The Department of Health and Human Services Office for Civil Rights (OCR) has an announcement on its website that it is working on regulations on the privacy and security provisions of the HITECH Act. (The HITECH Act was passed as part of the American Recovery and Reinvestment Act of 2009.)
The new regulations to be issued will focus on:
- business associate liability;
- limitations on marketing, fundraising communications, and the sale of PHI; and
- stronger individual rights to access electronic medical records and restrict the disclosure of certain information.
The effective date (Feb. 17, 2010) for many of these HITECH Act provisions has already passed; OCR has therefore stated that the regulations will provide specific information on the expected date of compliance with, and enforcement of, these new requirements.
The announcement contains a reminder to covered entities (including health plans) and business associates that regulations implementing the HITECH Act's breach notification and enforcement provisions have already been issued and are currently in effect. Under those rules, covered entities are required to provide notification of a breach of unsecured PHI to HHS, affected individuals, and, in certain circumstances, the media. In addition, increased civil monetary penalties apply to both covered entities and business associates for violations of HIPAA's privacy and security rules.
The announcement does not indicate when OCR expects to issue the new regulations under the HITECH Act. Because of this and in light of the strengthened enforcement provisions, health plans (and their business associates) should comply with the statutory requirements of the HITECH Act while they await issuance of the regulations.
The HITECH Act Rulemaking and Implementation Update is available on the HHS-OCR webpage.