Regulatory: Examining the Final Rule modifying HIPAA

Implementing provisions of the Final Rule present both operational and fiscal challenges for business associates

On Jan. 25, 2013, the Department of Health and Human Services (HHS) published the “Final Rule” modifying the regulations under the Health Insurance Portability and Accountability Act (HIPAA). The Final Rule, which took effect on March 26, 2013, modified the standards previously set forth in the Privacy Rule, the Security Rule and the Enforcement Standards, and implemented statutory amendments under the Health Information Technology for Economic and Clinical Health (HITECH) Act by modifying the interim Breach Notification Rule. This article examines the Final Rule’s impact on business associates, such as certain third party administrators, consultants and accountants, and offers practical steps for compliance with the Final Rule by the Sept. 23, 2013, deadline.

The financial and operational impact on business associates will be significant because the Final Rule allows, for the first time, HHS Office for Civil Rights (OCR) to regulate business associates. OCR may now directly impose civil monetary penalties (CMPs) on business associates for non-compliance with HIPAA and its underlying regulations. CMPs can range from $100 to $50,000 per violation, with a cap of $1.5 million per year for multiple violations of identical HIPAA provisions in a calendar year. In addition, the business associate and certain employees, such as directors, employees or officers, may be subject to criminal penalties, including financial penalties and imprisonment. The Final Rule also expands the definition of “business associate” to capture additional individuals and entities that have access to protected health information (PHI). Unlike traditional covered entities, these new business associates are often smaller operations without an existing HIPAA-compliant infrastructure.

Contributing Author

author image

Deborah Gersh

Deborah Gersh is a partner at Ropes & Gray. Deborah represents a wide range of health care industry clients in mergers and acquisitions involving state...

Bio and more articles

Contributing Author

author image

Jennifer Romig

Jennifer Romig is an associate practicing in the health care group at Ropes & Gray. Jennifer provides regulatory, transactional, and compliance advice to a broad...

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.