HHS Issues Proposed Regulations to Strengthen HIPAA and Implement the HITECH Act

On July 8, 2010, Secretary Sebelius of the U.S. Department of Health and Human Services (HHS) issued a Proposed Rule designed to strengthen the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Enforcement Rules, as mandated by the subsequently enacted Health Information Technology for Economic and Clinical Health Act (HITECH Act).  The Secretary also announced a new website on which HHS will report its privacy breach enforcement activities.


Perhaps the most disturbing surprise to organizations that are Covered Entities under HIPAA is the indication in the Proposed Rule that they would be held directly liable for the HIPAA violations of Business Associates who are agents, rather than independent contractors, a troubling distinction that was first made under the HITECH Act breach notification requirements.  Specifically, the Proposed Rule would modify language in the Enforcement Rule so that Covered Entities remain liable for the acts of their Business Associate “agents,” regardless of whether the Covered Entity and the agent have a Business Associate Agreement in place.  This means that a Covered Entity would remain liable for the failures of a Business Associate that is considered an agent of the Covered Entity for the purpose of performing HIPAA obligations on the Covered Entity's behalf.  HHS explained that this would not impose liability on Covered Entities with respect to Business Associates that are not agents (e.g., independent contractors).


The HITECH Act made Business Associates of Covered Entities directly subject to the Security Rule and certain provisions under the Privacy Rule, and liable for noncompliance.  Under the Proposed Rule, Business Associates would also be directly subject to the Enforcement Rule penalty provisions.  Interestingly, in the Preamble to the Proposed Rule, HHS states that it seeks to clarify that a person is a Business Associate if the person or entity meets the definition of a Business Associate, even if there is no required Business Associate Agreement in place, and direct liability under the regulations would attach regardless of the absence of an agreement.


Subcontractors of Business Associates would also be subject to the same requirements as Business Associates.  Specifically, the Proposed Rule states that “downstream entities that work at the direction of or on behalf of a Business Associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary Business Associate, and likewise would incur liability for acts of noncompliance.”  Accordingly, a contract between a Business Associate and a subcontractor that requires the exchange of protected health information should contain all of the provisions required in a Business Associate Agreement.  In addition, subcontractors of Business Associates would be required to develop and implement the same “reasonable and appropriate” policies and procedures required by HIPAA, and to comply with the breach notification requirements under the HITECH Act.


Furthermore, the Proposed Rule proposes to add patient safety activities to the list of functions and activities that would give rise to a Business Associate relationship, thereby clarifying that Patient Safety Organizations are Business Associates.  The Proposed Rule also explicitly designates as Business Associates Health Information Organizations, E-prescribing Gateways, other persons that provide data transmission services with respect to protected health information and require routine access to that information, and personal health record (PHR) vendors who offer PHRs on behalf of a Covered Entity.  Significantly, HHS reiterates its earlier guidance that entities that act as “mere conduits” for the transport of protected health information, but do not access the information except randomly or infrequently, are not Business Associates.


The Proposed Rule would expand individuals’ rights to access their protected health information, and restrict certain types of disclosures of the information to health plans.  In addition, the Proposed Rule would set new limits on the use and disclosure of protected health information for marketing and fundraising activities, and prohibit the sale of protected health information without the individual’s written authorization.


In a press conference held on July 8, 2010, the same day the Proposed Rule was issued, the Secretary announced the launch of a new website to provide the public with information about the government’s efforts to protect privacy.  The Secretary also announced that the Office for Civil Rights (OCR) has redesigned the breach notification website required by Section 13402(e)(4) of the HITECH Act for the purpose of posting breaches of unsecured protected health information involving 500 or more individuals.  According to the Secretary, the website was redesigned to provide more transparency.  The breaches reported to the Secretary are now posted in a new, more accessible format that allows users to search and sort the reported breaches.  The new format includes brief summaries of cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary.


There will be a 60-day comment period commencing on July 14, 2010.  The Proposed Rule states that it will be effective 180 days after the date it becomes final.  However, because the HITECH Act is already effective, the prudent practice would be to follow the Proposed Rule until the final rule is published.


If you have questions regarding the Proposed Rule, please contact any member of Greenebaum’s Health, Health Insurance and Life Sciences Team.


To learn more about John R. Cummins and his practice, please visit his profile.


Even though the content of the above Greenebaum Doll & McDonald e-bulletin is primarily informative, state and federal law obligates us to inform you that THIS IS AN ADVERTISEMENT. You have received this advisory because you are a client or friend of the firm.

About Greenebaum Doll & McDonald PLLC
Greenebaum Doll & McDonald PLLC is a widely-respected business law firm with approximately 170 professionals in five offices, serving local, national and international clients in virtually every industry. A forward-thinking business law firm, Greenebaum is committed to the practice of Breakthrough Law®. For more information, visit


Copyright 2010 Greenebaum Doll & McDonald PLLC.  All Rights Reserved.







