HITECH Deadline Looms Over Covered Entities
Recent changes enacted as part of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and its implementing regulations require Covered Entities and their Business Associates to implement Security Breach Notification procedures and may require revisions to existing Business Associate Agreements (“BAAs”). HITECH was passed as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”). The new requirements became effective September 23, 2009, following the publication of the Department of Health and Human Services (“DHHS”) Security Breach Notification Interim Final Rule (the “Interim Rule”) in August of 2009. Their enforcement begins on February 23, 2010.
HITECH requires Covered Entities to report to the affected patient, and in some cases to the Centers for Medicare and Medicaid Services (“CMS”) and/or the local media, any breach of the security of “unsecure” protected health information (“PHI”) held in electronic form. The law applies to Business Associates, and BAAs are required to incorporate specific provisions of the law. Accordingly, all Covered Entities and Business Associates should review their BAAs and policies/procedures to ensure compliance with HITECH.
