Ready For HITECH Changes On September 23, 2013? Find Out With This Compliance Checklist For Employer-Sponsored Health Plans


The final regulations implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act were issued in January and compliance is required by September 23, 2013. The final regulations require covered entities, including employer-sponsored health plans, to make many changes to their documents and processes in order to comply with the new rules. Here is a compliance checklist that sponsors of health plans can use to measure their progress toward meeting the new requirements.

Business Associate Agreements

Review all business associate agreements and revise those that do not comply with the final HITECH regulations. 

  • Business associate is now defined as any person or entity that creates, receives, maintains or transmits Protected Health Information (PHI) on behalf of a covered entity, other than as a member of the workforce of the covered entity. The inclusion of "maintains" is intended to categorize providers of cloud services as business associates if they maintain PHI.

  • The definition of business associate now includes any subcontractor of a business associate that will create, receive, maintain or transmit PHI on behalf of the business associate, other than as a member of the workforce of the business associate. This is an infinite flowdown: each business associate and subcontractor must require its subcontractors to comply with at least the same requirements that apply to it.

  • Business associates must be required to comply with all HIPAA security standards and implementation specifications.

  • Business associates must be required to comply with certain HIPAA privacy requirements.

  • Sample Business Associate Agreement Provisions published by HHS are available here, but we caution that these provisions will need customization.

  • There is limited transition relief under certain circumstances, but it applies to documentation only; substantive compliance with all final HITECH regulatory requirements is required by September 23, 2013.

Policies and Procedures

Review and, if necessary, revise the plan’s written policies and procedures to reflect the changes in the final HITECH regulations. These include:

  • Changes relating to notification of breach of unsecured PHI;
  • Changes relating to individual's right of access to PHI;
  • Changes relating to the sale of PHI;
  • Changes relating to the use of PHI for marketing; and
  • Changes relating to the use of genetic information for underwriting purposes.

Notice of Privacy Practices

Review the Notice of Privacy Practices, revise it to comply with the final HITECH regulations, and determine how the revised Notice will be provided.


Retrain all workforce members on all changes no later than September 23, 2013.

Employer-sponsored health plans may have additional obligations under the final HITECH regulations, depending on the specific circumstances of the plan. Contact counsel to assist you in your compliance efforts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising
