These provisions have varying start times, and most are subject to further rulemaking by the Secretary of Health and Human Services. Many of these provisions raise as many questions as they answer, so the regulations that are ultimately drafted and adopted will be very important. Until then, entities that deal with medical records or other health information should be prepared to make some changes to their operations and documentation. Specifically, most covered entities will need to make some changes to their BAAs to address the changes noted above. Depending on the specific provisions of the final regulations, some covered providers will want to change their standards and processes for obtaining patient authorizations, particularly to avoid the issues raised by the new definition of marketing, and especially if the covered entity uses an electronic medical record. Providers should also consider whether these changes will require them to revise the “Notice of Privacy Practices” they give their patients on their first visit.
More importantly, given the breach notification requirements and their applicability to “unsecured” PHI, covered entities should review their existing IT policies to ensure that they are already taking (or are ready to adopt once regulations are drafted) the appropriate steps to make the PHI they hold and exchange “unusable, unreadable, or indecipherable to unauthorized users.” Covered entities that have not yet adopted strict security measures such as encryption should start taking those steps now, and be prepared to take further action as soon as regulations are issued.