It was my understanding that Health & Human Services had until mid-August to issue guidance on individual notices of protected health information breach and other aspects of the new HITECH requirements included in ARRA. Has anyone seen anything on this guidance yet? (Other than what came out in April)

Never mind . . . . Will be in 8/24's Federal Register.

I would be curious what TPA/Business Associates are doing in response to this. I'm thinking an addendum to a client's Privacy Practices outlining the new breach rules, as well as an addendum to our BAA might suffice. Of course, some sort of training for clients would probably also be helpful. Thoughts?

We are a large employer with self-insured medical plans and ASO agremeents with 2 nationwide carriers. We are redoing all our Business Associate agreements and revamping and expanding our training in house. We will rely on our business associates certification that they have conducted the proper training on their end.

Are there amendments to the SPD that are required for the HITECH changes?