Recent changes enacted as part of the Health Information Technology for

Economic and Clinical Health Act (HITECH) and its implementing regulations

require Covered Entities (CEs) and their Business Associates (BAs) to

implement Security Breach Notification procedures and may require revisions

to existing Business Associate Agreements (BAAs). HITECH was passed as a

part of the vast economic stimulus bill known as the American Recovery and

Reinvestment Act of 2009 (ARRA). The new requirements became effective

September 23, 2009, following the publication of the Department of Health and

Human Services (DHHS) Security Breach Notification Interim Final Rule (the

Interim Rule) in August of 2009. Their enforcement, however, begins on

February 23, 2010. If you have not already reviewed your existing BAAs, or

instituted compliant Breach Notification policies and procedures, now is an

excellent time to start. Joshua J. Freemire of Ober|Kaler highlights some of the details of the Interim Rule.