KH: I think that will depend on when additional guidance, including regulations, are actually issued. We hope there will be additional guidance by December of 2009. We don’t know whether that will be regulations, and we also don’t know whether that will be issued in August or December.
I think providers should begin to take a hard look at their privacy and security policies and procedures now, because there will be additional work that needs to be done.
AG: It sounds like PHI is an area people need to take a hard look at, that they may be focusing on the healthcare IT side, the payments, but there is a lot of critical information in the act about privacy and security.
KH: Yes, I think that’s absolutely true.