After learning of comments on HIPAA enforcement made by a member of the HHS OCR legal staff at an ABA meeting on health care issues, I contacted him directly.  Adam Greene confirmed that HITECH Act changes to HIPAA rules regarding business associate agreements will be implemented through standard notice and comment rulemaking, noting that this has been OCR's public take on the issue.  Thus, a notice of proposed rulemaking will be published "shortly," followed by promulgation of a final rule after a comment period.  Even thought the statute calls for the BAA provisions to be effective this month, they clearly will not be.  The breach notification and penalty provisions are already the subject of an interim final rule, so they are in effect. 

As I wrote several months ago,

"business associates" under HIPAA are now required to implement policies and procedures to maintain privacy and security of PHI, parallel to those that have been required of "covered entities" under HIPAA since the beginning. All business associate agreements and notice of privacy practices (NPPs) will have to be updated to account for the new requirements before February. Health care providers that wish to distinguish themselves should consider revising their NPPs to highlight the ease with which they will make copies of records available to patients. This is a bone of contention for many patients, and ensuring that patients' rights to their records are easily exercised could be a way to build goodwill among patients and potential patients.

Thanks to Bob Coffield for pointing to the post on the ABA meeting and raising the question.

I urge all covered entitites and business associates to take heed of these new requirements and begin planning now for implementation of the soon-to-be-released regulations.  Don't sit back and end up being made an example of by OCR (e.g., with a million-dollar fine) or by a state attorney general.  Contact the HealthBlawger now.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting