The HHS HITECH Act Technology Implementation Plan. The U.S. Department of Health & Human Services (HHS) has a broad role in the implementation of multiple health and welfare plans addressed by the American Recovery and Reinvestment Act of 2009 (ARRA). In order to manage and coordinate its many obligations under ARRA, HHS established the Office of Recovery Act Coordination. This office is responsible for ensuring that ARRA programs are designed to best meet ARRA objectives and reporting due dates, establishing and tracking performance outcomes, mitigating the risks of fraud and abuse, and keeping the public informed through the Web and other means of communication. The Office of Recovery Act Coordination released a 291-page implementation plan to address each aspect of HHS responsibilities under the ARRA, including a distinct Act within ARRA focused on health information technology, privacy and security. This Act is titled “Health Information Technology for Economic and Clinical Health Act” (HITECH Act).
The Office of Recovery Act Coordination’s implementation plan includes specific plans for accelerating the adoption and implementation of health information technology in compliance with the HITECH Act. The HHS ARRA Implementation Plan for Health Information Technology, Medicare and Medicaid Incentives and Administrative Funding can be accessed here. The Office of the National Coordinator’s ARRA Implementation Plan for Health Information Technology can be accessed here.
Breach Notification Interim Final Regulation and Related Guidance. In addition to implementing health information technology, the HITECH Act also requires HHS to issue interim final regulations within 180 days of the enactment of ARRA to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates (BAs) to provide for notification in the case of breaches of “unsecured protected health information.” The HITECH Act defines “unsecured protected health information” to mean protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance. On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Public comments regarding this guidance were due on May 21, 2009. Pending any changes HHS makes as a result of public comment, this guidance will apply to breaches occurring 30 days after publication of the forthcoming interim final regulations. The interim guidance issued April 17, 2009, can be reviewed here.
In recognition of the new types of web-based entities that collect consumers’ health information, which are not subject to HIPAA, the HITECH Act also required the Federal Trade Commission (FTC) to issue interim rules requiring vendors of personal health records (PHRs) and related entities to notify individuals when the security of their individually identifiable health information is breached. Accordingly, the FTC released a proposed rule on health breach notification for PHRs. The comment period ended June 1, 2009. The FTC rules are to govern PHR security breaches until Congress enacts new legislation implementing the joint recommendations of FTC and HHS on potential privacy, security and breach notification requirements to be made in a report to Congress by February 17, 2010. For more information on the FTC Rule, click here.