Skip to main content

Will the Feds Delay HITECH Business Associate Provisions?

 |  By dnicastro@hcpro.com  
   February 22, 2010

A HIPAA privacy and security law firm is saying that OCR will delay enforcement of the HITECH provisions regarding business associates (BA) because it has yet to publish its own regulations surrounding those provisions.

Hunton & Williams LLP blogged Friday that Adam H. Greene, Office of the General Counsel for OCR, said the BA provisions will be delayed until final rules addressing those provisions are published. Greene spoke Thursday at the American Bar Association's 11th Annual Conference on Emerging Issues in Healthcare Law.

Though OCR has not published anything formally announcing a delay, at least one HIPAA expert believes a delay is likely.

Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP and author of HIPAA Blog, tells HealthLeaders Media that "it seems clear" OCR will not enforce any HITECH provision until it has published its own regulations and those regulations have become final.

Operating under HHS, OCR has published two regulations regarding HITECH and HIPAA—the HITECH Enforcement Final Rule and the interim final rule on breach notification.

The enforcement final rule, which includes a new penalty tier for breaches of unsecure PHI, is in effect. Breach notification is expected to be enforced starting today, February 22.

However, OCR has not published any rules or guidance on some key HITECH provisions—BA contracts and BA compliance with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule.

Regardless of a enforcement delay, HITECH compliance dates for BAs still apply by statute, Drummond says.

As of February 17, BAs must be in compliance with the security rule and parts of the privacy rule. And they must be entered into contract with covered entities.

"There's no delay on what the actual statute [HITECH] says," Drummond says. "So the statute is effective, and everyone is responsible for being in compliance. … Everyone should be aware that they are currently legally obligated to be in compliance with HITECH today, and there may be other enforcers (state AGs)."

So don't delay compliance, says William Miaoulis, CISA, CISM, HIPAA lead consultant for Phoenix Health Systems.

However, Miaoulis, too, feels enforcement is "a ways off, not only for covered entities but also BAs. … I don't think [OCR] is ready, and they know they were supposed to give guidance."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.

Tagged Under:


Get the latest on healthcare leadership in your inbox.