June 18, 2019


Tick, Tock: Less than 60 Days to Comply with Updated Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH) Rules

There are now less than 60 days left for covered entities and business associates to implement the provisions set forth in the final omnibus HIPAA/HITECH rules issued by the U.S. Department of Health and Human Services (HHS) in January 2013. Preparation will require updating applicable policies, procedures, and training by September 23, 2013. Business associate agreements (BAAs) entered into on or after January 25, 2013 must also be updated by September 23, 2013. Given increased enforcement activity and breach risk, many covered entities are updating BAAs executed before January 25, 2013 now, rather than waiting for the later deadline of September 22, 2014. In addition, all of the Security Rule and most of the Privacy Rule will now apply directly to business associates, requiring them to implement appropriate administrative and security safeguards. Those same requirements must also be applied to subcontractors.

Among the most impactful of the changes was HHS’s decision to lower the standard for breach notification by eliminating the “harm threshold”. Previously, the potential harm to the individual was weighed to determine whether notification was required. Now there is a presumption of breach unless one of the three narrow exceptions to the rules applies or the covered entity completes the required risk assessment and demonstrates a “low probability” that the information was actually compromised. The result of this lowered standard will be an increase in breach notifications, so covered entities should scrutinize the applicable terms in their BAAs, update their incident response procedures, and consider appropriate insurance to address potential costs.

© 2019 Poyner Spruill LLP. All rights reserved.


About this Author

Tara N. Cho, Poyner Spruill Law Firm, Privacy Attorney

Tara’s practice focuses on privacy and information security. She advises on privacy issues and the identification of potential risks, and on the development of associated policies and procedures to maintain compliance. She is also experienced with privacy compliance auditing, regulatory requirements in clinical research, European data protection requirements and Safe Harbor certifications, data transfer agreements and contract negotiation.

Elizabeth Johnson, Privacy, Information Security Attorney, Poyner Spruill, law

Elizabeth’s practice focuses on privacy, information security, and records management. Her comprehensive, practical approach to privacy law is reflected in the diversity of her clients, which hail from a variety of industries including health care, financial services, insurance, retail, telecom, utility, technology, consumer goods and client services. Elizabeth has also worked with organizations of various sizes and scopes, ranging from Fortune 100 companies with international reach to local charities. She was listed among the top privacy professionals in Computerworld’s “2008 Best Privacy Advisors” report.