By Kirk Nahra, CIPP
The new Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements, imposed by the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), will have a significant impact on the privacy and security of healthcare information, and on the compliance obligations for affected healthcare companies. While the healthcare industry itself struggles to implement these new requirements, the biggest changes may impact HIPAA business associates—the service providers to the healthcare industry. These companies—for the first time—will be covered directly by most of the HIPAA rules. Meeting these new requirements will be a substantial challenge, and business associates need to move quickly to develop an appropriate plan to ensure compliance by the February 2010 HITECH deadline.

HIPAA background

The HIPAA era began with the passage of the Health Insurance Portability and Accountability Act of 1996. While “HIPAA” now means many things to many people, at its foundation, the HIPAA law focused on “portability,” the idea that individuals could “take” their health insurance coverage from one employer to the next, without having pre-existing health conditions acting as an impediment to job transitions.
When Congress passed HIPAA, it also added into the mix a variety of other topics related to the healthcare industry (such as creating large funding for what has now become more than a decade-long fight against healthcare fraud). One of the policy mandates adopted in HIPAA was to move toward standardized electronic transactions for the healthcare industry. The idea was that certain “standard transactions”—like the submission of a health insurance claim and the payment of that claim—could be standardized, and thereby create efficiency savings and more effective results. (Keep this in mind as you consider the current debate about electronic health records and their potential impact on the healthcare system). With these standardized transactions came a concern about healthcare information being put into electronic form, with the resulting requirements for the creation of the HIPAA Privacy Rule and the HIPAA Security Rule.

But this background also led to one key component of these rules: the limits on the applicability of these rules to “covered entities”—the entities (such as doctors, hospitals, and health insurers) who might be participating in these standardized transactions. The law mandated the rules—but restricted their application to those covered entities only.

Accordingly, when the Department of Health and Human Services (HHS) began to develop these rules, it was faced with a significant limitation on its jurisdiction—it could apply the rules only to covered entities. HHS developed a creative solution to respond to a key fact about the healthcare system. While the covered entities are core participants in the industry, they rely on tens of thousands of vendors to provide them services, with many of these services involving patient information. Therefore, the concept of a “business associate” was born—an entity that provides services to the healthcare industry where the performance of those services involves the use or disclosure of patient information.

Because HHS had no direct jurisdiction over these “business associates,” HHS imposed an obligation on the covered entities to implement specific contracts with these vendors that would create contractual privacy and security obligations for these vendors. The failure to execute a contract would mean that the covered entity violated the HIPAA rules. A business associate’s failure to meet a contractual privacy standard would be a breach of that contract, but would not subject the business associate to government enforcement, because the business associate was not regulated under the HIPAA rules. This system has existed since the inception of the HIPAA Privacy Rule in 2003.

The primary changes

Now, in the HITECH Act, Congress has blown this HIPAA structure to bits, by imposing direct legal compliance obligations on business associates. Although this legislation does not turn business associates into covered entities, it does impose—for the first time—direct accountability on these business associates, with potential civil and criminal liability for a failure to meet these requirements.

While there are many changes to the HIPAA rules, three developments stand out from the rest:

   1. More enforcement risk
      It was widely anticipated that the Obama Administration would be more aggressive about HIPAA enforcement than its predecessor. Independent of this inclination, the new legislation creates substantial new opportunities for aggressive enforcement of the HIPAA rules. Over the course of the next few years, we can expect these changes to produce a fundamental shift in the overall enforcement of the HIPAA Privacy and Security Rules.

      First, the provisions increase substantially the penalties that are available for violations of the rules, from the current high of $25,000 to as much as $1.5 million. Fines are mandatory in situations involving “willful neglect.”

      Second, state Attorneys General (AGs) now have clear and explicit authority to enforce the provisions of the HIPAA rules. While state AGs have initiated healthcare-related privacy and security actions in the past, relying on their inherent authority to act to protect citizens of a state, this new provision essentially creates a parallel enforcement environment for HIPAA violations. On the one hand, this enforcement is limited in meaningful ways, mainly in terms of amounts that can be sought by the state AGs. On the other hand, however, this approach creates realistic risks of differing standards and inconsistent action across differing states, most likely without the procedural protections of the HIPAA Enforcement Rule.

