As February deadlines approach, health plan sponsors, health care providers, and their vendors need to act now to meet the new rules introduced by the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH (enacted as part of the American Recovery and Reinvestment Act of 2009) makes significant changes to HIPAA?including changes that subject various vendors directly to privacy and security requirements and require notice to individuals whose information is affected by a breach of privacy.

For earlier Ballard Spahr publications on the HITECH changes, click here. Ballard Spahr has also updated forms and tools that can assist your organization in meeting HITECH obligations.

By February 17, 2010, health plan sponsors and health care providers should review and, as appropriate, update their HIPAA forms to comply with the HITECH rules concerning such things as:

  • Agreements with vendors who handle individually identifiable health information ("Business Associates")
  • Internal policies and procedures
  • Notice of privacy practices
  • HIPAA plan amendments

Business associates under HIPAA will, for the first time, be directly subject to a number of HIPAA's privacy requirements and virtually all of its security requirements. If your organization is a business associate, you will need to make sure that you have the necessary documentation in place to comply with the applicable rules and designate a Security Official.

On February 22, 2010, the new breach notification requirements become enforceable. Health plans, health care providers, and business associates will need to be alert for potential breaches. Each may have obligations with regard to a breach that ultimately require notice to affected individuals, the U.S. Department of Health and Human Services, and sometimes local media. You will need to make sure that appropriate procedures are in place before a possible breach occurs to allow enough time to investigate that breach and produce and deliver appropriate notices within the prescribed period.

Every compliance effort will require training for relevant members of the workforce regarding these and other changes.