HITECH Privacy and Security Regulations Update

Posted July 28, 2011, 3:49 pm by Jason Luke

Image of Jason

Jason Luke

While the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 is over two years old, most people do not realize that many of its requirements are not fully in place yet, specifically the data security and privacy requirements.

Originally, many of HITECH's requirements around privacy and security were supposed to be effective on February 17, 2010. HHS has stated that the expected date of compliance and enforcement of these new requirements, except for the data breach rules, will be delayed until a period after the issuance of the final rules, which are not out yet. Recently, the HHS announced that the final rules implementing HITECH's changes to privacy, security, and data breach notification will be issued together sometime this year, 2011.

Timeline Recap:

February, 2009 - HITECH Act passed into law. Certain provisions took effect immediately, but not the privacy and security provisions. Those do not take effect until HHS issues rules on them.

September, 2009 - HHS issued an Interim Final Rule for the breach notification provisions only. These took effect immediately.

July, 2010 - A Notice of Proposed Rulemaking (NPRM) released by HHS for the privacy and security provisions of HITECH. This NPRM was  basically a draft of what they wanted the rules to be.

Next Steps:

HHS is supposed to evaluate comments from the NPRM and issue a final rule on the privacy and security provisions. This has not been done yet. HHS has pushed this final rule back and back and now say sometime in 2011.

Why didn't the HHS publish the final rules for privacy and security soon after the NPRM was released and commented on?

No one really knows, but many people had problems with the NPRM so perhaps HHS is re-evaluating some of the most commented on requirements. Most of the NPRM was uncontroversial and were as expected based on the law. However, the NPRM added additional elements that alter HIPAA's overall requirements in a significant way. In particular, the NPRM proposed to change the definition of business associate such that all downstream subcontractors would be relabeled as business associates and subject to all the requirements that entails.


How does the new subcontractor proposal change things?

In the past (and technically still today), covered entities and their business associates had to maintain compliance with HIPAA. Generally, if you were a subcontractor to a business associate, providing some service to them that required some access to PHI, you were not a business associate. The main difference here is that the new law now encompasses all people who have access to PHI. This will create substantial challenges in the process of drafting contracts for existing and new business associates.


When the final rule around data security and privacy is published, when will everyone need to comply?

There is a general assumption that the final rule will be effective 30 days after it is published and that compliance will be enforced 180 days after that.




Filed under: Uncategorized
Edited January 12, 2018 by Julie
Listed in Communities: Our Site

You must be logged in to post comments.