We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published. The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule. Similarly, the HITECH Act requires covered entities to provide in their business associate agreements that all of the HITECH Act’s security requirements applicable to covered entities are also applicable to business associates.
The Office for Civil Rights (“OCR”), which enforces HIPAA’s Privacy and Security Rules, has stated publicly that it is carefully evaluating how to proceed with HIPAA enforcement. For example, Section 13411 of the HITECH Act requires HHS to “provide for periodic audits to ensure that covered entities and business associates” are complying with the HITECH Act and its implementing regulations. At the 18th Annual National HIPAA Summit in early February, Sue McAndrew, the OCR’s Deputy Director for Health Information Privacy, explained that there are “1,000 ways” to conduct HIPAA audits and that OCR is working with a HIPAA expert to “map out essentially the range of options” to determine how best to effectively conduct HIPAA audits.
Despite the delay in enforcement, covered entities and business associates should take necessary actions to comply with the HITECH Act’s requirements. Please see our client alert on HITECH compliance for more information.