      Third, correcting what many saw as an oversight in the prior HIPAA provisions, the legislation now permits enforcement actions against individuals employed by healthcare entities. Even though the Department of Justice has creatively pursued a limited number of criminal cases against individual employees (mainly where identity theft, healthcare fraud, or some other serious criminal activity is combined with the HIPAA issue), this new provision creates a broader and more explicit opportunity for enforcement against individuals.

   2. Security-breach notification
      At the same time that enforcement actions are given new strength, the legislation also creates a new federal security-breach notification requirement for the healthcare industry. Most security breaches—including many events that have not historically been thought of as security breaches—now must be disclosed not only to consumers but also to HHS and, in some situations involving larger breaches, even to the media.

      This provision creates a new notification standard for the healthcare industry—whether the breach has anything to do with an electronic health record or not. While clearly there are open questions about details of the legislation, this provision is broader than most relevant state notification laws because it (1) applies to breaches involving any kind of personal information held by healthcare companies (not merely the specific categories—such as Social Security numbers—that are the subject of state laws), and (2) does not include any “risk of harm” threshold. Therefore, this provision will require reporting of a wide range of security breaches, regardless of the sensitivity of the information involved or the realistic risk of any harm from the breach.

      For the healthcare industry at large, this breach-notification requirement may be the single most significant provision of this legislation—and the one that is likely to affect a large number of companies most quickly and publicly. Because the notice requirement applies only to “unsecured” information, this legislation also may accelerate the movement toward encryption of a wider range of healthcare data.

   3. Extension of HIPAA requirements to business associates
      The other change that will generate enormous work for the healthcare industry and its business partners will be a series of provisions that essentially extend full compliance responsibility for the HIPAA Privacy and Security Rules to the business associate category—all of the companies that provide services to the healthcare industry. Today, these vendors must sign a contract with their healthcare client that extends certain HIPAA provisions by contract to the business associate. The new provisions will obligate these business associates by law to follow most HIPAA provisions, rather than just the handful that have been required to be included within the business associate contracts. Again, this provision seems to have nothing to do (specifically) with electronic health records. It clearly extends HIPAA coverage to all business associates, whether they deal with electronic health records or not.

      For the healthcare industry, these rules also create an apparent large-scale obligation: the need to revise all existing business associate contracts to incorporate these new requirements. Healthcare companies—with full memory of the difficulties of compliance with the initial HIPAA business associate contracting requirements in 2003—should promptly begin to develop model language and an approach to overall modification of thousands of business associate contracts.

Areas of impact for business associates

Between the extension of the HIPAA rules to business associates, the new enforcement environment, and the significant concern and confusion about security breaches, the overall risks from the healthcare privacy structure are now magnified significantly for business associates. Business associates will need to review these provisions promptly, and identify where their current compliance policies are insufficient for this new environment.

What are the major areas that will deserve attention?

The HIPAA Privacy Rule

The HITECH provisions are somewhat confusing on how the Privacy Rule will be applied to business associates. It is clear that not all portions of the Rule will be applied to business associates. For example, there is no obligation for business associates to prepare and distribute a privacy notice to individual patients. This makes sense, since many business associates will be unknown to the patient community.

As a general matter, HITECH indicates that business associates must, by law, follow the provisions of the business associate contract that are mandated by the Privacy Rule. For business associates—who presumably have been following these contractual provisions for the past several years—there should be no significant new obligations; but the risks from a failure to meet these obligations have grown. All business associates should take this opportunity to re-evaluate their policies and procedures for meeting these requirements.

The HIPAA Security Rule

The HIPAA Security Rule presents significantly more challenges. Today, under a business-associate contract, a business associate has only limited obligations under the Security Rule. For example, the business associate must “[i]mplement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity.” This translates—for most business associates—into an obligation to maintain reasonable and appropriate security practices. However, now that business associates must comply with the overall HIPAA Security Rule, a substantially different compliance approach will be required. In particular, while the HIPAA Security Rule is very “process-oriented,” the detailed process is quite different from what most companies go through for reasonable security. In particular, there is an extensive list of particular topic areas for review, and the requirement to develop policies and procedures to document the choices that have been made. Accordingly, moving from “reasonable and appropriate” security standards to “HIPAA compliant” security standards may require a very substantial effort for many business associates. This effort will need to begin quickly.

