The Office for Civil Rights of the Department of Health and Human Services (OCR) issued an omnibus final rule (Final Rule) on January 17, 2013, implementing various provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act or HITECH). The Final Rule revises the Privacy, Security and Enforcement Rules that were previously issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the interim final Breach Notification Rule that was previously issued in accordance with the HITECH Act. The Final Rule was published in the Federal Register on January 25, 2013, and is available here.

Action items

Covered entities and business associates will need to review their policies and procedures prior to the September 23, 2013 compliance date so that they can identify and implement all changes that are needed in order to comply with the Final Rule. Covered entities and business associates should review their business associate agreements and determine whether the agreements qualify for grandfathered status and enter into new business associate agreements by the due date. In addition, Notices of Privacy Practices will need to be revised and appropriate training should be provided to personnel of covered entities and business associates prior to the compliance date.
In light of the expanded definition of "business associate" to include subcontractors, any vendor or other business that performs functions for a covered entity or another business associate involving the use or disclosure of PHI should determine whether it is a "business associate" and, if so, what steps need to be taken in order to comply with the Privacy, Security and Breach Notification Rules by the compliance date.
Your data privacy policies, practices, agreements, Incident Response Plans, and Information Security Programs will need to be reviewed, and most likely revised, for compliance with this Final Rule.

On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009, which included the HITECH Act. The HITECH Act expanded the obligations of covered entities and business associates to protect the confidentiality and security of Protected Health Information (PHI). The HIPAA Privacy and Security Rules allow “covered entities” to disclose PHI to “business associates,” and allow business associates to create and receive PHI on behalf of the covered entity, subject to the terms of a business associate agreement between the parties. For purposes of HIPAA and the HITECH Act, a “covered entity” is a health plan, health care clearinghouse (e.g., a billing service converting paper data into standard claims for submission to a health plan) or health care provider (e.g., a hospital or physician practice) that transmits health information in electronic form. In general, the HIPAA regulations have traditionally defined a “business associate” as a person (other than a member of the covered entity’s workforce) or entity who, on behalf of a covered entity, performs a function or activity involving the use or disclosure of PHI, such as the performance of financial, legal, actuarial, accounting, consulting, data aggregation, management, administrative, or accreditation services to or for a covered entity.

Prior to the HITECH Act, business associates had contractual obligations under their business associate agreements to maintain the privacy and security of PHI, but were not subject to sanctions for failure to comply with the HIPAA rules. However, the HITECH Act expanded the HIPAA obligations and exposure of business associates by:

  1. Applying many of the security and privacy standards to business associates
  2. Requiring business associates to comply with the breach notification requirements of the HITECH Act
  3. Subjecting business associates to civil and criminal penalties for HIPAA violations

Furthermore, the HITECH Act strengthened HIPAA penalties and enforcement mechanisms, and required periodic audits to ensure that covered entities and business associates comply with the Privacy and Security Rules.

OCR issued a proposed rule on July 14, 2010 to implement a number of the privacy, security and enforcement standards under the HITECH Act. Although most of the provisions under the HITECH Act took effect in February 2010, OCR recognized in its 2010 commentary that covered entities and business associates would need some time to comply with the final rule. As such, OCR stated its intention to grant covered entities and business associates 180 days after the effective date of the final rule to become compliant with the new or modified standards that had not yet been incorporated into the HIPAA regulations.

Expansion of business associate obligations

The Final Rule implements the HITECH Act’s expansion of business associates’ HIPAA obligations by applying the Privacy and Security Rules directly to business associates and by subjecting business associates to civil and criminal penalties for HIPAA violations. Furthermore, the Final Rule extends HIPAA obligations and potential penalties to subcontractors of business associates by expanding the definition of “business associate” to include direct or indirect subcontractors if a business associate delegates a function, activity or service to the subcontractor and the subcontractor creates, receives, maintains, or transmits PHI on behalf of the business associate. Each business associate that delegates any function involving the use or disclosure of PHI to a subcontractor will be required to enter into a business associate agreement with the subcontractor.

