Written by Dianne Bourque
Effective February 17, 2010, significant new compliance obligations will be imposed on business associates through the HITECH provisions of the American Recovery and Reinvestment Act of 2009 ("ARRA"). Business associates (that is, organizations that use or disclose protected health information on behalf of covered entities subject to HIPAA) will be directly liable for compliance with certain provisions of the HIPAA Privacy Rule and the HIPAA Security Standards, and may be audited by the Department of Health and Human Services ("HHS"). They will also be subject to increased civil and criminal penalties for non-compliance.
DATA PRIVACY DAY REMINDER: Time to update business associate agreements to reflect HITECH's new breach-notice provisions and other requirements. Business associates must also, at a minimum, (i) undertake and complete a security risk assessment, (ii) prepare and adopt written security policies and procedures, and (iii) conduct workforce training in those policies and procedures.
For more information, see the related blog post: "Privacy and Security Information - Privacy MATTERS: Federal Breach Notification Rules -- NEXT WEEK. Are you ready?"