This post was also written by Elizabeth D. O’Brien.

On January 25, 2013, the HHS Office for Civil Rights published its long-awaited final rule implementing major changes to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules mandated by the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act). Among other things, the HITECH final rule:

  • Makes Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
  • Converts subcontractors of Business Associates that create, receive, maintain, or transmit protected health information (PHI) on behalf of the Business Associate into Business Associates themselves;
  • Requires authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product/service is being marketed;
  • Replaces the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
  • Mandates that Covered Entities and Business Associates comply with applicable requirements by September 23, 2013.

Please click here to read our detailed analysis of the HITECH Final Rule. As always, please contact Brad M. Rostolsky (215-851-8195), Nancy E. Bonifant (202-414-9353), Salvatore G. Rotella, Jr. (215-851-8123), or any other member of the Reed Smith Health Care Group with whom you work, if you would like additional information or if you have any questions.