February 17, 2010 marks the compliance date for significant new obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009, adopted one year ago. It appears the date may come and go without the regulatory guidance that many HIPAA covered entities and business associates expected to inform their compliance decisions.
Many of the new obligations require significant resources for implementation (e.g., amending business associate agreements, adopting new systems for limiting disclosures to health plans and providing copies in electronic formats that can be securely delivered). Yet the HITECH provisions are unclear in many places (e.g., the definition of an Electronic Health Record is opaque, at best, with its dependence on the undefined term “clinician”). Thus, expending resources without clarifying guidance creates a Catch-22 for many covered entities and business associates subject to the new requirements.