09.12.2013


Updates

The final regulations implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act were issued in January and compliance is required by September 23, 2013. The final regulations require covered entities, including employer-sponsored health plans, to make many changes to their documents and processes in order to comply with the new rules. Here is a compliance checklist that sponsors of health plans can use to measure their progress toward meeting the new requirements.

Business Associate Agreements

Review all business associate agreements and revise those that do not comply with the final HITECH regulations. 

  • Business associate is now defined as any person or entity that creates, receives, maintains or transmits Protected Health Information (PHI) on behalf of a covered entity, other than as a member of the workforce of the covered entity; inclusion of "maintains" is intended to categorize providers of cloud services as business associates, if they maintain PHI.

  • The definition of business associate now includes any subcontractor of a business associate that will create, receive, maintain or transmit PHI on behalf of the business associate, other than as a member of the workforce of the business associate. This creates an infinite flowdown: each business associate and subcontractor must require its subcontractors to comply with at least the same requirements that apply to it.

  • Business associates must be required to comply with all HIPAA security standards and implementation specifications.

  • Business associates must be required to comply with certain HIPAA privacy requirements.

  • Sample Business Associate Agreement Provisions published by HHS are available here, but we caution that these provisions will need customization.

  • There is limited transition relief under certain circumstances, but it applies to documentation only; substantive compliance with all final HITECH regulatory requirements is required by September 23, 2013.

 

Policies and Procedures

Review and, if necessary, revise the plan’s written policies and procedures to reflect the changes in the final HITECH regulations.  These include:

  • Changes relating to notification of breach of unsecured PHI;

  • Changes relating to individual's right of access to PHI;

  • Changes relating to the sale of PHI;

  • Changes relating to the use of PHI for marketing; and

  • Changes relating to the use of genetic information for underwriting purposes.

Notice of Privacy Practices

Review the Notice of Privacy Practices, revise it to comply with the final HITECH regulations, and determine how the revised Notice will be provided.

Retraining

Retrain all workforce members on all changes no later than September 23, 2013.

Employer-sponsored health plans may have additional obligations under the final HITECH regulations, depending on the specific circumstances of the plan. Contact counsel to assist you in your compliance efforts.

© 2013 Perkins Coie LLP


 
