HIPAA Compliance Plan



This page reviews the pertinent dates from the HITECH Act Subtitle D and provides commentary as appropriate:

February 17, 2009: HITECH Act Enacted

On February 17, 2009 (Upon Enactment)

HIPAA Survival Guide Note:

Clearly this raises the stakes from day one. We don't know of any cases brought by a state AG as of yet (circa August 2009), but when it happens it is guaranteed to make the national news.

By April 20, 2009 (Within 60 Days of Enactment)

HIPAA Survival Guide Note:

Notification of breach requirements were covered in this post. Section 13402 of HITECH's Subtitle D is the relevant section. HHS has provided the required guidance and therefore unsecured PHI now is defined (paraphrased and annotated) as follows:

13402(h): unsecured PHI means PHI that is not secured through: 1) encryption; and/or 2) destruction, as provided by HHS guidance. Methods must render PHI “unusable, unreadable, or indecipherable” to unauthorized individuals (see HIPAA Security Rule & NIST standards).

By August 18, 2009 (Within 180 Days of Enactment)

HIPAA Survival Guide Note:

Breach notification is covered in Section 13402 of HITECH's Subtitle D.

By December 31, 2009 (By this Specific Date)

HIPAA Survival Guide Note:

The relevant Subtitle D Section is 13405.

By February 18, 2010 (Due Within One Year Post Enactment)

HIPAA Survival Guide Note:

PHR (personal health records) vendors include companies like Google and Microsoft. These are "cloud computing" offerings that allow consumers/patients to track their own health information. EHR vendors are also offering cloud solutions as discussed here.

On February 18, 2010 (Effective One Year Post Enactment)

  • Application of rules to, and accountability for, business associates.
  • Clarification regarding which entities are required to be business associates.
  • Patient's right to restrict disclosures to health plans.
  • Deeming of limited data set as satisfying the minimum necessary standard.
  • Patient's right to electronic access to, and an electronic copy of, their health record.
  • Clarification regarding marketing provisions.
  • Opt-out for fundraising communications; HIPAA's current provisions regarding fundraising remain in full force and effect.
  • Clarification regarding the ability to impose criminal penalties against individuals.
  • Civil monetary penalties and settlements flowing to HHS/OCR (Office of Civil Rights) for enforcement.
  • Requirement for HHS to begin conducting mandatory audits.

HIPAA Survival Guide Note:

The last two "bulleted" items are covered in Sections 13410 and 13411. Refer to this post for more information regarding improved enforcement (13410) and this one for mandatory audits (13411).

By August 18, 2010 (Within 18 Months of Enactment)


By January 1, 2011 (By this Specific Date)

HIPAA Survival Guide Note:

The relevant Subtitle D Section is 13405.

By February 18, 2011 (Within 24 Months of Enactment)

HIPAA Survival Guide Note:

Individuals still cannot bring a civil action but clearly will now have more financial incentive to file a HIPAA complaint. The definition of "willful neglect" is still an open question. Refer to this post for commentary regarding same.

By February 18, 2011 (Within 24 Months of Enactment)

HIPAA Survival Guide Note:

Given the lax enforcement of HIPAA's Privacy & Security Rules prior to the HITECH Act, I am certain that HHS is going to have no problem finding instances of "willful neglect"--especially for those unlucky few to be the first ones audited.

On February 18, 2012 (36 Months of Enactment)

HIPAA Survival Guide Note:

It should be fairly clear that the HITECH Act has provided HHS with a money machine and individuals get to play for more than "funzies."

By 2013 (By this Year)

HIPAA Survival Guide Note:

The relevant Subtitle D Section is 13405.

By January 1, 2014 (By this Specific Date)

HIPAA Survival Guide Note:

The relevant Subtitle D Section is 13405.

On February 18, 2014 (60 Months of Enactment)

By 2016 (By this Year)

HIPAA Survival Guide Note:

The relevant Subtitle D Section is 13405.


You can find an excellent summary of the modifications to HIPAA mandated by the HITECH Act here. It is one of the more thorough summaries we have found to date, with Appendix A containing a calendar of HITECH/HIPAA due dates and effective dates.
