Here are some of the relevant timelines for HITECH/HIPAA compliance. Refer to the Subtitle D table of contents below for a quick reference to the respective sections.
- HITECH enactment (February 17, 2009): Tiered civil penalties based on the nature of HIPAA violations, up to $50,000 per violation and an annual maximum of $1.5 million (Section 13410).
- 180 days post-enactment (August 17, 2009): HHS and the FTC will promulgate interim regulations on notification of breaches. The FTC rules will apply to breach notification by PHRs that are not covered by HIPAA (i.e., generally because the organization that produces the PHR is not a "covered entity") or business associate agreements (Sections 13402, 13407).
- 24 months post-enactment (February 17, 2011): HHS clarification regarding ability to pursue civil penalties when criminal penalties are not pursued (Section 13405).
- 36 months post-enactment (February 17, 2012): HHS is obligated to establish regulations that will allow individuals harmed by privacy and security violations to receive a percentage of any HHS monies collected related to civil fines regarding such violations.
DIVISION A: TITLE XIII—HEALTH INFORMATION TECHNOLOGY
SUBTITLE D-PRIVACY.
Sec. 13400. Definitions.
PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS
Sec. 13401. Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions.
Sec. 13402. Notification in the case of breach.
Sec. 13403. Education on health information privacy.
Sec. 13404. Application of privacy provisions and penalties to business associates of covered entities.
Sec. 13405. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format.
Sec. 13406. Conditions on certain contacts as part of health care operations.
Sec. 13407. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities.
Sec. 13408. Business associate contracts required for certain entities.
Sec. 13409. Clarification of application of wrongful disclosures criminal penalties.
Sec. 13410. Improved enforcement.
Sec. 13411. Audits.
PART 2—RELATIONSHIP TO OTHER LAWS; REGULATORY REFERENCES; EFFECTIVE DATE; REPORTS
Sec. 13421. Relationship to other laws.