HITECH History and Compliance Timeline


February 17  HITECH Act Enacted

  • Application of tiered civil monetary penalties (i.e., for violations occurring post enactment)
  • State Attorney General authority to enforce (i.e., bring a civil action on behalf of citizens post enactment)

April 20

  • HHS list of technologies and methodologies that render information "unusable, unreadable or indecipherable."

August 18

  • HHS and FTC promulgate interim final regulations on breach notification

December 31

  • HHS to adopt rules for the standards related to accounting for disclosures


February 18

  • HHS and FTC study on privacy and security requirements for PHR vendors and applications
  • GAO study on best practices for disclosures for treatment and use of electronic informed consent.
  • First annual report on HIPAA enforcement.
  • First annual guidance on the most effective and appropriate technical safeguards for health information.
  • HHS study on de-identification.
  • HHS implementation of health information privacy educational initiative.
  • Application of rules for business associates.
  • Clarification regarding which entities are required to be business associates.
  • Patient's right to restrict disclosures to health plans.
  • Deeming of limited data set as satisfying the minimum necessary standard.
  • Patient's right to electronic access to, and an electronic copy of, their health record.
  • Clarification regarding marketing provisions.
  • Opt-out for fund raising communications; HIPAA's current provisions regarding fund raising remain in full force and effect.
  • Clarification regarding the ability to impose criminal penalties against individuals.
  • Civil monetary penalties and settlements flowing to HHS/OCR (Office of Civil Rights) for enforcement.
  • Requirement for HHS to begin conducting mandatory audits.

August 18

  • Secretary's guidance on minimum necessary
  • Regulations re: sale of data prohibition (effective 6 months post promulgation)
  • GAO report on methodology for providing individuals with a percentage of HIPAA penalties
  • Regulations on imposition of civil monetary penalties in cases of willful neglect (and with respect to when the Secretary can civilly pursue violations of HIPAA that qualify as criminal)



  • Initial deadline for complying with new accounting for disclosure rules for entities implementing EHR systems post January 1, 2009.
  • HHS to provide guidance regarding "minimum necessary."
  • Promulgated regulations regarding prohibition on the sale of PHI data, which will be effective six (6) months post promulgation.
  • GAO report on methodology for providing individuals with a percentage of HIPAA penalties.
  • Promulgation on imposition of civil monetary penalties in cases of "willful neglect"