The Health Information Technology for Economic and Clinical Health (HITECH) Act included changes to HIPAA. To implement the changes in the HITECH Act, the U.S. Department of Health and Human Services (HHS) published proposed rules. The comment period expired on September 13, 2010, and it is anticipated that final rules will be published in the near future. HHS has indicated that in most cases, parties affected by modifications to the "HIPAA Rules" will be afforded a 180-day compliance period after publication of the final rules, although the final rules will ultimately control the effective date for compliance.

There are several significant changes proposed. For example, the definition of "business associate" would be modified under the Privacy Rule to include subcontractors, and, as business associates, such subcontractors would be obliged to comply with the HIPAA Rules and exposed to the enforcement powers of the Secretary for non-compliance. Business associates will also be required to comply with certain provisions of the Security Rule, including, for example, the implementation of administrative, physical and technical safeguards, and security policies and procedures. Failure to comply with such requirements could result in civil and/or criminal liability. The Enforcement Rule would be expanded to include the imposition of civil monetary penalties on business associates for the acts or omissions of their agents. The above is but a small sampling of the changes that are coming, and covered entities, business associates and their agents will need to be diligent in monitoring the rules as they are finalized and be prepared to take the steps necessary to comply with the final rules.
Click here to view the first edition of The HIPAA Minute, which contains an overview of the proposed rule changes regarding the HIPAA Privacy Rule, Security Rule and Enforcement Rule, prepared by our Privacy Practice Team leader Susan Pauley.
We hope you find this helpful.