Pierce & Mandell, P.C.

11 Beacon Street, Suite 800
Boston, Massachusetts 02108-3002

Phone: (617) 720-2444
Fax: (617) 720-3693


Health and Dental Law



Monday, July 01, 2013

The federal HHS Office of Civil Rights recently adopted final HIPAA regulations covering a broad range of topics, to strengthen privacy and security protections for individual health information.  This blog is another in a series examining these new regulatory requirements.   

By Dean P. Nicastro, Esq.

The new HIPAA Final Rule for Privacy, Security, Enforcement and Breach Notification (adopted in January 2013) creates new obligations for Business Associate Agreements (“BAA”) between physicians, hospitals and other health care providers (“Covered Entities”), and those contractors who perform services for them involving the use or disclosure of Protected Health Information (“PHI”).

As was mentioned in a previous blog, HIPAA now defines “Business Associate” (“BA”) to include a BA’s subcontractors who create, receive, maintain or transmit PHI on the BA’s behalf. The new Final Rule goes on to require that a BAA between a Covered Entity and its BA must require the BA to ensure that the BA’s subcontractors comply with HIPAA privacy and security requirements. Effectively, and as a mandate, this means that the Covered Entity’s BA must have in place a separate BAA with the BA’s subcontractor.

HIPAA makes clear that the Covered Entity need not have a BAA in place directly with the BA’s subcontractor. However, the Final Rule puts the burden on the Covered Entity to arrange for subcontractor compliance, by requiring the BA to obtain compliance assurance from its subcontractor. Thus, HIPAA BAAs between health care providers and their servicing vendors need to be revised and updated to include these “downstream” subcontractor compliance obligations.

Care should be exercised when drafting the updating revisions: for example, the main BAA should require that the downstream BAA mirror the BA’s privacy and security obligations; additionally, it may be advisable to expressly disavow any relationship of agency between the Covered Entity and the subcontractor.

Finally, when updating a BAA template, it would be helpful to include language of compliance with Massachusetts law and regulations that protect the security and disposal of data that contains personal information, like names and social security or financial account numbers.  Massachusetts consumer regulations require that a service provider contract be in place with vendors who access such data, so it is a good idea to have the HIPAA BAA serve as such a contract as well.  

In general, the HIPAA Final Rule must be complied with by September 23, 2013.  The federal HHS Office of Civil Rights has posted some helpful sample language for BAAs on its website.

Please contact the health law professionals at Pierce & Mandell for additional information on this subject.

New HIPAA Limitations and Changes

Monday, April 01, 2013


The United States Department of Health and Human Services Office of Civil Rights final modified HIPAA regulations under the HITECH Act are now in effect and health care providers must achieve compliance with all of the new requirements by September 23, 2013. This is one in a continuing series of blogs from Pierce & Mandell, P.C. describing some of the major changes health and dental practices, hospitals and other health care facilities must be following by that date.

By Kate Auerbach, Esq., Rebecca Merrill, Esq.  and William Mandell, Esq.


The modified HIPAA Privacy Rule redefines ‘marketing’ and increases the limits on the use and disclosure of protected health information (“PHI”), including patient contact information, by health care providers to do marketing.

Previously, marketing was defined as communication about a product or service to encourage individuals to purchase or use the product or service. While providers previously had to obtain a patient’s written authorization before using or disclosing their contact information for marketing purposes, the HIPAA Privacy Rule has allowed for several broad exceptions to securing patient authorization, including any communication about products or services offered by the provider itself or that recommended alternative treatments.

Under the modified Privacy Rule, starting on September 23, 2013, providers will now have to secure their patients’ written authorization in order to use their contact information for marketing about health-related products or services if the provider or its business associates receive any financial remuneration in exchange for making the marketing communication from or on behalf of the third party whose product or service is being described. The modified rule does include an exception for refill reminders or communications about a medication being prescribed as long as the only remuneration received is reasonably related to costs of making the communication (labor, supplies, & postage). For example, if a medical practice sent a mailing without advance patient authorization about a new medication on the market and received compensation the practice could violate HIPAA (such remuneration, however, could raise fraud and abuse compliance issues). However, if the practice sent information about refilling a prescription and was reimbursed for the cost of the mailing it would not need to secure written authorization from the recipient/patients.

Under the modified Privacy Rule, marketing authorization forms must disclose to the patients the remuneration received by the provider from the third party and must also state that the patient may revoke the authorization at any time.     

There are exceptions to this authorization requirement.   If a communication is made face-to-face by a practitioner to a patient or if a promotional gift of nominal value is given, then advance patient written authorization is not required.  Additionally, refill reminders, adherence reminders and delivery system instructions are allowed without pre-authorization, as long as the remuneration received is reasonably related to the cost of making the communications, and the provider does not make a profit.  


The original HIPAA Privacy Rule allowed non-profit providers to use, or disclose to a business associate or an institutionally related foundation, specific types of information about patients for fundraising activities without advance authorization, including demographic information and dates of service.   

The modified Privacy Rule creates additional categories of PHI that can be used for targeted fundraising communications.  These categories include: (i) department of service (general department of treatment); (ii) treating physician information; (iii) outcome information, and (iv) health insurance status.  This expanded scope of permissible information flow for fundraising related uses and disclosures is intended to permit non-profit providers to develop more focused fundraising efforts to particular individuals.    

