HITECH History and Compliance Timeline

2009

February 17: HITECH Act Enacted

  • Application of tiered civil monetary penalties (i.e. for violations occurring post-enactment)
  • State Attorney General authority to enforce (i.e. bring a civil action on behalf of citizens post-enactment)

April 20

  • HHS list of technologies and methodologies that render information "unusable, unreadable or indecipherable."

August 18

  • HHS and FTC promulgate interim final regulations on breach notification

December 31

  • HHS to adopt rules for the standards related to accounting for disclosures

2010

February 18

  • HHS and FTC study on privacy and security requirements for PHR vendors and applications
  • GAO study on best practices for disclosures for treatment and use of electronic informed consent.
  • First annual report on HIPAA enforcement.
  • First annual guidance on the most effective and appropriate technical safeguards for health information.
  • HHS study on de-identification.
  • HHS implementation of health information privacy educational initiative.
  • Application of rules for business associates.
  • Clarification regarding which entities are required to be business associates.
  • Patient's right to restrict disclosures to health plans.
  • Deeming of limited data set as satisfying the minimum necessary standard.
  • Patient's right to electronic access to, and an electronic copy of, their health record.
  • Clarification regarding marketing provisions.
  • Opt-out for fund raising communications; HIPAA's current provisions regarding fund raising remain in full force and effect.
  • Clarification regarding the ability to impose criminal penalties against individuals.
  • Civil monetary penalties and settlements flowing to HHS/OCR (Office of Civil Rights) for enforcement.
  • Requirement for HHS to begin conducting mandatory audits.

August 18

  • Secretary's guidance on minimum necessary
  • Regulations re: sale of data prohibition (effective 6 months post promulgation)
  • GAO report on methodology for providing individuals with a percentage of HIPAA penalties
  • Regulations on imposition of civil monetary penalties in cases of willful neglect (and with respect to when the Secretary can civilly pursue violations of HIPAA that qualify as criminal)

2011

January

  • Initial deadline for complying with new accounting for disclosure rules for entities implementing EHR systems post January 1, 2009.

February

  • HHS to provide guidance regarding "minimum necessary."
  • Promulgated regulations regarding prohibition on the sale of PHI data, which will be effective six (6) months post promulgation.
  • GAO report on methodology for providing individuals with a percentage of HIPAA penalties.
  • Promulgation on imposition of civil monetary penalties in cases of "willful neglect"