Today is the compliance deadline for many of the HIPAA changes resulting from the HITECH Act (September 23, 2013).   Entities that routinely handle patient information – healthcare providers, health plans, and the vendors and contractors that service the healthcare industry – are now subject to the HITECH Act's enhanced HIPAA obligations and penalties.

HITECH compliance generally requires policy updates, contract revisions, training, and other action steps described below.  Even if your company has yet to complete these steps, it is not too late to take action.

As noted in prior alerts, Covered Entities, Business Associates, and Business Associate "Subcontractors" should address the following eight issues in light of the HITECH requirements:

  • Fulfill Security Rule Requirements
  • Update Privacy Rule Policies
  • Identify Business Associates
  • Identify Business Associate "Subcontractors"
  • Update Business Associate Agreements and Implement Business Associate Agreement "Subcontracts"
  • Update Breach Notification Polices and Procedures
  • Train Workforce on New Policies
  • Reconsider Vendor Management Programs, Processes and Guidelines

The federal agency with oversight over HIPAA Privacy and Security Rule enforcement is issuing administrative guidance and policy statements regarding various aspects of the HITECH regulations.  Thus far, these statements address:

  • Guidelines on disclosure of patient information for certain marketing purposes
  • Decedents' health information
  • Disclosure of student immunization data
  • •Use and disclosure of patient information to law enforcement
  • •The federal government has also issued a model Notice of Privacy Practices and Business Associate Agreement that Covered Entities and Business Associates can utilize when developing and tailoring their own documents suited to their particular needs, circumstances, and existing contractual requirements.

A summary of HITECH compliance action steps can be found here.

A copy of the HIPAA-HITECH Final Rule, as well as prior Nelson Mullins summaries of the new HIPAA requirements, is available here.