With the September 23, 2009 effective date for the new HIPAA breach notification requirements rapidly approaching, health care organizations must move now to address compliance obligations.

The slide deck below (from a presentation for the Washington State Hospital Association I gave on September 16th) contains a summary of the rule along with a Compliance Action Plan outlining key steps to address requirements under the rule.

HHS indicated they will exercise their “enforcement discretion” over the next several months given the tight time frame.  That said, in light of the increased civil penalties passed as part of the HITECH Act and now in effect, covered entities should work to implement a compliance action plan now rather than rely on such “enforcement discretion” later.