Data Privacy Day Tip #2 - HITECH Act

Written by Dianne Bourque

Effective February 17, 2010, significant new compliance obligations will be imposed on business associates through the HITECH provisions of the American Recovery and Reinvestment Act of 2009 ("ARRA"). Business associates (or organizations that use or disclose protected health information on behalf of covered entities subject to HIPAA) will be directly liable for compliance with certain provisions of the HIPAA Privacy Rule and the HIPAA Security Standards, and may be audited by the Department of Health and Human Services ("HHS"). They will also be subject to increased civil and criminal penalties for non-compliance.

DATA PRIVACY DAY REMINDER: Time to update business associate agreements to reflect HITECH's new breach-notice provisions and other requirements. Business associates must also, at a minimum, (i) undertake and complete a security risk assessment, (ii) prepare and adopt written security policies and procedures, and (iii) conduct workforce training in their policies and procedures.

Link to blog post for more information:
Privacy and Security Information - Privacy MATTERS: Federal Breach Notification Rules -- NEXT WEEK. Are you ready?
