South Florida Hospital News
Friday February 26, 2021

test 2

June 2013 - Volume 9 - Issue 12


Part I
On January 25, 2013, the Department of Health and Human Services published the final rule implementing and incorporating the provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) into HIPAA. In addition to the final rule itself, HHS devoted 119 pages to a preamble discussion that was intended to “clarify” the HIPAA-HITECH Rule (the “Rule”). Since that time, there has been a steady stream of articles analyzing various aspects of the Rule. Rather than repeat what others have done, the purpose of this two-part article is to provide a BRIEF summary of six of the most likely trends, both intended and unintended, that will be consequences of the Rule. The first three are outlined here in Part I. Next month’s column will feature three additional trends.
Trend #1. Expanded responsibilities and liabilities of Business Associates.
The Rule has established that Business Associates now are responsible for satisfying most of the Privacy and Security duties previously imposed upon Covered Entities. No longer a matter established by a contract between the parties (the “Business Associate Agreement”), every Business Associate now has an independent obligation to satisfy the administrative, physical and technical safeguards, ensure that they disclose only the “minimum necessary” PHI to authorized parties.
Before the Rule, Business Associates that breached the terms of their Business Associate Agreements faced the risk of being sued for breach of contract by their contracting Covered Entities. The adoption of the Rule substantially increases the potential exposure of a Business Associate. Now, in addition to a breach of contract action, Business Associates face both civil and criminal liability if they fail to comply with their HIPAA-HITECH obligations.
Trend #2. Expanding number of Business Associates.
Both the breadth and depth of the pool of Business Associates has been substantially expanded in the Rule. The pool has been widened by making clear that virtually any party that has the potential ability to have access to PHI is a Covered Entity’s Business Associate. For example, record storage companies, whether actual or virtual, software vendors with which a Covered Entity contracts to provide updates and maintenance services, as well as attorneys and accountants who are provided PHI now clearly fall within this category. As such, a Covered Entity must ensure that it has a Business Associate Agreement with a wider range of vendors than many had previously thought necessary.
Downstream vendors, those who subcontract with a Business Associate, now also are deemed to be Business Associates if they have access to PHI. The Rule does not establish any de minimus standard for the relationship between a Covered Entity and a Business Associate, so that any party what has obtained PHI from a Business Associate is also deemed to fit within that category. For example, if a software vendor subcontracts with a third party to provide software maintenance services for a Covered Entity’s electronic health record, that subcontractor is a Business Associate and, if that subcontractor contracts with a programmer who actually provides those maintenance services, he/she also is a Business Associate. All of these Business Associates not only must comply with their own obligations, but they also must have a Business Associate Agreement with their subcontractors who fall within this classification.
Trend #3. Expanded number of breaches requiring notification.
Prior to the Rule, Covered Entities used a “harm standard” to determine what, if any notification was needed in the event of an unauthorized disclosure of PHI (a “breach”). Now, there is a presumption that notification must be given unless the Covered Entity or Business Associate can demonstrate that there is a low probability that the PHI was compromised, based on a 4-prong risk assessment: (i) The nature and extent of the PHI involved. (ii) The identity of the unauthorized person who used the PHI or to whom it was disclosed. (iii) Whether the PHI was actually acquired or disclosed. (iv) The extent to which the risk of disclosure has been mitigated.
Stephen H. Siegel is Of Counsel with the Miami office of Broad and Cassel and a member of the statewide firm’s Health Law Practice Group. He can be reached at (305) 373-9400 or
Share |