Plan sponsors should be aware of their obligations under the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Though enacted on February 17, 2009, many of HITECH’s provisions did not become effective until February 18, 2010. HITECH addresses the privacy and security concerns raised on account of the electronic transmission of health information.
HITECH significantly modified HIPAA’s privacy and security provisions in a number of ways. First, group health plans now must provide notice to individuals who have experienced a breach of their unsecured protected health information. Second, covered entities must comply with an individual’s request to restrict disclosures of his or her protected health information (“PHI”) for payment or health care operations if: (i) except as required by law, the disclosure is to the health plan for purposes of carrying out payment or health care operations and not for purposes of carrying out treatment; and (ii) the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out-of-pocket in full. Third, HITECH extended most of HIPAA’s rules to business associates of covered entities, including HIPAA’s increased civil and criminal penalty structure, and stepped-up enforcement. More information on HIPAA’s applicability to business associates is available in the fall issue of our Employment & Employee Benefits newsletter, available at http://www.srz.com/Employment--Employee-Benefits---Fall-2009-09-23-2009/.
However, on July 14, 2010, the Department of Health and Human Services (“HHS”) published its notice of proposed rulemaking regarding future changes to HIPAA and HITECH. Most notably, the Proposed Rule, entitled “Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act,” expands the definition of “business associate” and modifies HIPAA’s Privacy, Security and Enforcement Rules in a number of ways. Though HHS has proposed a one-year transition period for covered entities and business associates to make any necessary changes to their business associate agreements and other such documents (in addition to the 180-day compliance period starting on the day HHS issues the final rule), now is the time for employers to be aware of the changes they expect to make to their HIPAA and HITECH documents in the relatively near future.