The Health Information Technology for Economic and Clinical Health Act (HITECH Act) enacted on February 17, 2009 addresses the privacy and security of patient health information. HITECH is part of the American Recovery and Reinvestment Act of 2009 (ARRA – Pub L 111-5, 123 Stat 115). The HITECH Act appreciably revises the Health Insurance Portability and Accountability Act of 1996 (HIPAA – Pub L 104-191, 110 Stat 1936).  HIPAA ( is concerned with the protection of patient medical records and imposed regulations, effective since November 30, 2009, to address patient confidentiality. However, HITECH imposes new requirements concerning privacy and security for health information that materially and directly affects many more entities, businesses, and individuals in more varied ways than HIPAA. In particular, the HITECH ACT provides for the following:

  1. Expands the definitions of business associates, which are defined as persons and organizations (typically subcontractors) that perform activities involving the use or disclosure of individually identifiable health information. Activities include claims processing, quality assurance, data analysis, billing, and benefit management, as well as, legal, accounting, or administrative functions (45CFR 160-103). Business associates also include organizations that transmit protected health information and require access on a routine basis to such information.
  2. Requires that, beginning on February 17, 2010, HIPAA security standards that apply to health plans and health care providers also apply directly to business associates. They are also subject to the administrative, physical, and technical security requirements of HIPAA. Therefore, they must implement suitable policies and procedures, and must document their security activities (42 USC – 17931).
  3. Institutes new security breach requirements (42 USC – 17932(j)). Starting in September, 2010, the HITECH Act calls for a health plan or health care provider that accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses, or discloses unsecured protected health information and discovers a breach of the information to notify each individual whose health information has been, or is reasonably believed to have been accessed, acquired, or disclosed as a result of the breach (42 USC – 17932 (a)). Business associates are also required to give notice of data breaches to the health care plan or provider and identify each individual whose protected health information was breached (42 USC 17932 (b)). The health plan, health care provider, or business associate must give notice of the breach without unreasonable delay, no later than 60 calendar days after its discovery (42 USC 17932 (d)). Notice must be provided by first-class mail to the individuals at their last known address, or if specified by the individual, via e-mail (42 USC 17932 (e) (1)).
  4. Permits individuals to electronic copies of health information. From February 17, 2010 forward, individuals are entitled to copies of their health information in an electronic format from any health plan or health care providers that use or maintain electronic health records. The individual can direct the health plan or health care provider to transmit the copy directly to anyone he or she designates. Fees for providing this service must not be greater than the entity’s labor costs (42 USC 17935 9e)).
  5. Requires regulations concerning the sale of electronic health records and protected health information by mid-August, 2010. Effective 6 months after the regulations are enacted, with certain exceptions, the HITECH Act will prohibit a health plan, health care provider, or business associate from receiving payment for an individual’s protected health information without the authorization from the individual (42 USC – 17935 (d)).


The entire HITECH Act can be accessed at: