8/29/2009

In February, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed under the American Recovery and Reinvestment Act of 2009 (ARRA). The purpose of the act was to create a nationwide information technology infrastructure that would allow controlled electronic dissemination of health information (EMR).

HITECH rules, which are currently being promulgated by HHS, will place more responsibilities on covered business entities and their business associates. On August 18, a new regulation will go into effect which requires covered entities and their business associates to provide notice of breaches or unauthorized disclosures of protected health information (PHI) within 60 days. Covered entities would be required to provide notification to the breached individuals, HHS and in cases where 500 or more people are affected, to the media outlets. HHS has created a “safe harbor” if specific methodoligies and technologies are used to secure information.

All covered entities should, at this time, review their safeguards, training and documentation in order to guarantee the entities’ compliance with all of these rapdidly changing regulations.

By February 2010, HHS will release a number of specific modifications to HIPAA with regards to electronic transmission of PHI. These will involve additional disclosure accountability, extensions of the HIPAA rule for business associates, tighter PHI controls and a number of additional modifications.

It is incumbent on all providers to closely monitor these regulations as they come in to effect.