The HITECH Act is part of the American Recovery and Reinvestment Act of 2009. This law strengthened several of the privacy and security protections under HIPAA. For example, business associates of HIPAA-covered entities, such as contractors, must comply with HIPAA privacy and security requirements. The Act also strengthened rules related to disclosure of PHI for marketing and fundraising, and it prohibits the sale of PHI without an individual’s authorization. In addition, the Act requires HIPAA-covered entities to notify individuals and HHS of any breach of unsecured PHI and to report breaches affecting more than 500 residents to media outlets in the affected area.9
9 “Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act,” 45 CFR Parts 160 and 164. Available at [http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf]. Accessed June 3, 2014.