Health Information Technology for Economic and Clinical Health (HITECH) Act Division A, Title XIII, Subpart D of American Recovery and Reinvestment Act of 2009

HIPAA Policies and Procedures Update for ARRA – HITECH ActCongress passed the American Recovery and Reinvestment Act of 2009 (the Act) on Friday, Feb. 13, 2009, with almost unprecedented speed, and the President signed it into law on Feb. 17. The Act has grabbed the attention of the country – from inside the beltway to Main Street America. Title XIII of the Act is artfully entitled to the Health Information Technology for Economic and Clinical Health (also referred to as HITECH) Act. Provisions are included in Division A, Title XIII, Subpart D.

Most of the Act’s provisions will take effect one year after enactment of the law (Feb. 17, 2010), although increased penalty provisions go into effect immediately. Other rules require implementing regulations and will take two years or longer to take effect.

All provisions of the Act do not take effect immediately, and a number of the regulations require the promulgation of a rule by the US Department of Health and Human Services (HHS) and, in one instance, the Federal Trade Commission (FTC). Also, especially as it relates to HIT standards adoption, the requirement to adhere to new standards is delayed. On the other hand, many of the expanded security and privacy provisions take effect much sooner, and some impact the healthcare industry outside the formal rulemaking process. Congress included provisions along with listed requirements that allow HHS to promulgate interim final rules that do not require public comment but will need to go through the public comment process before being finalized.

All health care entities and vendors with access to individually identifiable health information must pay attention to these new provisions. Given language regarding increased enforcement, it would be advisable to review the new requirements and implement those requirements as soon as practicable rather than reacting after the fact as has been the case with several healthcare entities.

Also, earlier provisions in Title XIII include a requirement to implement appropriate privacy and security controls to be eligible to take advantage of stimulus dollars associated with Title XIII. This is covered in certification requirements, standards development, electronic health record funding, etc. These are not specific ongoing legal requirements but are tied to the ability to take advantage of funds made available through ARRA.

HITECH Policy & Procedures Updates for HIPAA Privacy and Security.

Please note that these policies are ONLY updates to HIPAA Privacy and Security rule’s policy and procedures requirements. You need HITECH updates assuming that you have all the other required policies and procedures as per the HIPAA Privacy and Security rule.

If you want to meet the HIPAA requirements for HIPAA Privacy and Security rule, you need to buy the following templates which include HITECH updates and all HIPAA requirements.

The HITECH Policy updated template suite includes 12 policy and procedure updates due to the HITECH Act for HIPAA Privacy and Security. The cost for the template suite is $99.

  • Business Associates contract policy
  • Breach notification policy
  • Security incident response policy
  • Sanctions policy
  • Marketing policy
  • Fundraising policy
  • Request for a copy of the medical/claims record policy
  • Restriction request policy
  • Minimum necessary policy
  • Receipt of payment when disclosing PHI
  • EHR accounting of disclosures policy
  • Response and Reporting policy

Sample HITECH Policy

No refund or exchanges after purchase.

For an in-depth understanding of the ARRA HITECH Act ask for our HITECH update training. Email us at for details on how to view the free course.

View HIPAA Security Policies and Procedures


HIPAA Policies and Procedures Update for ARRA – HITECH Act is rated 4.8 out of 5 by 325 users.