Staff at the U.S. Department of Health and Human Services' ("HHS") Office of Civil Rights, Health Information Privacy Division, stated to Duane Morris that "comprehensive HITECH regulations" will be published in the next several weeks, following final agency approval. The Health Information Technology for Economic and Clinical Health Act (the "HITECH Act," Title XIII of the American Recovery and Reinvestment Act of 2009) amended the Health Insurance Portability and Accountability Act ("HIPAA") to improve and expand current federal privacy and security protections for protected health information ("PHI"). The HITECH Act requires the Secretary of HHS to interpret key provisions through regulations. Since most of the HITECH Act's HIPAA amendments are effective on February 17, 2010, providers, group health plans, business associates and others have been awaiting these regulations in order to make any necessary changes to their HIPAA programs by the compliance deadline. Based on the act, the regulations are likely to address:

  • The expansion of the definition of business associates and the extension of HIPAA's Security Rule and parts of the Privacy Rule to business associates;
  • New definitions of the "minimum necessary" amount of PHI that may be used or disclosed;
  • Disclosure requirements for electronic health records;
  • Limitations and exceptions to the prohibition on the sale of PHI;
  • The definition of "reasonable in amount" with regard to restrictions on marketing of PHI; and
  • The modification of the HIPAA Privacy Rule's provisions regarding fundraising.

The HITECH Act also creates an infrastructure for the development of a national electronic health records ("EHR") system by the end of 2014. The act sets forth requirements for EHRs, provides funding under Medicare and other programs to help providers pay for EHRs, and requires the Secretary of HHS to issue regulations on EHRs by the end of 2009. The upcoming HITECH Act regulations are expected to include:

  • Specific standards and requirements for "meaningful users" of EHRs (only meaningful users qualify for EHR funding under the HITECH Act);
  • Specific standards and requirements for "certified EHR technology"; and
  • Technologies that protect privacy and promote security in a qualified EHR.

These regulations are likely to be significant for providers and other entities that are developing EHRs, particularly if they intend to seek assistance funding.

Duane Morris will continue to monitor developments under the HITECH Act.

If you have any questions regarding this Alert or would like more information on the anticipated changes to HIPAA or the new EHR requirements, please contact Lisa W. Clark, Erin M. Duffy, any member of the Healthcare Information Technology Practice Group, or the attorney in the firm with whom you are regularly in contact.

This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.

Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets.