
HIPAA Compliance Deadline for 2013 Final Rules

July 24, 2013

The Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH") expanded the protections provided under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") for the privacy and security of certain protected health information ("PHI"). In 2009 and 2010, the Department of Health and Human Services ("HHS") issued proposed and interim final rules (the "Interim Guidance") addressing provisions of HITECH that affect both "Covered Entities," such as certain employer-sponsored group health plans, and their service providers with access to PHI ("Business Associates").

HHS finalized the Interim Guidance in early 2013 (the "2013 Final Rules") with a general compliance date of September 23, 2013.  The 2013 Final Rules adopt some provisions of the Interim Guidance with minor or no changes, while significantly revising others.  Therefore, even Covered Entities and Business Associates who have sought to comply with the Interim Guidance may want to review their practices in light of the 2013 Final Rules.  A more thorough review may be appropriate for Covered Entities and Business Associates who are less certain regarding the status of their existing compliance efforts.

In this client alert, we provide a summary of key provisions of the 2013 Final Rules.

Vendors and Subcontractors

In general terms, a Business Associate is a person (including an entity) who performs functions or activities on behalf of, or certain services for, a Covered Entity that involve the use or disclosure of PHI.  Pursuant to HITECH, the 2013 Final Rules now specifically include as Business Associates vendors such as providers of certain data transmission or storage services who require routine or more than random access to PHI.  The 2013 Final Rules also specifically include as Business Associates subcontractors of a Business Associate who create, receive, maintain or transmit PHI on behalf of the Business Associate.  Both Covered Entities and Business Associates may wish to review their service provider relationships in light of the 2013 Final Rules in order to have HIPAA-compliant contracts ("Business Associate Agreements") in place with their Business Associates by the compliance date.

Direct Liability and Business Associates

HIPAA requires Covered Entities and Business Associates to protect the privacy and the security of PHI (the "Privacy Rule" and the "Security Rule," respectively). Prior to HITECH, a Business Associate that failed to provide the required protections had contractual liability through the Covered Entity's enforcement of the terms of the Business Associate Agreement. As a result of HITECH and the 2013 Final Rules, HHS may now also take direct action against the Business Associate for many Privacy Rule and Security Rule violations. Together with a new penalty structure, this direct liability significantly increases the potential exposure of Business Associates. It also requires memorialization in Business Associate Agreements, which may need to be revised to include the specific provisions listed in the 2013 Final Rules. (Certain existing Business Associate Agreements may qualify for an extended compliance deadline of September 23, 2014.)

Breach Notification

Covered Entities and Business Associates must notify certain parties if PHI is acquired, used, accessed, or disclosed in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI (a "breach"). Under the 2013 Final Rules, a breach is generally presumed to occur unless a risk assessment by the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised. In this regard, the 2013 Final Rules depart from the Interim Guidance, which did not provide for a presumption of breach but instead required determination of whether there was a significant risk of financial, reputational or other harm to the individual as a result of the impermissible use or disclosure. All Covered Entities and Business Associates may therefore need to familiarize themselves with this new standard for determining breach.

Notice of Privacy Practices

The 2013 Final Rules include new content requirements for the Notice of Privacy Practices ("NPP") which the Privacy Rule requires most Covered Entities to distribute.  Some of the new requirements apply to all NPPs, such as a statement that the Covered Entity is required by law to notify affected individuals following a breach of unsecured PHI.  Others depend on whether the Covered Entity intends to engage in certain activities such as using or disclosing PHI for underwriting purposes.  Because these are considered material changes to the NPP, most Covered Entities must both post a revised NPP on their website and provide a revised NPP in their next annual mailing to participants.  Covered Entities should review their NPPs in light of the 2013 Final Rules in order to determine what revisions are required in advance of the September 23, 2013 compliance date.

The 2013 Final Rules represent a major revision to the regulatory regime under HIPAA.  For more information about the 2013 Final Rules or other issues concerning your employee benefit plans, please contact Joanne C. Youn at jyoun@capdale.com or at 202.862.7855.




For more than 45 years, Caplin & Drysdale has been a leading provider of a full range of tax, tax controversy, and related legal services to companies, organizations, and individuals throughout the United States and around the world. With offices in New York City and Washington, D.C., the firm also provides counseling on matters relating to bankruptcy, creditors' rights, exempt organizations, employee benefits, private client services, corporate law, white collar defense, complex litigation, and political activity.

Washington, D.C. Office:
One Thomas Circle, NW
Suite 1100
Washington, D.C. 20005
202.862.5000

New York, NY Office:
600 Lexington Avenue
21st Floor
New York, NY 10022
212.379.6000

Disclaimer
This communication does not provide legal advice, nor does it create an attorney-client relationship with you or any other reader. If you require legal guidance in any specific situation, you should engage a qualified lawyer for that purpose. Prior results do not guarantee a similar outcome.

Attorney Advertising
It is possible that under the laws, rules, or regulations of certain jurisdictions, this may be construed as an advertisement or solicitation.

© 2013 Caplin & Drysdale, Chartered
All Rights Reserved.



 
