Recent HITECH Act Activity Requires Employers’ Attention to Health Plans

Congress significantly modified HIPAA’s privacy and security rules in 2009 when it enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act. Among other things, the HITECH Act adds breach notification requirements and additional individual protections with respect to the use and disclosure of protected health information.

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has made two recent pronouncements in connection with the HITECH Act. Employers who sponsor health plans for their employees should review their HIPAA compliance program in light of these pronouncements.

New Regulations

OCR officials have recently stated that it is their goal to issue final HITECH regulations before the end of the year. If they succeed, the revised regulations will likely become effective sometime in 2012. These regulations will affect most employers who sponsor group health plans for their employees and will require changes to the plans’ policies and procedures as well as amendments to existing business associate agreements. OCR recognizes that the existing HIPAA rules do not address technological advances that have occurred since it adopted the original HIPAA security rules in 2003.
The HITECH Act requires OCR to conduct periodic audits to ensure compliance with the HIPAA privacy and security rules. Towards that end, OCR announced that it will immediately begin an initiative in which it will audit approximately 150 covered entities to assess compliance. OCR has stated it will be auditing a broad range of health plans as part of its initiative, so even plans sponsored by small employers will be targeted. The audits will include in-person site visits.

Separately, OCR has already drastically stepped up its enforcement activity and has sought and recovered large monetary penalties from covered entities for failing to comply fully with HIPAA.

Action Steps

Each employer should review all aspects of its HIPAA compliance program, from beginning to end, including:

  • Updating its HIPAA policies and procedures to comply with the final HITECH Act rules and take into account new technology (such as smartphones, tablets, and other portable devices) that did not exist when the employer completed its initial security review.
  • Planning ahead to be able to document that it is HIPAA-compliant in the event of an OCR audit or other investigation.
  • Revising and delivering new notices of privacy practices to participants to reflect the final HITECH Act rules when issued.
  • Confirming there is in effect a valid agreement with each business associate and communicating with its business associates to start the process of amending these agreements in accordance with the new HITECH Act rules.
  • Training its workforce as to the new HITECH Act requirements.

For More Information

For further information, please contact Charles C. Scheim at 610.478.2282 or the Stevens & Lee attorney with whom you normally work.

This News Alert has been prepared for informational purposes only and should not be construed as, and does not constitute, legal advice on any specific matter. For more information, please see the disclaimer.