
Health Law and Employee Benefits Alert: HHS Announces Delay in Enforcement of HITECH Rules as Applied to Business Associates



3/26/2010

As reported in a previous client advisory, Title XIII of the American Reinvestment and Recovery Act of 2009, entitled the Health Information Technology for Economic and Clinical Health (HITECH) Act, makes “business associates” directly responsible for complying with certain provisions of the HIPAA privacy rule and all of the HIPAA security rules. (For a full discussion of the requirements imposed by the HITECH Act, see our HITECH overview.) Although these rules were slated to take effect in February 2010, the U.S. Department of Health and Human Services (HHS) has not yet issued rules on this particular requirement.

In a recent post to its website, HHS’s Office of Civil Rights has let it be known that a proposed rule implementing the HITECH Act’s privacy and security provisions as they apply to business associate liability is in the works. The proposed rule will also deal with new limitations on the sale of protected health information, marketing, and fundraising communications, and stronger individual rights to access electronic medical records, among other things. According to the Office of Civil Rights, the proposed rule “will provide specific information regarding the expected date of compliance and enforcement of these new requirements.” We take this to mean that enforcement of these particular HITECH Act provisions will be delayed. The post includes a reminder, however, that interim final rules implementing HITECH Act provisions relating to enforcement and breach notification have already been issued and are currently in effect.

The implications for business associates are difficult to discern. The HITECH Act’s extensions of the HIPAA privacy and security rules are generally self-executing, i.e., they do not rely on implementing guidance from any government agency. Due to a disconnect between the statute and the legislative history, however, there is some confusion over the extent to which business associates must comply with the substantive privacy rules. It is hoped that the Office of Civil Rights will address this matter. While waiting for further guidance, business associates are best served by pressing ahead with their security compliance and with updating business associate agreements to comply with the HITECH Act.


For assistance in this area please contact one of the attorneys listed below or any member of your Mintz Levin client service team.
 

Employee Benefits and Executive Compensation

Alden Bianchi
Practice Group Leader, Employee Benefits and Executive Compensation
(617) 348-3057
AJBianchi@mintz.com

Health Law

Karen S. Lovitch
Practice Leader, Health Law Practice
(202) 434-7324
KSLovitch@mintz.com

Stephen M. Weiner
Chair, Health Law Practice
(617) 348-1757
SWeiner@mintz.com
