From the day the HITECH Act became law as part of the American Recovery and Reinvestment Act, some experts were quick to point out that the act sets out the nation's first federal data breach notification requirement. Others said HIPAA enforcement efforts were about to look altogether different thanks to the HITECH Act.
Schwabe, Williamson and Wyatt shareholder Kelly Hagan, for instance, said the most significant provisions were for enforcement incentives to the Department of Health and Human Services' Office of Civil Rights. He told me, in part:
"If history is any guide, then OCR's current complaint-driven, compliance-oriented approach to enforcement will shift quickly to a more aggressive and punitive strategy."
But Goodwin Procter senior counsel Jacqueline Klosek and her colleagues were some of the first to tell us what the expanded reach of HIPAA requirements would mean for those companies that are classified as "business associates" of HIPAA-covered entities. And now that the Department of Health and Human Services and the Federal Trade Commission have issued rules relating to how the data breach notification and other HITECH Act requirements will apply to "business associates," Klosek explains what companies classified as business associates need to do to prepare for the Feb. 10, 2010, compliance deadline in a guest opinion for IT Business Edge.
Among other things, she notes that business associates should limit "the amount of protected health information they access, receive or process," review security controls and add encryption where possible, develop an "incident response plan," and train their employees both in how to properly handle health information and in how to carry out that incident response plan.
In closing, Klosek cautions:
"While the regulators have asserted they will not enforce the breach notification requirements until February 2010, the requirements are now in effect. Accordingly, it is vital that business associates undertake efforts to develop and implement a compliance strategy without further delay."