We have been so focused on the upcoming Massachusetts data security deadline, that we let one last week go without fanfare. As we have gently reminded you on several occasions, the new HIPAA privacy and security rules contained in the Health Information Technology for Clinical and Economic Health Act (HITECH) became effective on February 17th.
The HITECH Act was passed as part of the “Stimulus Bill” on February 17, 2009. Although rumors continue to swirl that additional regulations will be forthcoming shortly (the latest rumor is that the East Coast blizzard slowed down the review and approval process), it is clear that they were not out as of the February 17th effective date. Therefore, covered entities and their business associates must act immediately on the terms of the HITECH statute itself.
HITECH imposes new HIPAA rules on covered entities and their business associates. New data breach notification rules require covered entities to review any possible wrongful disclosures to determine whether to warn individuals or notify the federal government or the press. Covered entities should have policies in place to meet these requirements in the event of a breach. Covered entities should review and revise their business associate agreements and their other policies and procedures as well.
HITECH also makes most HIPAA rules applicable directly to business associates. If your company serves healthcare providers or insurance plans (including group health plans), and you receive health information, you are probably a business associate and are covered by these changes. Most importantly, business associates must adopt HIPAA policies and procedures to protect the security of the information they collect, hold and use. In addition to the contractual obligations business associate agreements put on them, business associates are now directly liable under HIPAA.