Better known colloquially as the “stimulus” bill, the American Reinvestment and Recovery Act of 2009 (the Act) contained a hodgepodge of additional provisions with little apparent connection to the U.S. economy. Title XIII of the Act, entitled the Health Information Technology for Economic and Clinical Health (HITECH) Act, is such a provision. Among other things, HITECH makes “business associates” directly responsible for complying with certain provisions of the HIPAA privacy rule and all of the HIPAA security rules. But as a consequence of an important disconnect between the Act’s legislative history relating to the scope of the expansion of the privacy rule, it is not entirely clear what is required. Moreover, while the statutory effective date is fast approaching, the Department of Health and Human Services (HHS) has yet to issue guidance in the matter.