Search ))
Minneapolis Law Firm




The economic stimulus act (“American Recovery and Reinvestment Act of 2009”) includes a section entitled “Health Information Technology for Economic and Clinical Health Act” or “HITECH Act,” which imposes new and enhanced HIPAA Privacy and Security requirements. The current HIPAA Privacy and Security Rules remain in effect to the extent they are not inconsistent with HITECH and will be amended to comply with HITECH. State laws also remain effective unless they are inconsistent with HITECH.


New HITECH Provisions Effective Date

Enforcement of HIPAA Privacy and Security


  • HHS can now bring criminal actions for violations (in addition to DOJ)
  • HHS must develop a HIPAA Privacy and Security Audit Program (compliance reviews will not be solely complaint driven)
  • Criminal action can be brought against anyone who wrongfully discloses PHI held by a Covered Entity, not just against Covered Entity
  • Civil penalties are significantly increased
  • State Attorneys General can bring civil actions on behalf of residents injured by violations and attorneys fees may be recovered
  • Individuals may share in civil recoveries (penalties or settlements)
  • Civil and criminal actions and penalties can be brought against Business Associates (effective February 17, 2010)

Increased penalties and AG enforcement effective for violations occurring after February 17, 2009








Individuals may share in recovery once regulations are issued (no later than February 17, 2012)

Business Associate compliance obligations 


  • Business Associates will have a direct (rather than just contractual) obligation to comply with all HIPAA Security Requirements, including maintaining policies and procedures
  • Business Associates have a direct (rather than just contractual) obligation to comply with the Business Associate provisions of the Privacy Rule (Privacy Rule section 164.504(e)(2))
  • Business Associate Agreements must now include the new HITECH Privacy and Security provisions


February 17, 2010










Expanded definition of Business Associate


  • Organization providing data transmission of PHI that requires access to the PHI on a routine basis must enter into HIPAA compliant Business Associate Agreement
  • Vendors of Personal Health Records may become Business Associates. Vendors of Personal Health Records are organizations that offer or maintain an electronic record of an individual’s health information that is managed, shared and controlled by or primarily for the individual



February 17, 2010




By February 17, 2010 HHS and FTC will report on security and privacy requirements that should apply to PHR vendors

Privacy and Security Breach Notification Requirements


  • In the event of a privacy or security breach with respect to “unsecured” PHI, Business Associate must notify the Covered Entity, and the Covered Entity must notify the subject individual (PHI is unsecured unless rendered unusable, unreadable or indecipherable by a technology approved by HHS)
  • Covered Entity must notify HHS immediately of all breaches involving 500 or more individuals (HHS will post these on its website)
  • Covered Entity must notify the prominent media outlets servicing a state or jurisdiction if over 500 individuals in that state or jurisdiction are affected
  • Covered Entity must notify HHS annually of all breaches involving less than 500 individuals
  • Vendors of Personal Health Records (as well as other entities providing service related to personal health records) are subject to the breach notification requirements; failure to notify is an “unfair and deceptive trade practice” and FTC can enforce compliance and impose penalties for violations

HHS and FTC must issue regulations by August 17, 2009, with compliance required 30 days later
















Expanded Accounting of Disclosures  


Covered Entities must track and provide accounting for disclosures of electronic health records (EHRs) for Treatment, Payment and Health Care Operations

 For EHRs held on January 1, 2009, effective date is January 1, 2014; for EHRs acquired after January 1, 2009, effective date is the later of January 1, 2011 or the date of acquisition of the EHR (HHS may extend these dates)

Additional “marketing” restrictions  


Covered Entity or Business Associate may not exchange PHI for direct or indirect payment without the individual’s Authorization, including as part of health care operations (there are a few exceptions noted in HITECH)

Some marketing restrictions effective February 17, 2010


HHS must issue regulations by August 17, 2010, to be effective 6 months later, on the sale or exchange of EHRs

Individual has right to request electronic access to and transmission of his or her electronic health record February 17, 2010
Individual has right to prohibit disclosure of PHI by Provider to Health Plan for any purpose when individual pays entire cost of care out of pocket February 17, 2010

Minimum Necessary Use and Disclosure 


  • Covered Entities will satisfy the “minimum necessary” standard of disclosure only if PHI is limited “to the extent practicable” to the limited data set (subject to all current exceptions to minimum necessary standard). “Limited data set” means that all individually identifiable information about an individual or his or her family members have been removed except age, address (only city, state and zip code are permitted) and dates (if they are reasonably necessary for the purpose of the disclosure) may be retained.
  • HHS is required to issue guidance defining the “minimum necessary”

Effective February 17, 2010, but only until guidance on minimum necessary is issued





HHS must issue guidance by August 17, 2010


Covered Entity General Task List

Due to increased penalties and enforcement and the new HIPAA Privacy and Security Requirements, Covered Entities, including employer-sponsored group health plans, should:


  • Review and update HIPAA Privacy and Security Policies and Procedures and confirm that they are being followed
  • Develop and implement detailed Breach Notification Policy
  • Implement additional HIPAA Security safeguards as needed
  • Provide training on the HIPAA Privacy and Security Policies and Procedures
  • Confirm that BA Agreements are in place with all Business Associates and update to comply with the new requirements
  • Enter into a BA Agreement with any Personal Health Records Vendor
  • Update Notice of Privacy Practices as necessary

Business Associate General Task List


Organizations that are Business Associates or that have entered into Business Associate Agreements should:


  • Enter into Business Associate Agreements only when necessary
  • Update Business Associate Agreements to include expanded requirements
  • Conduct a HIPAA Privacy and Security compliance review
  • Appoint a HIPAA Security official responsible for HIPAA Security compliance
  • Develop and implement HIPAA Security Policies and Procedures to comply before February 17, 2010
  • Develop and implement a Breach Notification Policy
  • Develop and implement written guidelines for complying with HIPAA Privacy Business Associate requirements


Contact Us

The Employee Benefits Group at Oppenheimer Wolff & Donnelly LLP would be pleased to assist you, should you have any questions regarding the content of this alert.

This alert is a copyrighted publication produced by Oppenheimer Wolff & Donnelly LLP. The information contained in this alert is of a general nature and is subject to change. Readers should not act without further inquiry and/or consultation with legal counsel.