As February deadlines approach, health plan sponsors, health care providers, and their vendors need to act now to meet the new rules introduced by the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH (enacted as part of the American Recovery and Reinvestment Act of 2009) makes significant changes to HIPAA―including changes that subject various vendors directly to privacy and security requirements and require notice to individuals whose information is affected by a breach of privacy.

For earlier Ballard Spahr publications on the HITECH changes, click here. Ballard Spahr has also updated forms and tools that can assist your organization in meeting HITECH obligations.

By February 17, 2010, health plan sponsors and health care providers should review and, as appropriate, update their HIPAA forms to comply with the HITECH rules concerning such things as:

  • Agreements with vendors who handle individually identifiable health information ("Business Associates")
  • Internal policies and procedures
  • Notice of privacy practices
  • HIPAA plan amendments

Business associates under HIPAA will, for the first time, be directly subject to a number of HIPAA's privacy requirements and virtually all of its security requirements. If your organization is a business associate, you will need to make sure that you have the necessary documentation in place to comply with the applicable rules and designate a Security Official. 

On February 22, 2010, the new breach notification requirements become enforceable. Health plans, health care providers, and business associates will need to be alert for potential breaches. Each may have obligations with regard to a breach that ultimately require notice to affected individuals, the U.S. Department of Health and Human Services, and sometimes local media. You will need to make sure that appropriate procedures are in place before a possible breach occurs to allow enough time to investigate that breach and produce and deliver appropriate notices within the prescribed period. 

Every compliance effort will require training for relevant members of the workforce regarding these and other changes.

Stay tuned for additional Ballard Spahr alerts on HITECH compliance in the coming weeks, and feel free to contact the following members of our HIPAA Compliance Team or any member of our Employee Benefits and Executive Compensation Group for more information:

Jean C. Hemphill (215.864.8539;
Edward I. Leeds (215.864.8419;

Copyright © 2010 by Ballard Spahr LLP.
(No claim to original U.S. government material.)


All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.