Ready For HITECH Changes On September 23, 2013? Find Out With This Compliance Checklist For Employer-Sponsored Health Plans
The final regulations implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act were issued in January and compliance is required by September 23, 2013. The final regulations require covered entities, including employer-sponsored health plans, to make many changes to their documents and processes in order to comply with the new rules. Here is a compliance checklist that sponsors of health plans can use to measure their progress toward meeting the new requirements.

Business Associate Agreements

Review all business associate agreements and revise those that do not comply with the final HITECH regulations. 

  • Business associate is now defined as any person or entity that creates, receives, maintains or transmits Protected Health Information (PHI) on behalf of a covered entity, other than as a member of the workforce of the covered entity; inclusion of "maintains" is intended to categorize providers of cloud services as business associates, if they maintain PHI

  • The definition of business associate now includes any subcontractor of a business associate that will create, receive, maintain or transmit PHI on behalf of the business associate, other than as a member of the workforce of the business associate. (This is an infinite flow-down: each business associate and subcontractor must require its own subcontractors to comply with at least the same requirements that it must comply with.)

  • Business associates must be required to comply with all HIPAA security standards and implementation specifications.

  • Business associates must be required to comply with certain HIPAA privacy requirements.

  • Sample Business Associate Agreement Provisions published by HHS are available here, but we caution that these provisions will need customization.

  • There is limited transition relief under certain circumstances, but it applies to documentation only; substantive compliance with all final HITECH regulatory requirements is required by September 23, 2013.

Policies and Procedures

Review and, if necessary, revise the plan's written policies and procedures to reflect the changes in the final HITECH regulations. These include:

  • Changes relating to notification of breach of unsecured PHI;
  • Changes relating to individuals' right of access to PHI;
  • Changes relating to the sale of PHI;
  • Changes relating to the use of PHI for marketing; and
  • Changes relating to the use of genetic information for underwriting purposes.

Notice of Privacy Practices

Review the Notice of Privacy Practices, revise it to comply with the final HITECH regulations, and determine how the revised Notice will be provided.

Training

Retrain all workforce members on all changes no later than September 23, 2013.

Employer-sponsored health plans may have additional obligations under the final HITECH regulations, depending on the specific circumstances of the plan. Contact counsel to assist you in your compliance efforts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising