Elizabeth E. Hogue, Esq.
Many providers have asked whether they should modify their business associate agreements to comply with the HITECH Act. There is, in fact, ongoing discussion and debate in the legal community about this issue. It seems fair to say that business associate agreements should be modified to comply with the requirements of the HITECH Act regarding notification of breaches, since final regulations have been published implementing these requirements.
On August 19, 2009, the Department of Health and Human Services (HHS) issued an interim final rule entitled “Breach Notification for Unsecured Protected Health Information.” This rule describes how healthcare providers must notify patients when the security of their protected health information has been breached. Providers were required to comply with these new requirements beginning on September 23, 2009. Providers are also required to revise their internal policies to include these requirements.