The Health Information Technology for Economics and Clinical Health (HITECH) Act went into effect on February 18, 2009. It promotes the safe and meaningful use of health information technology. Before the HITECH Act, the Privacy Rule did not govern business associates directly. However, the HITECH Act makes specific requirements of the Privacy Rule applicable to business associates. It creates direct liability for the uses and disclosures of PHI by business associates that do not comply with its business associate contract or other arrangement under the Privacy Rule.
Any Privacy Rule limitation on how a covered entity may use or disclose protected health information automatically extends to a business associate.