New requirements making the HIPAA privacy and security rules applicable to business associates of healthcare entities became effective on February 17, 2010. However, the new requirements, under the Health Information Technology for Economic and Clinical Health ("HITECH") Act, may not be enforced immediately. Speaking at an ABA conference last week, Adam H. Greene of the Office of General Counsel of the U.S. Department of Health and Human Services' Office for Civil Rights ("OCR"), which enforces the HIPAA rules, stated that enforcement of the business associate provisions would be delayed until final regulations are issued. OCR has not formally published notice of the enforcement delay.
Other provisions of the HITECH Act, including increased penalties for data breaches, are already in effect. New breach notification requirements became effective this week.
Covered entities and business associates would be wise to ensure compliance with the HITECH Act notwithstanding the possible enforcement delay.