January 14, 2010

Countdown to Compliance:
Covered Entities and Business Associates Have Little Time Left to Comply With Certain New HIPAA Requirements

By: Joanna Napp

Last February, Congress included in the American Recovery and Reinvestment Act of 2009 (ARRA) provisions that revise and increase the scope of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Specifically, Title XIII of the ARRA, known as the “HITECH Act,” included both new and heightened HIPAA privacy and security requirements.  These requirements impact both “Covered Entities” and their “Business Associates” under HIPAA. Covered Entities and Business Associates must already be in compliance with Data Breach Notification Requirements (September 24, 2009, deadline), and they must be in compliance with many other requirements under the HITECH Act by February 17, 2010.

Here is a brief overview of what must be done before that fast-approaching deadline:

  • Both Business Associates and Covered Entities should immediately develop, adopt, and implement Data Breach Notification Policies and Procedures to comply with the already-effective “Breach Notification for Unsecured Protected Health Information” interim final rule.

  • As of February 17, 2010, Business Associates (i) must comply directly with HIPAA’s Security Rules (45 CFR §§ 164.308, 164.310, 164.312 and 164.316); (ii) must comply directly with the “business associate” provisions of HIPAA’s Privacy Rules (45 CFR 164.504(e)(2)); and (iii) must ensure that their Business Associate agreements with Covered Entities conform to the new mandates of the HITECH Act.  This means, prior to the deadline, each Business Associate should:

    • Adopt and implement HIPAA-compliant Security Policies and Procedures (including adoption and implementation of administrative, physical, and technical safeguards).

    • Adopt and implement guidelines and/or policies and procedures for complying with the Business Associate provisions of the Privacy Rule.

    • Review its current Business Associate agreements and update (amend) them to comply with the HITECH requirements.

    • Appoint a Security Officer and implement a HIPAA compliance review/risk assessment.

    • Train its workforce on compliance with the policies and procedures and the entity’s new obligations under the HITECH Act.

  • As of February 17, 2010, Covered Entities must (i) adhere to certain new marketing restrictions under HIPAA; (ii) provide, upon request, an electronic copy of an individual’s information contained in an electronic health record (EHR); (iii) adhere to the new minimum necessary use and disclosure requirements; (iv) ensure they have reviewed their Business Associate agreements and implemented any changes to bring those into compliance with the HITECH Act; and (v) determine whether any vendors or health information exchanges are Business Associates and enter into Business Associate agreements with them. Covered Entities that are providers must also permit an individual to prohibit disclosure of protected health information (PHI) from that provider to a health plan, if the PHI pertains solely to healthcare items or services for which the individual pays entirely out-of-pocket. This means, prior to the deadline, each Covered Entity must:

    • Review both its HIPAA Privacy and Security Policies and Procedures and revise them, as applicable, to conform them to the new requirements.  Each should implement any additional safeguards (security or otherwise) that are needed, and, if using EHRs, address the provision of electronic copies of an individual’s PHI contained in such EHRs.

    • Update personnel training to inform staff of the changes and new requirements for Covered Entities and their Business Associates.  This should include training on the Data Breach Notification Requirements.

    • Review and update (amend) all current Business Associate agreements to ensure compliance with the HITECH requirements.  Draft new form agreements for future use.

    • Determine what other entities are considered Business Associates (under HITECH’s expanded definition) and enter Business Associate agreements with those entities.

    • Review its Notice of Privacy Practices and update if needed.

Many organizations have been waiting for additional guidance from DHHS before implementing changes.  However, given the limited time left for many compliance obligations, it is imperative that Covered Entities and Business Associates move quickly to ensure compliance by the February deadline.

There are other new requirements under the HITECH Act that have deadlines occurring after February 17, 2010, and this e-Alert does not address those.  Please contact legal counsel for additional information on those.

Given the new and heightened enforcement penalties for both Covered Entities and Business Associates under the HITECH Act, it is imperative to bring your organization into compliance as soon as possible. 

Please contact Joanna Napp at 512.236.2292 or Jeff Drummond at 214.953.5781 if you have any compliance questions or need assistance in bringing your organization into compliance.





Jackson Walker L.L.P.

Health e-Alert is published by the law firm of Jackson Walker L.L.P. to inform readers of relevant information in health care law and related areas. It is not intended nor should it be used as a substitute for legal advice or opinion which can be rendered only when related to specific fact situations. For more information, please call 1.866.922.5559 or visit us at

©2010 Jackson Walker L.L.P.