Skip Navigation

 

Search

Font Size Reduce Text SizeEnlarge Text Size     Print Send this page to printer     Download Reader  Download PDF readerHHS Home|HHS News|About HHS

Health Information Privacy

Office for Civil RightsCivil RightsHealth Information Privacy

OCR Home > Health Information Privacy > Understanding HIPAA Privacy > For Covered Entities

HIPAA

Understanding HIPAA Privacy

For Consumers

For Covered Entities

Special Topics

Related Links

Summary of the HIPAA Privacy Rule

Summary of the HIPAA Security Rule

Training Materials

HIPAA Administrative Simplification Statute and Rules

Enforcement Activities & Results

How to File a Complaint

News Archive

Frequently Asked Questions

PSQIA

Understanding PSQIA Confidentiality

PSQIA Statute & Rule

Enforcement Activities & Results

How to File a Complaint

HITECH Act Rulemaking and Implementation Update

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act.  These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  OCR has issued a Notice of Proposed Rulemaking (NPRM) regarding these provisions.  Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM, and the final rule that will follow, provide specific information regarding the expected date of compliance and enforcement of these new requirements.

However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification.  New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009.  Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

View more information on the HITECH NPRM.

View more information on the Enforcement Interim Final Rule.

View more information on the Breach Notification Interim Final Rule.

View the HITECH Act.


horizontal line

HHS Home | Questions? | Contacting HHS | Accessibility | Privacy Policy | FOIA | Disclaimers | Inspector General | No FEAR Act | Viewers & Players
The White House | USA.gov | HHS Archive | Pandemic Flu

U.S. Department of Health & Human Services · 200 Independence Avenue, S.W. · Washington, D.C. 20201