New Duties to Protect Health Care Privacy Take Effect February 17, 2010

This is a guest post which was prepared by health care attorney Jennifer A. Stiller.  Thank you, Jenny, for taking the time to provide this information.  We are fortunate in that Jenny has agreed to provide another post, which will appear in another day or two.


Attorneys who represent doctors, hospitals, health insurance companies, and the like face new statutory obligations to take affirmative steps to ensure the privacy of their clients’ patient information when it is transmitted or stored electronically.  The new requirements, enacted as the “HITECH Act” portion of last year’s economic stimulus legislation, go into effect February 17, 2010.


Technically, many attorneys have already had such obligations under a “business associate” agreement with their healthcare industry clients. Most of those clients are “covered entities” under the HIPAA patient privacy regulations and, as such, are required to enter into such an agreement with any non-employee who “provides … legal … services to or for such covered entity where the provision of the services involves disclosure of individually identifiable health information…” 45 C.F.R. § 160.103.


But come February 17, there’s a new twist.  Previously, if the law firm did not live up to its contractual obligations concerning how patient information was to be handled, the worst it would face was being fired by its client and possibly a suit for breach of contract.  As of February 17, however, the law firm is directly liable to the federal government for having inadequate safeguards in place (regardless of whether private information is in fact compromised) – and the penalties for non-compliance can be stiff.



