As of February 22, 2010, the Department of Health and Human Services (“HHS”) began enforcing the data breach notification requirements set out in the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH Act substantially modifies the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) by, among other things, requiring covered entities to notify individuals whose protected health information has been compromised, used, or disclosed without authorization or otherwise in a manner that fails to comply with HIPAA.

(For more information, see our law alert (PDF) published 08/21/09, which provides a general overview of the HITECH Act and its changes to HIPAA.)

In its “Breach Notification for Unsecured Protected Health Information Interim Final Rule” issued August 24, 2009, HHS stated that it will begin imposing sanctions on February 22, 2010 against covered entities that fail to comply with the HITECH Act requirements, although HHS also states that it expects covered entities already to be in compliance with HITECH and HHS’s regulations. HHS enforcement reaches all health care providers, health plans, business associates, and others that use, access, or disclose protected health information.

Additionally, HITECH includes enhanced enforcement provisions such as:

  1. an increased scale of fines for noncompliance up to $1,500,000;
  2. authorization for state Attorneys General to bring actions on behalf of state residents for violations of HIPAA; and
  3. expanded applicability of various portions of HIPAA directly to business associates.

All affected entities should adopt …