HITECH/HIPAA compliance and its timelines

The key statutory deadlines for HITECH/HIPAA compliance are listed below for quick reference, with the HITECH Act section that sets each one where known.

HITECH enactment (February 17, 2009): Tiered civil penalties take effect, scaled to the nature of the HIPAA violation, up to $50,000 per violation and an annual maximum of $1.5 million for violations of an identical provision (Section 13410).

180 days post-enactment (August 17, 2009): HHS and the FTC are to issue interim regulations on breach notification. The FTC rules apply to breach notification by vendors of personal health records (PHRs) that are not covered by HIPAA, generally because the organization offering the PHR is neither a "covered entity" nor bound by a business associate agreement (Sections 13402 and 13407).

24 months post-enactment (February 17, 2011): HHS is to clarify its ability to pursue civil penalties in cases where criminal penalties are not pursued (Section 13405).

36 months post-enactment (February 17, 2012): HHS is obligated to establish regulations under which individuals harmed by HIPAA privacy and security violations receive a percentage of the civil monetary penalties HHS collects for those violations.