On March 15, 2010, the Office of Civil Rights of the Department of Health and Human Services published an update on their rulemaking and enforcement efforts under the HITECH Act. It can be accessed here.

OCR acknowleged that they are still working on rulemaking covering business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. They reminded covered entities that the HITECH inerim final rule on Breach Notification will be enforced for breaches that occur after February 22, 2010, and new civil money penalty amounts will apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2010.

OCR states that its forthcoming Notice of Proposed Rulemaking and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of the remaining new requirements. Note - this is not the same as an indefinite deferral of compliance obligations. The safest approach remains good faith compliance with the HITECH Act now.