

Posted by attorney John Peick

Who knew? All the hubbub over the stimulus package signed by President Obama on February 17, 2009 and what do we discover but amendments to HIPAA. Rather sweeping changes to HIPAA arise from this stimulus package and have been labeled as HITECH amendments.

Some of the highlights of the amendments are as follows:

  1. Business associates (BA) of covered entities (CE) are now directly bound by the same privacy and security provisions of HIPAA & HITECH.

  2. CEs and BAs must notify victims (patients) of any breach of information security within 60 days of the breach. If the breach of security affects more than 500 patients, then the Secretary of Health must be notified.

  3. There is an increased, tiered penalty structure, with fines ranging from $25,000 to $1.5 million, and fines are mandatory for willful neglect. Failing to have a security compliance plan will be deemed "willful neglect".

  4. CEs and BAs must limit the use and disclosure of PHI to the "minimum set necessary to accomplish the intended purpose."

When a breach occurs, the notification requirements are specific in terms of content, timing and obligations to ensure contact with the individuals affected by the breach. The burden is on the HIPAA covered entity or business associate to affirmatively demonstrate compliance with the notification rules.

According to the International Association of Privacy Professionals (IAPP) the major challenges for any healthcare organization are as follows:

  1. Re-evaluation of existing practices. Covered entities and business associates will need to reassess where and how information is stored, and how to de-identify to meet minimum data set requirements while balancing the professional obligation to maintain accurate patient information for several years.

  2. Designing and implementing a business associate relationship. The covered entity must still ensure its business associates are handling the information appropriately.

  3. Dealing with breach notification rules. Small scale data breaches will still need to be disclosed and resolved with increased expense.

Three immediate steps will provide a solid foundation for compliance with the new requirements:

A. Conduct a thorough, risk-based assessment of current practice related to your PHI assets and their lifecycle.

B. Encrypt all your computers.

C. Create and implement a comprehensive plan for data breach notification and follow-up.

Security and informational breaches can not only be expensive from a penalty standpoint, but can devastate your organization's credibility. Security of PHI is a critical part of your organization's well-being. The HITECH Act creates additional requirements which affect every aspect of your operation, including business practice, healthcare processes, IT and data security, retention and monitoring, contracts and business relationships.

We recommend getting your forms, training and compliance readiness from a third-party vendor:
