
HITECH


HITECH Act: Privacy Requirements

Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, addresses the privacy and security concerns associated with the electronic transmission of health information.

This subtitle extends the complete Privacy and Security Provisions of HIPAA to business associates of covered entities. This includes the extension of newly updated civil and criminal penalties to business associates. These changes are also required to be included in any business associate agreements with covered entities. On November 30, 2009, the regulations associated with the new enhancements to HIPAA enforcement took effect.

Another significant change brought about in Subtitle D of the HITECH Act is the new set of breach notification requirements. These impose new notification obligations on covered entities, business associates, vendors of personal health records (PHR) and related entities if a breach of unsecured protected health information (PHI) occurs. On April 27, 2009, the Department of Health and Human Services (HHS) issued guidance on how to secure protected health information appropriately. Both HHS and the Federal Trade Commission (FTC) were required under the HITECH Act to issue regulations associated with the new breach notification requirements. The HHS rule was published in the Federal Register on August 24, 2009, and the FTC rule was published on August 25, 2009.

The final significant change made in Subtitle D of the HITECH Act implements new rules for the accounting of disclosures of a patient's health information. It extends the current accounting for disclosure requirements to information that is used to carry out treatment, payment and health care operations when an organization is using an electronic health record (EHR). This new requirement also limits the timeframe for the accounting to three years instead of six as it currently stands. These changes won't take effect until January 1, 2011, for organizations implementing EHRs between January 1, 2009, and January 1, 2011, and until January 1, 2013, for organizations that had implemented an EHR prior to January 1, 2009.


The American Recovery and Reinvestment Act of 2009, abbreviated ARRA (Pub.L. 111-5) and commonly referred to as the Stimulus or The Recovery Act, is an economic stimulus package enacted by the 111th United States Congress in February 2009 and signed into law on February 17, 2009, by President Barack Obama.

To respond to the late-2000s recession, the primary objective for ARRA was to save and create jobs almost immediately. Secondary objectives were to provide temporary relief programs for those most impacted by the recession and invest in infrastructure, education, health, and ‘green’ energy. The approximate cost of the economic stimulus package was estimated to be $787 billion at the time of passage. The Act included direct spending in infrastructure, education, health, and energy, federal tax incentives, and expansion of unemployment benefits and other social welfare provisions. The Act also included many items not directly related to economic recovery such as long-term spending projects (e.g., a study of the effectiveness of medical treatments) and other items specifically included by Congress (e.g., a limitation on executive compensation in federally aided banks added by Senator Dodd and Rep. Frank).

The rationale for ARRA came from Keynesian macroeconomic theory, which argues that, during recessions, the government should offset the decrease in private spending with an increase in public spending in order to save jobs and stop further economic deterioration.