
Wednesday, March 3, 2010

The Privacy and Security Provisions for Health Information in the American Recovery and Reinvestment Act of 2009

Gina Stevens
Legislative Attorney

Edward C. Liu
Legislative Attorney

President Obama signed the American Recovery and Reinvestment Act of 2009 (P.L. 111-5) on February 17, 2009. Title XIII of Division A and Title IV of Division B of that act are referred to as the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act was designed to promote the widespread adoption of health information technology (HIT). HIT involves the exchange of health information in an electronic environment. 

The HITECH Act, based on legislation introduced in the 110th Congress, promotes health information technology through codification of the role of the Office of the National Coordinator for Health Information Technology (ONCHIT); adoption of standards for health information technology; creation of grants and loan programs to promote wider HIT use among health care practitioners; and expansion of privacy and security requirements for protected health information. The HITECH Act also includes financial incentives for Medicare and Medicaid health care providers who make meaningful use of electronic health records. 

As part of the HITECH Act, sweeping changes to the health information privacy regime were enacted. Most of the provisions in Subtitle D of Title XIII (Privacy) of the HITECH Act are additional requirements supplementing the HIPAA Privacy and Security Rules, but a few provisions deal specifically with electronic health records (EHRs). Subtitle D (Privacy) of Title XIII of the HITECH Act extended application of certain provisions of the HIPAA Privacy and Security Rules to the business associates of covered entities, making those business associates subject to civil and criminal liability for violations; established new limits on the use of protected health information for marketing and fundraising purposes; provided new enforcement authority for state attorneys general to bring suit in federal district court to enforce HIPAA violations; increased civil and criminal penalties for HIPAA violations; required covered entities and business associates to notify the public or HHS of data breaches (regardless of whether actual harm has occurred); changed certain use and disclosure rules for protected health information; and created additional individual rights.

In this report, we provide an overview of HIPAA, of the HIPAA Privacy and Security Rules, and of the privacy and security provisions for protected health information included in Subtitle D of Title XIII of the HITECH Act. 


Date of Report: February 22, 2010
Number of Pages: 24
Order Number: R40546
Price: $29.95

Document available electronically as a pdf file or in paper form.
To order, e-mail congress@pennyhill.com or call us at 301-253-0881.