Staff at the U.S. Department of Health and Human Services' ("HHS") Office of Civil Rights, Health Information Privacy Division, stated to Duane Morris that "comprehensive HITECH regulations" will be published in the next several weeks, following final agency approval. The Health Information Technology for Economic and Clinical Health Act (the "HITECH Act," Title XIII of the American Recovery and Reinvestment Act of 2009) amended the Health Insurance Portability and Accountability Act ("HIPAA") to improve and expand current federal privacy and security protections for protected health information ("PHI"). The HITECH Act requires the Secretary of HHS to interpret key provisions through regulations. Since most of the HITECH Act's HIPAA amendments are effective on February 17, 2010, providers, group health plans, business associates and others have been awaiting these regulations in order to make any necessary changes to their HIPAA programs by the compliance deadline. Based on the act, the regulations are likely to address:
- The expansion of the definition of business associates and the extension of HIPAA's Security Rule and parts of the Privacy Rule to business associates;
- New definitions of the "minimum necessary" amount of PHI that may be used or disclosed;
- Disclosure requirements for electronic health records;
- Limitations and exceptions to the prohibition on the sale of PHI;
- The definition of "reasonable in amount" with regard to restrictions on marketing of PHI; and
- The modification of HIPAA Privacy Rule's provisions regarding fundraising.
The HITECH Act also creates an infrastructure for the development of a national electronic health records ("EHR") system by the end of 2014. The act sets forth requirements for EHRs, provides funding under Medicare and other programs to help providers pay for EHRs, and requires the Secretary of HHS to issue regulations on EHRs by the end of 2009. The upcoming HITECH Act regulations are expected to include:
- Specific standards and requirements for "meaningful users" of EHRs (only meaningful users qualify for EHR funding under the HITECH Act);
- Specific standards and requirements for "certified EHR technology"; and
- Technologies that protect privacy and promote security in a qualified EHR.
These regulations are likely to be significant for providers and other entities that are developing EHRs, particularly if they intend to seek assistance funding.