The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued an omnibus final rule (Final Rule) on January 17, 2013, implementing various provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The Final Rule takes effect on March 26, 2013, with a compliance date of September 23, 2013. The Final Rule was published in the Federal Register on January 25, 2013, and is available here.
As a result of this Final Rule, organizations need to take several "Action Items" to ensure they are compliant. Here are a few suggested "Action Items":
- Covered entities and business associates will need to review their policies and procedures prior to the September 23, 2013 compliance date so that they can identify and implement all changes that are needed in order to comply with the Final Rule. In addition, Notices of Privacy Practices will need to be revised and appropriate training should be provided to personnel of covered entities and business associates prior to the compliance date.
- In light of the expanded definition of "business associate" to include subcontractors, any vendor or other business that performs functions for a covered entity or another business associate involving the use or disclosure of PHI should determine whether it is a "business associate" and, if so, what steps need to be taken in order to comply with the Privacy, Security and Breach Notification Rules by the compliance date.
- Your data privacy policies, practices, agreements, Incident Response Plans, and Information Security Programs will need to be reviewed, and most likely revised, for compliance with this Final Rule.
To read our full Alert on the HITECH Final Rule, click here.
Stay tuned for our upcoming Alerts on the Final Rule, including Alerts focused on the Breach Notification Rule and on implications for business associates, as well as our Business Hour event on the Final Rule.