Notice of Proposed Rulemaking to Implement HITECH Act Modifications

HHS issued a notice of proposed rulemaking to modify the HIPAA Privacy, Security, and Enforcement Rules. 

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, is designed to promote the widespread adoption and standardization of health information technology, and requires HHS to modify the HIPAA Privacy, Security, and Enforcement Rules to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules.

The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans.  In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

The public is invited to comment on the provisions of the proposed rule for 60 days following publication in the Federal Register at

View the Notice of Proposed Rulemaking.

View the HHS news release announcing the Notice of Proposed Rulemaking.

View the Joint Statement on Building Trust in Health Information Exchange through Privacy and Security, issued by OCR Director Georgina Verdugo and Dr. David Blumenthal, the National Coordinator for Health Information Technology. 

Frequently Asked Questions for Professionals - Please see the HIPAA FAQs for additional guidance on health information privacy topics.

Content created by Office for Civil Rights (OCR)
Content last reviewed