HITECH is a U.S. law that requires data breach notice of unauthorized use or disclosure of unencrypted personal health information.

Overview

The Health Information Technology for Economic and Clinical Health Act (HITECH)^[1] was enacted under the American Recovery and Reinvestment Act of 2009. In addition to extending existing privacy and security provisions under HIPAA, and increasing civil and criminal penalties for non-compliance, HITECH requires data breach notification for unauthorized uses and disclosures of “unsecured PHI” (unencrypted personal health information). These breach notification requirements are similar to most state data breach laws related to personally identifiable information. Additionally, patients whose health providers have an electronic health record (EHR) system in place have a right to access their electronic personal health information (ePHI), and they can have their records sent to a third party for a fee equal to the costs incurred to produce the records. Finally, HITECH provides that business associates of organizations subject to HIPAA, including accounting firms, billing agencies and law firms, are now subject to the same data privacy and security requirements as the HIPAA-regulated organizations they work with.

References

1. ↑ http://hdl.loc.gov/loc.uscongress/legislation.111hr1

External Links

• HITECH Act Enforcement Interim Final Rule

• HITECH Breach Notification Interim Final Rule

Related Resources on FindLaw

Related Blogs on FindLaw

See Also

• Health Insurance Portability and Accountability Act (HIPAA)
• U.S. Privacy Law
• American Recovery and Reinvestment Act of 2009 (ARRA)