HITECH Act Compliance Date Arrived -- Without the Promised Regulatory Guidance

We have been so focused on the upcoming Massachusetts data security deadline that we let one pass last week without fanfare. As we have gently reminded you on several occasions, the new HIPAA privacy and security rules contained in the Health Information Technology for Clinical and Economic Health Act (HITECH) became effective on February 17th.

The HITECH Act was passed as part of the “Stimulus Bill” on February 17, 2009. Although rumors continue to swirl that additional regulations will be forthcoming shortly (the latest rumor is that the East Coast blizzard slowed down the review and approval process), it is clear that they were not out as of the February 17th effective date. Therefore, covered entities and their business associates must act immediately on the terms of the HITECH statute itself.

HITECH imposes new HIPAA rules on covered entities and their business associates. New data breach notification rules require covered entities to review any possible wrongful disclosures to determine whether to warn individuals or notify the federal government or the press. Covered entities should have policies in place to meet these requirements in the event of a breach. Covered entities should review and revise their business associate agreements and their other policies and procedures as well.

HITECH also makes most HIPAA rules applicable directly to business associates. If your company serves healthcare providers or insurance plans (including group health plans), and you receive health information, you are probably a business associate and are covered by these changes. Most importantly, business associates must adopt HIPAA policies and procedures to protect the security of the information they collect, hold and use. In addition to the contractual obligations business associate agreements put on them, business associates are now directly liable under HIPAA.

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.