The HITECH Act, which was passed in 2009 under the American Recovery and Reinvestment Act (ARRA), strengthened several of the privacy and security protections under HIPAA. Under HITECH, business associates of HIPAA-covered entities, such as contractors, must comply with HIPAA privacy and security requirements. The Act strengthened rules related to the disclosure of PHI for marketing and fundraising, and it prohibits the sale of PHI without an individual’s authorization. The Act also requires HIPAA-covered entities to notify individuals and HHS of any breach of unsecured PHI and to report breaches affecting more than 500 residents of a state or jurisdiction to media outlets in the affected area.5
5 “Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act,” 45 CFR Parts 160 and 164. Available at [http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf]. Accessed June 3, 2014.