recently went into effect. It facilitates the expansion of the HIPAA standards that support the electronic exchange of health information on a national basis, and it puts forth incentives for covered entities that adopt Electronic Health Records (EHR). With HITECH setting new benchmarks that clarify the requirements for HIPAA compliance, those who choose to remain non-compliant have become more vulnerable to civil penalties.

Here are a few points to consider:
  • The HHS breach notification rules layer encryption standards - how to render health information "unusable, unreadable or indecipherable" - for data at rest, data in use and data in motion, on top of the HIPAA privacy and security rules.
  • Encryption is not required, but a security breach involving non-encrypted data triggers public notice requirements (i.e., alerting the media) in addition to data subject notice requirements.
  • The FTC rules widen the net, imposing HIPAA "covered-entity"-like obligations on business associates, including, e.g., vendors and other non-covered-entity repositories of health information.
  • As an aside, greater regulation of other business associates under HIPAA will take effect in February; business associates will have to implement policies and procedures similar to those now required only of covered entities.
  • Enforcement will be ratcheted up after six months. Greater sanctions are available for regulators to impose, and the FTC has been a tougher enforcer than HHS has been on the HIPAA front to date.

More information can be found in this summary of the main HIPAA-related points of the HITECH Act.