The HIPAA/HITECH Final Rule has arrived!

By: Sands Anderson. This was posted Monday, April 8th, 2013


If you are a health care provider or someone who routinely performs work involving patient health information on behalf of a health care provider, you need to know about the HIPAA/HITECH Final Rule.

Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the Department of Health and Human Services (HHS) has been working on amendments to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to significantly expand entities subject to rules governing access to and disclosure of protected patient health information (PHI).  One of the most notable expansions of HIPAA, under HITECH, is the expanded applicability of certain provisions of HIPAA directly to business associates and subcontractors who have access to PHI as part of the activities they perform for health care providers and other covered entities.

HHS recently published the Final Rule modifying HIPAA to implement the requirements of HITECH.  The new requirements became effective March 26, 2013, but covered entities (think health care providers), their business associates and subcontractors have until September 23, 2013, to comply.  Under HITECH, significant monetary penalties apply to non-compliant entities subject to HIPAA; so you’ll want to pay attention to the new requirements and get started right away to ensure that you are in compliance by the September 23, 2013, deadline.

How do I know if HIPAA applies to me?

  • HIPAA applies to covered entities.  “Covered entities” are health care providers, health plans, and health care clearinghouses.  Most health care providers have long been aware that HIPAA privacy and security requirements apply to them.
  • HIPAA also applies to business associates.  With the passage of HITECH, HIPAA now applies to entities that perform activities on behalf of health care providers if the entity uses or discloses PHI to perform its activities.  It’s not just a contract issue anymore; HHS can directly enforce HIPAA against a business associate!
  • And to subcontractors.  Many business associates already were aware that HIPAA applied to them.  However, the Final Rule also makes clear that subcontractors of business associates are subject to the same HIPAA provisions that apply to business associates.  This means that if you are a business associate you need to ensure that your subcontractors are complying with privacy and security provisions that apply to you under HIPAA.

Who is a “business associate”?

  • A business associate is generally defined as a person or entity (not an employee) that performs functions, activities or services on behalf of or for a health care provider that involve the use or disclosure of PHI.  Business associates include entities that provide legal, actuarial, accounting, data processing, claims processing, benefit analysis, quality assurance, and other activities on behalf of health care providers that necessarily involve the use or disclosure of PHI.
  • HHS has a page on its website that discusses “business associates” and includes examples.  One such example is a software company that hosts a health care provider’s patient information software.  Whether the patient information is on the software company’s own server or is accessed when the software company troubleshoots the software, the software company is a business associate of the health care provider and subject to HIPAA.

What happens if I am found to be non-compliant?

  • HITECH establishes four tiers for violations with corresponding penalties based on the level of culpability attributed to the entity that violated HIPAA privacy and/or security requirements.  Penalties range from $100 per violation to $50,000 per violation.

If you need assistance making sure you are compliant with HIPAA/HITECH requirements, the health care lawyers at Sands Anderson PC are available to help.


This information is provided for informational purposes, and includes both legal requirements and generally-recommended best practices. It is not intended to be legal advice. An attorney should be consulted when developing policies and procedures for your organization.
