On February 17, 2009, the Stimulus Bill was signed into law primarily to stabilize the struggling economy by creating jobs and assisting those affected by the recession. Quietly, another significant set of provisions was included, called the Health Information Technology for Economic and Clinical Health ("HITECH") Act, addressing the protection of electronic protected health information ("PHI"). It is important to be aware that the HITECH Act requirements became effective on February 17, 2010.
Essentially, the HITECH Act expands the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") to directly apply to business associates (previously done through contracts) and adds some additional notification requirements. The specific requirements were previously discussed in detail in the article titled "It's Not Just About the Money – How the New Stimulus Bill Expands HIPAA Privacy and Security Requirements," published in the May 2009, Volume 6, Issue 2, SettlePou Newsletter. It should be noted that CPAs, lawyers and business consultants or any other business that acquires PHI are included within the scope of the definition of "business associates" and, therefore, must implement the statutory safeguards, policies and procedures to protect the PHI they are receiving from covered entities. This requires that business associates develop and implement a HIPAA policy as of February 17, 2010. So if you have not developed a HIPAA policy, you are not in compliance!
Applicable individuals and businesses should have already initiated efforts to determine if their privacy and security procedures are in compliance with the new rules and address any deficiencies accordingly.