This post was also written by Elizabeth D. O’Brien and Zachary A. Portin.

On January 25, 2013, the Office for Civil Rights of the United States Department of Health and Human Services published the long-awaited final regulation implementing many of the amendments and additions to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules directed by the 2009 Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

Noteworthy provisions of the HITECH Final Rule include:

  • Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
  • Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
  • Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
  • Replacing the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
  • Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.

Please click here to read our detailed analysis of the HITECH Final Rule. As always, please contact Brad M. Rostolsky (215-851-8195), Nancy E. Bonifant (202-414-9353), Salvatore G. Rotella, Jr. (215-851-8123), or any other member of the Reed Smith Health Care Group with whom you work, if you would like additional information or if you have any questions.