A Summary of the Proposed HIPAA Regulations Implementing HITECH

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)1 contained a provision requiring the Secretary of the Department of Health and Human Services (HHS) to publish national standards to protect the privacy and security of individually identifiable health information.  These regulations are known as the HIPAA Privacy Rule and the HIPAA Security Rule.  In 2009, HIPAA was amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act (ARRA).2  In July 2010, HHS released a Notice of Proposed Rulemaking (NPRM or Proposed Rule) to implement the various changes to the Privacy and Security Rules required by HITECH.3  

1.) HIPAA Privacy Rule

a.)  Individually Identifiable Health Information

b.)  De-Identified Health Information

c.)  Limited Data Sets

d.)  Uses and Disclosures of PHI

e.)  Treatment, Payment, and Health Care Operations (TPO)

f.)  Public Interest Activities

g.)  Uses Requiring Individual Authorization   

h.)  Marketing

i.)  Fundraising

j.)  Sale of PHI

k.)  Limiting Uses and Disclosures to the Minimum Necessary

l.)  Business Associate Requirements

2.) HIPAA Security Rule

a.)  Entities Subject to or Affected by the Security Rule

b.)  Administrative Safeguards

c.)  Physical Safeguards

d.)  Organizational Safeguards

3.) HIPAA Enforcement

a.)  HITECH Expansion & Revised Civil Penalties

b.)  Direct Business Associate Liability

4.) HIPAA Breach Notification Provisions and Security Guidance

a.) Breach of Unsecured PHI