In the past several days, three important information privacy and security deadlines have arrived. To recap, they are:
- February 17, 2010: the provisions of the HITECH Act regarding HIPAA business associates went into effect (albeit without regulations, which are expected to be issued any day now). Many HIPAA covered entities have been revising their Business Associate Agreements in an effort to comply with what they think the regulations will say. Others are waiting until they see the regulations to amend those agreements.
- February 22, 2010: FTC rules regarding health information breaches went into effect. The FTC has provided a standard reporting form for such breaches. And the FTC is putting its money where its mouth is: in the Fiscal Year 2011 Congressional Budget Justification, the FTC is seeking two full-time employees for “data security enforcement and rulemakings.”
- March 1, 2010: Last but not least, the Massachusetts Data Security regulations went into effect, although we have not received word from the Massachusetts Attorney General as to how these regulations will be enforced. A recent Boston Globe article (for which I was interviewed) details the apparent state of readiness for these regulations.