MANAGEMENT MOXIE Nimble News

HAVE YOU HEARD THE ONE ABOUT THE BUSINESS ASSOCIATE?

The March 1, 2010, compliance deadline for 201 CMR 17, the Massachusetts personal information security regulation, is common knowledge by now.* But did you know that the American Recovery and Reinvestment Act of 2009 (ARRA) expanded privacy and security rules? The Health Information Technology for Economic and Clinical Health Act (the HITECH Act) was signed into law on February 17, 2009 as part of the ARRA.

The HITECH Act orchestrates a significant makeover of the regulation of the privacy and security of patient health information. One of the most significant changes is the regulation of "business associates" under HIPAA. "Business associates" are defined, under HIPAA, as a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. When a covered entity uses a contractor or other non-workforce member to perform business associate services or activities, the privacy rule requires that the covered entity include certain protections for the information in a business associate agreement. The HIPAA privacy rule states that the covered entity must impose specific written safeguards on the individually identifiable health information used or disclosed by its business associates. The HITECH Act requires the business associate to impose written safeguards and hold the covered entity accountable.

If your company is a "business associate," your company will have certain obligations under the HITECH Act. Specifically, business associates must implement reasonable and appropriate policies and procedures to incorporate the following requirements:

  • Administrative Safeguards: Business associates must:
    1. Implement policies and procedures to prevent, detect, contain and correct security violations;
    2. Identify the security official who is responsible for the development and implementation of the policies and procedures required by the security rule for the business associate;
    3. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information (PHI), and to prevent those workforce members who do not have access from obtaining access to electronic PHI;
    4. Implement policies and procedures for authorizing access to electronic PHI that are consistent with the applicable requirements of the privacy rule;
    5. Implement a security awareness and training program for all members of its workforce (including management);
    6. Implement policies and procedures to address security incidents;
    7. Establish and implement policies and procedures for responding to an emergency or other occurrence (fire, vandalism, system failure, etc.) that damages systems that contain electronic PHI; and
    8. Perform a periodic technical and non-technical evaluation;
  • Physical Safeguards: Business associates must:
    1. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed;
    2. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic PHI;
    3. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users; and
    4. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility.
  • Technical Safeguards: Business associates must:
    1. Implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights;
    2. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI;
    3. Implement policies and procedures to protect electronic PHI from improper alteration or destruction;
    4. Implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed; and
    5. Implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over the electronic communications network.

FINAL THOUGHTS

HIPAA, the HITECH Act, and 201 CMR 17.00 carry severe civil penalties and, in some circumstances, criminal penalties for violation of the privacy and security rules. Please let us know if we can help you achieve compliance by killing three regulatory birds with one stone: a well-written information security plan (WISP).

*More information about 201 CMR 17.00 can be found on the Resources page of our website. You can also contact us and request our written overview of your obligation to secure personal information, a four-and-a-half-page summary of the new Regulation.




© 2008 FOLEY & FOLEY, PC, ALL RIGHTS RESERVED