The lull before the storm? After much effort to implement the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy Rule by April 2003 and the HIPAA Security Rule by April 2005, most covered entities (health care providers, health plans, and health care clearinghouses) have been in HIPAA compliance maintenance mode. Overall, covered entities have experienced limited government enforcement actions and therefore faced minimal risk of fines for violating HIPAA.
However, with the passage of the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 ("ARRA"), not only must covered entities give fresh and heightened attention to HIPAA, but now business associates will need to comply with HIPAA security requirements directly and can be held accountable by the federal government for violating the HIPAA Security Rule or a business associate agreement.[1] In addition to allocating over $19 billion to support and promote the implementation and use of electronic health records, the HITECH Act also amends the HIPAA Privacy and Security Rules by adding new requirements and new limitations that result in increased risks.
This article focuses on the HITECH Act breach notification requirements, business associate obligations, and enhanced enforcement provisions, as these areas will likely generate the most questions for healthcare attorneys and will also directly affect law firms that are business associates of covered entities. Except as noted in this article, the HIPAA changes discussed in this article are effective February 17, 2010.
Breach Notification Requirements
Under HIPAA, if protected health information ("PHI") is accessed by or disclosed to an unauthorized person, the covered entity must mitigate any harmful effect resulting from this breach of privacy. However, prior to the HITECH Act, a covered entity was not explicitly required by HIPAA to notify the affected person of the incident. Although HIPAA has been silent on this issue, most states have enacted laws requiring businesses to notify consumers if their personal information is subject to a security breach.[2] But, beginning on or before September 15, 2009, covered entities will now also be subject to explicit HIPAA breach notification requirements.[3]
The HITECH Act requires covered entities to notify individuals without unreasonable delay, and in no case later...