> Minor quibble - HIPAA and HITECH are not the same thing
They are separate legislative actions, but HITECH is largely amendments to HIPAA, and can't really be considered in isolation. References to what HIPAA requires generally refer to not only the original HIPAA enactment but subsequent amendments (such as, but not limited to, those in the ACA and HITECH), and regulations and guidance adopted under HIPAA (as amended). Distinguishing HITECH from HIPAA makes sense in terms of discussing legislative history, but less so in terms of discussing current rules.
It is also not accurate to draw the division as HIPAA being "general policy" and HITECH being "how that policy can be implemented in technology." It's true that HITECH (more precisely, guidance/regulation mandated by and adopted subsequently to HITECH's amendments to HIPAA) provides more technical specificity in some areas, particularly privacy/security, than was in HIPAA (and regulations under HIPAA) prior to HITECH, but HITECH also amended aspects of HIPAA that fall into the general policy area (for instance, direct liability of Business Associates), and there were specific technical standards adopted under HIPAA prior to HITECH and also under mandates stemming from post-HITECH (notably, ACA) amendments to HIPAA.