This page reviews the pertinent dates from the HITECH Act Subtitle D and provides commentary as appropriate:
February 17, 2009 HITECH Act Enacted
On February 17, 2009 Upon Enactment
- Application of tiered civil monetary penalties (i.e., for violations occurring after enactment).
- State Attorney General authority to enforce (i.e., to bring a civil action in federal court on behalf of state residents for violations occurring after enactment).
HIPAA Survival Guide Note:
Clearly this raises the stakes from day one. We are not aware of any case brought by a state AG as of this writing (August 2009), but when one is filed it is sure to make the national news.
By April 20, 2009 Within 60 Days of Enactment
- HHS must issue guidance specifying the technologies and methodologies that render PHI "unusable, unreadable, or indecipherable" to unauthorized individuals. Directly relevant to the breach notification requirements, since a breach of PHI secured by one of these methods does not trigger notification.
HIPAA Survival Guide Note:
Breach notification requirements were covered in this post. Section 13402 of HITECH's Subtitle D is the relevant section. HHS has issued the required guidance, and unsecured PHI is therefore now defined (paraphrased and annotated) as follows:
13402(h): unsecured PHI means PHI that is not secured through (1) encryption or (2) destruction, as provided in the HHS guidance. The method used must render PHI "unusable, unreadable, or indecipherable" to unauthorized individuals (see the HIPAA Security Rule and the NIST standards the guidance cites: NIST SP 800-111 for encryption of data at rest, FIPS 140-2 validated encryption for data in motion, and NIST SP 800-88 for media sanitization). One practitioner caveat: encryption only takes a breach outside the notification rules if the confidentiality of the key was maintained; the guidance requires decryption tools to be stored on a device or at a location separate from the data they protect.
By August 18, 2009 Within 180 Days of Enactment
- HHS and FTC must each promulgate interim final regulations on breach notification (HHS for covered entities and business associates, FTC for PHR vendors and related entities); they apply to breaches discovered on or after the date 30 days after publication of the interim final regulations.
HIPAA Survival Guide Note:
Breach notification is covered in Section 13402 of HITECH's Subtitle D.
By December 31, 2009 By this Specific Date
- HHS must adopt rules for the initial prioritized set of standards related to accounting for disclosures; with the regulations required to implement the standard due six (6) months after the standard has been adopted.
HIPAA Survival Guide Note:
The relevant Subtitle D Section is 13405.
By February 18, 2010 Due Within One Year Post Enactment
- HHS and FTC study on privacy and security requirements for PHR vendors and applications
- GAO study on best practices for disclosures for treatment and use of electronic informed consent.
- First annual report on HIPAA enforcement.
- First annual guidance on the most effective and appropriate technical safeguards for health information.
- HHS study on de-identification.
- HHS implementation of health information privacy educational initiative.
HIPAA Survival Guide Note:
PHR (personal health records) vendors include companies like Google and Microsoft. These are "cloud computing" offerings that allow consumers/patients to track their own health information. EHR vendors are also offering cloud solutions as discussed here.
On February 18, 2010 Effective One Year Post Enactment
- Application of rules to, and accountability for, business associates.
- Clarification regarding which entities are required to be business associates.
- Patient's right to restrict disclosures to a health plan for items or services the patient has paid for out of pocket in full.
- Deeming of limited data set as satisfying the minimum necessary standard.
- Patient's right to electronic access to, and an electronic copy of, their health record.
- Clarification regarding marketing provisions.
- Opt-out for fund raising communications; HIPAA's current provisions regarding fund raising remain in full force and effect.
- Clarification regarding the ability to impose criminal penalties against individuals.
- Civil monetary penalties and settlements flowing to HHS/OCR (Office for Civil Rights) to fund enforcement.
- Requirement for HHS to begin conducting mandatory audits.
HIPAA Survival Guide Note:
The last two "bulleted" items are covered in Sections 13410 and 13411. Refer to this post for more information regarding improved enforcement (13410) and this one for mandatory audits (13411).
By August 18, 2010 Within 18 Months of Enactment
- HHS guidance on "minimum necessary."
- Regulations implementing the prohibition on the sale of PHI (effective six (6) months after promulgation).
- GAO report on a methodology for providing individuals harmed by a violation with a percentage of the HIPAA penalties collected.
- Regulations on the imposition of civil monetary penalties in cases of "willful neglect" (and on when HHS can pursue civil penalties for violations that would otherwise qualify as criminal); the corresponding effective dates are listed under February 18, 2011 below.
HIPAA Survival Guide Note:
Individuals still cannot bring a private civil action under HIPAA, but they will now have more financial incentive to file a HIPAA complaint. How HHS will apply "willful neglect" (defined in the Enforcement Rule, 45 CFR 160.401, as conscious, intentional failure or reckless indifference to the obligation to comply) is still an open question. Refer to this post for commentary regarding same.
By February 18, 2011 Within 24 Months of Enactment
- Clarification of HHS' ability to pursue civil penalties when criminal penalties are not pursued; applies to violations discovered on or after this date.
- Requirement that HHS impose civil monetary penalties in cases of "willful neglect"; applies to violations discovered on or after this date.
HIPAA Survival Guide Note:
Given the lax enforcement of HIPAA's Privacy & Security Rules prior to the HITECH Act, I am certain that HHS is going to have no problem finding instances of "willful neglect"--especially for those unlucky few to be the first ones audited.
On February 18, 2012 36 Months Post Enactment
- HHS to promulgate methodology for providing individuals with a percentage of HIPAA penalties that OCR collects.
HIPAA Survival Guide Note:
It should be fairly clear that the HITECH Act has provided HHS with a money machine and individuals get to play for more than "funzies."
By 2013 By this Year
- Latest date to which HHS may extend the accounting-of-disclosures deadline for entities that acquired an EHR after January 1, 2009 (initial deadline: January 1, 2011).
HIPAA Survival Guide Note:
The relevant Subtitle D Section is 13405.
By January 1, 2014 By this Specific Date
- Initial deadline for entities that had already acquired an EHR as of January 1, 2009 (the "older systems") to comply with the new accounting-of-disclosures rules.
HIPAA Survival Guide Note:
The relevant Subtitle D Section is 13405.
On February 18, 2014 60 Months Post Enactment
- GAO study on the impact of the American Recovery and Reinvestment Act (ARRA), of which HITECH is a part.
By 2016 By this Year
- Latest date to which HHS may extend the accounting-of-disclosures deadline for entities that had already acquired an EHR as of January 1, 2009 (initial deadline: January 1, 2014).
HIPAA Survival Guide Note:
The relevant Subtitle D Section is 13405.