February 17, 2010, Deadline for Implementing HIPAA Privacy Rule Amendments and HIPAA Business Associate Compliance

Hinshaw Health Law Alert

February 9, 2010
Hinshaw Health Law Alert

Numerous amendments to the HIPAA Privacy and Security Rules contained within the recently passed Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) add new requirements and new restrictions for HIPAA Covered Entities and their Business Associates. Health care organizations that fail to comply with the HIPAA requirements may be subject to civil monetary penalties up to $1.5 million annually, and criminal penalties for individuals or employees of Covered Entities or Business Associates who violate the HIPAA rules.

HIPAA Covered Entities

On or before February 17, 2010, all HIPAA Covered Entities should revise their Business Associate Agreements to:

On or before February 17, 2010, all HIPAA Covered Entities should revise their Notice of Privacy Practices and the following HIPAA Privacy policies and procedures to incorporate changes required by the HITECH Act:

Business Associates

On February 17, 2010, Business Associates who have access to protected health information in the course of the services they provide to entities covered directly by HIPAA will, for the first time, be directly subject to many of the requirements of HIPAA.  HIPAA Business Associates will be subject to most of the HIPAA Privacy and Security Rule requirements, including direct regulation by the Office for Civil Rights and enhanced penalties for HIPAA violations. Among other things, by February 17, 2010, HIPAA Business Associates should:

For additional information, please contact Michael A. Dowell or your regular Hinshaw attorney before the February 17, 2010, deadline

This alert has been prepared by Hinshaw & Culbertson LLP to provide information on recent legal developments of interest to our readers. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship.