Final HIPAA/HITECH Rule Released

HHS has recently released final rules modifying HIPAA under the HITECH Act. The rules make several changes for both providers and business associates. First, the regulations expand the definition of business associate, so businesses that handle protected health information on behalf of a covered entity need to determine whether they are now directly subject to HIPAA. Business associates may face civil penalties of up to $1.5 million per calendar year for violations of an identical provision if they do not comply with the new rules.

Providers will have to make several changes as well. The new rules give providers less flexibility to decide when to report a breach and restrict when PHI can be used for marketing. Providers must provide patients with copies of their records in electronic form on request. They must also revise their Notices of Privacy Practices (NPPs). Providers that do not comply face harsher fines and new enforcement tools. Providers should start revising their business associate agreements, NPPs, and other policies now in order to comply by the September 23, 2013 compliance date.

© 2013 Parsonage Vandenack Williams LLC

For more information, contact

Final HIPAA/HITECH Regulations Delayed

Publication of the HIPAA/HITECH Act Omnibus Final Rule has been delayed. The Office of Information and Regulatory Affairs, the office within the Office of Management and Budget responsible for reviewing the regulations, has requested an extended review period for the rules. This extended review period will last for 30 days, and any further extension requires special approval. Commentators anticipate that a decision on the rule should be issued by July 23.

The proposed rule is expected to modify several components of HIPAA, including the Breach Notification Rule, the Enforcement Rule, and the Privacy and Security Rules. Furthermore, the proposed rule will expand the scope of HIPAA provisions to cover business associates of entities subject to HIPAA. Healthcare professionals should be aware of these changes and proactively plan to comply with the revised HIPAA regulations.

© 2012 Parsonage Vandenack Williams LLC


What to Do When You are Asked to Sign a HIPAA Business Associate Agreement

PVW Law has published an updated article regarding what to do when you are asked to sign a HIPAA Business Associate Agreement. The full text of the article can be viewed by accessing the following link:

© 2011 Parsonage Vandenack Williams LLC


56 Organizations Agree on Priorities for “Meaningful Use” Program

According to recommendations from a large collaboration of organizations, the success of the new federal incentives program for health information technology (“HIT”) largely depends on a specific set of health improvement goals, a prioritized set of metrics, and the widespread participation of health care providers and patients.

Health care leaders from 56 different organizations filed a joint public comment on the program, which is part of the economic stimulus in the American Recovery and Reinvestment Act (“ARRA”). The Markle Foundation, the Center for American Progress, and the Engelberg Center for Health Care Reform at Brookings coordinated the collaborative comments on the Centers for Medicare & Medicaid Services’ Notice of Proposed Rulemaking for the Electronic Health Record Incentive Program.

The joint public comment recommends priorities to the U.S. Department of Health and Human Services (“HHS”), which will manage the new Medicare and Medicaid subsidies to doctors and hospitals for “meaningful use” of HIT starting in 2011.

The comment requests that HHS make clear a set of health improvement goals such as improving medication management and reducing readmissions to hospitals, so that everyone can contribute to these priorities.

Peter Basch, MD, senior fellow at the Center for American Progress, said: “As a practicing physician who has gone through the process of implementing health IT, I can say that it’s critical to set a bar that is ambitious but also achievable for the many diverse practices and hospitals that might participate in this program. We point out areas in which HHS can lower burdens on physicians without losing focus on the important goals of using health IT in ways that improve the patient’s experience and outcomes.”

Among other things, the collaborative letter stressed that the HIT program should encourage broad participation of providers by prioritizing the requirements necessary to receive payments and should enhance the ability of patients to obtain electronic copies of their health information.

© 2010 Parsonage Vandenack Williams LLC


Data Security Breaches Give State Attorneys General a Chance to Exercise New HIPAA Powers

The Connecticut and Arizona attorneys general are investigating health plans that recently experienced data breaches that the plans failed to disclose for several months. This is a definite sign that state attorneys general are beginning to use the HIPAA enforcement powers granted to them by the HITECH Act provisions of the Recovery Act.

Typically, state attorneys general prosecute only violations of state laws, but they now have authority to investigate and levy fines for violations of HIPAA and the HITECH Act, which requires affected individuals to be notified of a breach without unreasonable delay and in no case later than 60 days after the breach is discovered.

Connecticut Attorney General Richard Blumenthal has come forth as possibly the first attorney general to take on a HIPAA investigation, and Arizona’s attorney general may be pursuing a similar route. The larger of the two breaches that have come to the attorneys general’s attention was experienced by Health Net, Inc., which lost a portable external hard drive containing seven years of data for 446,000 Connecticut residents. The lost data covered 1.5 million individuals in total, including residents of New Jersey and New York.

Health Net reported the loss to the Connecticut attorney general on November 19. On the same day Blumenthal issued a harsh statement demanding answers and promising action. He specifically said he was investigating whether Health Net may have violated “federal laws,” as well as his state’s own data protection laws.

Blumenthal said he would “seek to establish what happened and why the company kept its customers and the state in the dark for so long.” Blumenthal said he was “outraged and appalled” by Health Net’s actions and stated that failure to provide notice sooner was “unconscionable foot-dragging.”

Health Net’s hard drive, which disappeared from its offices in Shelton, Connecticut, required a special reader to view, but the data on it was not encrypted. Needing special software to read a drive is not a security control; only encryption (or destruction) takes data outside the “unsecured” protected health information that triggers breach notification.

© 2009 Parsonage Vandenack Williams LLC


HIPAA Mandates, Coverage Set to Expand in Near Future

As many of you are aware, the American Recovery and Reinvestment Act of 2009 (ARRA), commonly known as the stimulus bill or the Recovery Act, did much more than funnel government spending in an effort to boost the economy. Within the Recovery Act package, Congress enacted a separate act known as the Health Information Technology for Economic and Clinical Health Act, or the HITECH Act. HITECH included several important changes to substantive law and mandated that the Department of Health and Human Services (HHS) promulgate new regulations under HIPAA. On August 24, 2009, HHS issued interim final regulations, effective September 23, 2009, implementing several of the changes mandated by HITECH. Other changes will not take effect until February 2010. Health care providers and their Business Associates subject to HIPAA requirements should be aware of several fundamental reforms contained within the law.

Breach Notification

HITECH requires any Covered Entity (such as a health plan, health care clearinghouse, or health care provider) holding or using “unsecured” protected health information to notify the affected individuals in the event of a breach of that individual’s protected health information (“Breach Notification”). Any breach must also be reported to HHS and, under some circumstances, to the local media as well. Essentially, covered entities and business associates are now required to act as their own whistleblowers. This Breach Notification requirement was promulgated in an interim final rule on August 24, 2009 and takes effect September 23, 2009.

The Breach Notification rule requires that Covered Entities notify affected individuals “without unreasonable delay” and in no case more than 60 days after the breach is “discovered”. A breach is treated as discovered on the first day it is known to the entity, or to any employee or agent of the entity other than the person who committed the breach. An unknown breach will be treated as discovered if it would have been known had the entity exercised “reasonable diligence”. The 60-day clock therefore runs from the day a breach should have been noticed, not from the day it reached management. This highlights the importance of having internal policies in place to ensure that any breach will be promptly discovered, reported, and dealt with.

As mentioned above, Covered Entities are also required to provide notice to the Secretary of HHS and, in some cases, local media outlets. If the breach affects more than 500 residents of a state or jurisdiction, the entity must notify “prominent media outlets” “without unreasonable delay” and in no case more than 60 days after discovery of the breach. In the case of such a large breach, the entity must notify HHS contemporaneously with the sending of individual notices, according to the procedure on the department’s website. If the breach affects fewer than 500 residents, there is no requirement to notify the local media, and there is no immediate requirement to notify HHS. Instead, the entity is required to maintain a log of all such breaches and notify HHS of all breaches during the prior calendar year within 60 days of the end of that year, according to the procedure outlined on HHS’s website.

The new regulations list specific guidance regarding the content of the required notice. The notice must be in writing and sent via first-class mail, unless the individual has otherwise agreed to electronic notification. Five topics are required to be addressed within the contents, all written in “plain language”: a description of what happened, including the dates of the breach and of its discovery; the types of protected health information involved; the steps individuals should take to protect themselves from potential harm; what the entity is doing to investigate the breach, mitigate harm, and protect against further breaches; and contact procedures for individuals to ask questions or learn additional information.

Business Associates of Covered Entities (anyone handling protected health information on behalf of a Covered Entity) are required to notify the covered entity for which they are providing services of any breach discovered by the Business Associate. Again, this notice must be given without unreasonable delay and in no case more than 60 days after the discovery of the breach. Rules similar to those imposed on covered entities for the determination of when a breach is “discovered” also apply to Business Associates.

Only those covered entities or business associates dealing in “unsecured” protected health information are subject to the Breach Notification requirements. To avoid being deemed to be operating with “unsecured” protected health information, the Covered Entity or Business Associate may conform to the guidance on technologies and methodologies published by HHS on April 27, 2009, which provides a safe harbor from the definition of “unsecured” protected health information. The guidance recognizes two methods of rendering protected health information unusable, unreadable, or indecipherable to unauthorized persons: encryption consistent with the NIST publications the guidance cites, and destruction of the media on which the information is stored. Note that encryption only qualifies if the key or other decryption process has not itself been compromised, so a lost laptop or drive whose password or key travels with it is still a reportable breach. To the extent feasible, Covered Entities and Business Associates should comply with this guidance to avoid being subject to the embarrassing requirements of the Breach Notification rule.

Expansion of HIPAA Coverage

In addition to the Breach Notification rule, HITECH imposes both the HIPAA Security Rule and the HIPAA Privacy Rule directly on Business Associates of Covered Entities. Prior to this change, Business Associates were not directly subject to the security and privacy requirements of HIPAA. Instead, Covered Entities were required to obtain “satisfactory assurance” that their Business Associates would safeguard protected health information. These assurances are typically exchanged through a written Business Associate Agreement. Only Covered Entities were subject to the civil and criminal penalties of HIPAA should there be a violation of the security or privacy rules, even if the violation was committed by the Business Associate. The Covered Entity’s recourse against the Business Associate was limited to initiating a lawsuit for breach of the Business Associate Agreement. HITECH changes all this.

Under HITECH, the security and privacy rules of HIPAA are made directly applicable to Business Associates effective February 17, 2010. Business Associates will thereafter be subject to direct HIPAA enforcement, including the imposition of civil and criminal penalties, for a violation of either rule. HITECH still contemplates the use of Business Associate Agreements and requires that they be updated to reflect the Breach Notification rule outlined above.

Several significant changes to HIPAA and its implementing regulations were made by the Recovery Act through HITECH. Health care providers that are Covered Entities under HIPAA, and their Business Associates, should be prepared to meet the new legal and administrative requirements of these changes. If you would like to discuss the matters discussed in this article, or any other matter regarding your health care practice, feel free to contact Parsonage Vandenack Williams LLC at your convenience.

© 2009 Parsonage Vandenack Williams LLC
