The Health Information Technology for Economic and Clinical Health Act (HITECH Act) will soon require employers to provide notice to plan participants, the U.S. Department of Health and Human Services (HHS) and maybe even the media, following breaches of protected health information (PHI). The HITECH Act goes beyond the Health Insurance Portability and Accountability Act (HIPAA) and adds new requirements for employers who in the past may not have worried much about PHI.

Is that enough acronyms for you?

The HITECH Act is part of the stimulus package enacted in February. The new regulations will cover breaches that occur after September 23, 2009. However, HHS has announced a 120-day grace period, which means enforcement won’t begin in earnest until February 22, 2010.

What should employers do between now and then? Plenty, including (among other things):

• become familiar with the new regulations;
• revise existing HIPAA policies and procedures;
• implement a breach response plan;
• discuss the plan with business associates and negotiate modifications to existing business associate agreements; and
• train employees.

For a couple of excellent articles on this topic, including FAQs and step-by-step instructions, click here and here.

This entry was posted on Thursday, August 27th, 2009 at 7:34 am and is filed under Benefits, HIPAA, Personal Health Information (PHI), Privacy. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.