OCR may delay enforcement of business associate provisions in the HITECH Act
Pursuant to the HITECH Act, on February 17, 2010, business associates of covered entities became subject to the HIPAA Privacy and Security Rules, including provisions regarding implementation of various safeguards to secure protected health information. As Steve Fox pointed out in a recent report on the subject by the Pittsburgh Business Journal, it is highly unlikely that most companies are ready to comply with these dramatic changes.
However, according to Hunton & Williams's privacy blog, Adam Greene of the HHS Office for Civil Rights (OCR) stated at an ABA conference on February 18, 2010, that OCR will delay enforcement of this provision of the HITECH Act until the relevant regulations are finalized. OCR itself did not publish a press release on the subject, and we were unable to reach Mr. Greene for comment.
Regardless of OCR's intent to enforce compliance, the business associate provisions in the HITECH Act went into effect last week. We would strongly encourage all covered entities and business associates to take all necessary actions to comply with the new law.
"Privacy policies over electronic health records expand reach," Pittsburgh Business Journal (February 19, 2010).
"HHS Delays Enforcement of HITECH Act Business Associate Provisions," Privacy & Information Security Law Blog (February 19, 2010).