[ Monday, February 22, 2010 ]
Effectiveness vs Enforcement.
I spent some time Friday discussing with a reporter the distinction between a statute becoming effective and it being enforced. Apparently, there's been some stir in the air, at the least generated by the appearance of some HHS folks at various venues explaining HHS' lack of regulations on the business associate provisions of HITECH (which became effective on Wednesday, 2/17/10). It seems that, in the face of questions such as, "how can you enforce this provision when you haven't given us regs yet," the administrators have indicated that they are delaying the enforcement of the BAA regs. Other lawyers definitively have that impression
However, others in the administration want to be absolutely clear that there's no delay in the effectiveness of the regs, and that enforcement and effectiveness don't necessarily mean the same things. But they all also scrupulously state, at the beginning of any public appearance, that they aren't speaking on behalf of the agency and don't bind the agency by what they say.
All this means that (i) the enforcement date for the BAA provisions of HITECH was last Wednesday, and if you don't have your BAAs revised, you could be in violation of HIPAA (there is a school of thought that says HITECH automatically
amended every BAA, so even if you didn't amend it yourself, consider it amended); (ii) it's probably unlikely that HHS or OCR is going to start subjecting laggard covered entities to the Spanish Inquisition, given that they couldn't get their stuff done in time either; but (iii) that's not a total get-out-of-jail-free card, just a mitigating factor. Remember, HITECH gave us new HIPAA enforcers in the 50 states Attorneys General (and gives a financial incentive to the wronged individuals whose data is compromised), so even if HHS gives an "honor among thieves" pass to those who fail to fix their BAAs, you can't count on others to let you off the hook.
Jeff [12:23 AM]
Blogger: HIPAA Blog - Edit your Template