Though HITECH (the Health Information Technology for Economic and Clinical Health act) took full effect this past Feb. 17, provisions regarding business associates were still vague, as we noted at the time.

Now, the Office of Civil Rights (OCR) in the Department of Health and Human Services (HHS), the law’s oversight agency, is promising to issue proposed rules soon, which typically would be followed by a public commentary period.

Most of the vagueness stems from language in the HITECH act that elevates business associates to the same status as covered entities. Previously, covered entities (generally, health care providers and insurers) had primary responsibility for insuring the security of private health information (PHI) in their possession, but HITECH extended such primary responsibility to those business associates that work with and for covered entities.

Though most customers of Personnel Concepts are probably neither covered entities nor business associates, any company that offers health insurance or retains medical information on its employees is still subject to the rules of HITECH and HIPAA (Health Insurance Portability and Accountability Act of 1996) to protect the confidentiality of employee PHI.

A sure way to announce your intention of respecting HIPAA and HITECH and of informing your employees of their rights and obligations under the two laws is by obtaining and posting a copy of our All-On-One HIPAA Information Poster.