Tick, Tock: Less than 60 Days to Comply with Updated HIPAA/HITECH Rules


There are now less than 60 days left for covered entities and business associates to implement provisions set forth in the final omnibus HIPAA/HITECH rules issued by the U.S. Department of Health and Human Services (HHS) in January 2013. Preparation will require updating applicable policies, procedures, and training by September 23, 2013. Business associate agreements (BAAs) entered into on or after January 25, 2013 must also be updated by September 23, 2013. Given increased enforcement activity and breach risk, many covered entities are updating BAAs executed before January 25, 2013 now, prior to the later deadline of September 22, 2014.

In addition, all of the Security Rule and most of the Privacy Rule will now apply directly to business associates, requiring them to implement appropriate administrative and security safeguards. Those same requirements must also be applied to subcontractors.

Among the most impactful of the changes was HHS’s decision to lower the standard for breach notification by eliminating the “harm threshold”. Now, rather than weighing the potential harm to the individual to determine whether notification is required, a breach will be presumed unless one of the three narrow exceptions to the rules applies or the covered entity completes the required risk assessment to demonstrate a “low probability” of risk that the information was actually compromised. The result of this lowered standard will be an increase in breach notifications, so covered entities should scrutinize applicable terms in their BAAs, update their incident response procedures, and consider appropriate insurance to address potential costs. Additional information on these breach notification updates is provided in our earlier alert.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
