Enforcement of HITECH Act Breach Provisions Set to Take Effect in February

January 11, 2010


The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was passed on February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The stated purpose of the HITECH Act was to promote the adoption and meaningful use of health information technology. As the Act moves through the regulatory process, employers should take note of two developments.

First, on December 29, 2009, the comment period for the HITECH Act changes to the HIPAA civil money penalty (CMP) rules ended. These regulations, which became effective on February 18, 2009, significantly increased penalties and limited the affirmative defenses available to health plans in violation of HIPAA.

Further, on August 24, 2009, HHS released regulations delineating a covered entity's duty to notify affected persons of a breach of unsecured protected health information (PHI). Although these regulations became effective on September 23, 2009, due to concerns over the period of time necessary to comply with these regulations, HHS delayed enforcement of the regulations for six months. This enforcement delay is set to expire on February 22, 2010.

Questions or comments on this issue should be addressed to either Gretchen Young, gyoung@eric.org.