Breach notification

As with many of the state laws, the obligation of a “business associate” under the HITECH breach-reporting provisions is to report a breach to the covered entity—much like the current reporting structure for “security incidents” under the Security Rule. For business associates, it will be critical to implement a program to identify these breaches, investigate them promptly and report them to customers. In addition, this provision creates some challenges for the business associate contracting process. Because the notice provision will be applicable to breaches that occur 30 days after the implementing regulation is issued—which is required to be issued within 180 days of passage of the law—this provision will take effect before most of the other provisions of the law. Business associates should anticipate pressure from customers to execute these agreements on a quicker timetable than otherwise would be required.

The planning process

With these new requirements and risks for business associates, how does a business associate work its way through these challenges?

The biggest challenge will be to manage the business associate contracting process. This will involve both timing and substantive issues. Companies that are business associates will want to promptly identify a strategy for this process, to assess the volume of contracts affected and the substance of what these documents should say. Moreover, companies should anticipate a wide range of new demands from healthcare customers related to these rules (and perhaps other topics as well). Companies should pay close attention to the “required” elements of a business associate contract, which will change somewhat but not dramatically, and should also carefully consider any proposed extension of these requirements to new or greater obligations than the law requires.

Security planning

Companies need to begin their security rule compliance efforts now. For some companies, this effort will mainly involve documentation—understanding the requirements of the HIPAA Security Rule and converting current security policies and procedures into HIPAA-compliant documents. For other companies, particularly those without well-developed information-security programs, the required efforts may be much more substantial. It will be critical to involve personnel beyond the information technology (IT) department in these efforts—the Security Rule requires a variety of steps beyond the usual expertise of IT departments (involving personnel policies, training, and other areas). Moreover, when HIPAA-covered entities went through the Security Rule compliance process, they found that the biggest challenge often was to “translate” security practices into meaningful policies and procedures that can be understood by the workforce and presented (if necessary) to customers and regulators.

Breach planning and education

In addition to an overall security process, business associates will need to develop security-breach notification plans. These will require not only a thorough process for investigating breach reports and mitigating potential damage, but also an internal education and training plan along with a communications strategy for reporting these breaches to customers. This is an area where the risks are quite high because any security breach notification situation involves a security failure of some kind. Moreover, these breach-reporting provisions may be the most complicated part of the business associate contracting process—because covered entities will be pushing for quick reporting with detailed investigative information about the breaches, along with provisions dictating financial responsibility for the results of breaches.

Overall compliance review

In addition, companies must conduct an overall compliance review to ensure that appropriate practices are in place. While there clearly are new requirements imposed by HITECH, business associates also must review their existing contractual obligations and practices. While many business associates have been diligent about their overall HIPAA compliance, others have taken a more “hands off” attitude based on a “low-risk” evaluation. Given the wide-ranging set of new obligations and the increased enforcement risks, this may no longer be an appropriate risk management approach.

Segregation of activities

Another challenge may be more subtle, but may be very important for some companies. If your company provides services only to the healthcare industry, you may not need or want to segregate your “HIPAA” component from your other activities. For other companies—where the healthcare industry is one of many industries serviced by your company—you may wish to evaluate whether there are reasonable means of separating the healthcare practices from those other areas so that the needs for HIPAA compliance do not bleed over into areas where meeting such rigorous requirements is not necessary. This may be easier to do on the privacy side than in connection with security. In fact, an inability to complete this segregation may mean that security compliance efforts are even more significant. This issue requires a careful evaluation of the HIPAA obligations in the context of your overall business activities.

For HIPAA business associates, there are broad new compliance obligations, coupled with significantly enhanced enforcement risks. While these challenges clearly are manageable, they require careful analysis and a thoughtful plan to respond to the many likely issues.

Kirk J. Nahra is a partner with Wiley Rein LLP in Washington, DC. He will present “Making Sense of the New Healthcare Privacy and Security Rules” on Friday, September 18 at the Privacy Academy 2009 in Boston.