Breach Notification Rule

The Final Rule will broaden the breach notification obligations of covered entities and business associates by modifying the definition of “breach” and the risk assessment process for determining whether notification will be required. The Final Rule replaces the “harm” standard of the interim Breach Notification Rule with a standard based on the risk that PHI is compromised. The prior standard allowed covered entities and business associates to conduct a “risk of harm” analysis, and a “breach” would only result if the impermissible use or disclosure posed significant risk of financial, reputational or other harm. Under this new standard, however, a use or disclosure of unsecured PHI that is not permitted under the Privacy Rule is presumed to be a breach (and therefore requires notification to the individual, OCR and possibly the media) unless either the incident satisfies one of three relatively narrow exceptions¹ or the covered entity or business associate demonstrates a low probability that PHI has been compromised. This determination is now based on a risk assessment of at least the following four factors:

  1. The nature and extent of the PHI, including the types of identifiers and the likelihood of re-identification
  2. The unauthorized person who used or accessed the PHI
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk is mitigated (for example, by obtaining reliable assurances from a recipient of PHI that the information will be destroyed or will not be used or disclosed)

In its commentary, OCR expressed concern that the prior “harm to the individual” standard has been misinterpreted to permit too many breaches to go unreported. OCR characterized the new standard as more objective than the “harm” standard.

Additional provisions of the Final Rule

The Final Rule addresses a laundry list of issues, including provisions or commentary that:

  • Require covered entities to modify their Notices of Privacy Practices
  • Require covered entities to agree to an individual’s request to restrict disclosure of PHI about the individual to a health plan when the individual (or someone other than the health plan) pays for the item or service in full
  • Permit compound authorizations for clinical research studies
  • Revise the definition of PHI to exclude information regarding a person who has been deceased for more than 50 years, so that the Privacy and Security Rules will not apply to such information
  • Prohibit the sale of PHI without authorization from the individual, and add a requirement of authorization in order for a covered entity to receive remuneration for disclosing PHI
  • Restrict marketing
  • Allow individuals to obtain a copy of PHI in an electronic format if the covered entity uses an electronic health record
  • Clarify OCR’s view that covered entities are allowed to send electronic PHI to individuals in unencrypted e-mails only after notifying the individual of the risk
  • Prohibit health plans from using or disclosing genetic information for underwriting, as required by the Genetic Information Nondiscrimination Act of 2008 (GINA)
  • Allow covered entities to disclose relevant PHI of a deceased individual to a family member, close friend or other person designated by the deceased, unless the disclosure is inconsistent with the deceased individual’s known prior expressed preference
  • Allow disclosure of proof of immunization to schools if agreed by the parent, guardian or individual
  • Revise the Enforcement Rule (which was previously revised in 2009 as an interim final rule) to:
    • Require the Secretary of the Department of Health and Human Services (HHS) to investigate any HIPAA complaint if a preliminary investigation indicates a possible violation due to willful neglect, while continuing to allow HHS to investigate any other complaint
    • Permit HHS to disclose PHI to other government agencies (including state attorneys general) for civil or criminal law enforcement
    • Revise standards for determining the levels of civil money penalties

The Final Rule does not address the HITECH Act requirement that a covered entity provide an accounting for disclosures. Commentary from OCR notes this requirement will be addressed in future regulations.

Effective and compliance dates

The Final Rule takes effect on March 26, 2013, with a compliance date of September 23, 2013. Covered entities and business associates, including subcontractors, therefore must comply with the Final Rule by September 23, 2013. The 180-day compliance period, however, does not apply to modifications of the Enforcement Rule, which will apply beginning on the March 26, 2013 effective date. Moreover, breach notification continues to be governed by the interim Breach Notification Rule until the September 23, 2013 compliance date.

If certain conditions are met, the Final Rule allows additional time (in addition to the 180-day compliance period) to revise business associate agreements to bring them into compliance with the HITECH requirements. In particular, transition provisions will allow covered entities and business associates to continue to operate under existing business associate agreements for up to one year beyond the compliance date (until September 22, 2014) if the business associate agreement:

  1. Is in writing
  2. Is in place prior to January 25, 2013 (the publication date of the Final Rule)
  3. Complies with the Privacy and Security Rules as in effect immediately prior to January 25, 2013
  4. Is not modified or renewed

This additional time for grandfathered business associate agreements applies only to the written documentation requirement. Covered entities, business associates and subcontractors will be required to comply with all other HIPAA requirements beginning on the compliance date, even if the business associate agreement qualifies for grandfathered status.

Stay tuned for our upcoming Alerts on the Final Rule, including Alerts focused on the Breach Notification Rule and on implications for business associates, as well as our Business Hour event on the Final Rule.

If you have questions, please contact one of the attorneys listed below.

¹ The three narrow exceptions, which are unlikely to apply in most cases, relate to (i) unintentional, good faith access, acquisition or use by members of the covered entity's or business associate's workforce, (ii) inadvertent disclosure limited to persons with authorized access and not resulting in further unpermitted use or disclosure, and (iii) good faith belief that the unauthorized recipient would be unable to retain the PHI.