However, HIPAA now requires, starting on September 23, 2013, that fundraising communications to patients include a clear and conspicuous opportunity for the patient to “opt out” of receiving further fundraising communications. The opt-out method can be chosen by the provider but it must not cause an “undue burden” to patients and they cannot be required to write letters to the provider in order to opt out of having their PHI used for fundraising purposes. Once a patient elects to opt out, the provider is absolutely prohibited from sending any more fundraising communications. Non-profit providers are also prohibited from conditioning treatment or payment on a patient’s choice not to receive fundraising communications.

Obviously, these new requirements and limitations imposed on providers that do fundraising will add to their administrative burden and cost as a result of the need to avail patients of an opt-out or opt-in system and to track and ensure properly targeted marketing to patients and their families.   

Sale of PHI.

The modified HIPAA Privacy Rule also prohibits the sale of PHI by a covered entity or business associate. “Sale” is defined as the receipt of remuneration, directly or indirectly, in exchange for PHI, without patient written authorization, unless the sale meets a specified exception.  

There are eight exceptions to this sale of PHI prohibition, which include: (1) for public health activities; (2) for research, where the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose; (3) for treatment and payment purposes; (4) for the sale, transfer, merger or consolidation of all or part of the covered entity and related due diligence; (5) to or by a business associate, if the only remuneration is provided by the covered entity to the business associate for the performance of its contracted services; (6) providing an individual with access to his or her PHI; (7) for disclosures required by law; and, (8) for any other purpose permitted by and in accordance with the applicable requirements of the Privacy Rule, where the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose, or a fee otherwise expressly permitted by other laws.

Modification to Notice of Privacy Practices and Health Information Policies and Procedures

No later than September 23, 2013 all providers that are covered entities under HIPAA must modify their required HIPAA Notice of Privacy Practices (“NPP”) and Health Information Policies and Procedures to incorporate the above mentioned changes on the patient privacy rights as to the use and disclosure of their health and personal information for marketing, fundraising and sales purposes, as well as the other new rights established under the HIPAA modified Privacy Rule. These include:

  • Right to limit any use or disclosure of PHI for certain sales, marketing and fundraising purposes before granting written authorization
  • Right to restrict disclosure of PHI to a health plan when the patient opts to pay the provider in full directly out of pocket
  • Right to be informed by a provider or other covered entity of any breach of unsecured PHI
  • Right to obtain electronic copies of PHI
  • Any uses and disclosure of PHI for treatment, payment or operations not stated and described in the NPP may only be upon patient written authorization.
  • Any prior written authorization granted may always be revoked.

Providers should be moving forward now to update their NPPs and Policies to reflect the new requirements in the modified HIPAA Privacy Rule. Care should be taken in the drafting of the modified NPP as it will now dictate if written authorization is needed for certain uses and disclosures even beyond those otherwise required under more stringent applicable state privacy laws. The new form of the NPP does not have to be shared with existing patients. It only needs to be posted on the provider’s website and in a prominent place in its office or facility and given to all new patients during their first encounter or admission starting no later than September 23, 2013.

Please feel free to contact the health law attorneys at Pierce & Mandell if you desire additional information on this subject.

New HIPAA Regulations Impact Health Care Providers and Business Associates - Boston, MA

Monday, March 18, 2013
The federal HHS Office of Civil Rights recently adopted final HIPAA regulations covering a broad range of topics, to strengthen privacy and security protections for individual health information.  This blog is Part 1 in a series.   

By Dean P. Nicastro, Esq.

Business Associates.

The new HIPAA regulatory amendments make business associates directly liable for various requirements in the HIPAA Privacy and Security Rules.  In particular, the amendment to the general applicability provision at 45 C.F.R. §160.102(b) states: “Where provided, the standards, requirements, and implementation specifications [of HIPAA privacy and security] apply to a business associate.”  Similar language has been added for both the Security Rule and the Privacy Rule (including particularly with respect to the protected health information (PHI) of a covered entity) at 45 C.F.R. §164.104(b) and 45 C.F.R. §164.500(c).  In effect, this means that business associates must implement administrative, physical and technical safeguards, and implement and document reasonable and appropriate policies and procedures, to protect PHI and electronic PHI under both the Security Rule and the Privacy Rule.

The amendments go on to expand the definition of a “business associate.” The term now includes Health Information Organizations, E-prescribing Gateways, personal health record providers, and, most significantly, subcontractors of a business associate that create, receive, maintain or transmit PHI on behalf of the latter. A definition of “subcontractor” has also been inserted: “a person to whom a business associate delegates a function, activity or service.” HIPAA obligations thus now reach downstream entities that access or handle PHI of the main covered entity.

Additionally, the amendments add business associates to the HIPAA Enforcement Rule, in order to implement the imposition of liability for civil money penalties (CMPs) upon business associates for various HIPAA violations.

The new rules for business associate compliance become effective on March 26, 2013, and must be complied with by September 23, 2013.  Existing business associate agreements that were compliant with pre-existing regulations are deemed compliant with the new rules until the earlier of September 22, 2014 or the date the agreement is renewed or modified on/after September 23, 2013.

HIPAA Enforcement Rule.

The HIPAA regulatory amendments also strengthen HIPAA enforcement:

  • Private Complaints - HHS will investigate complaints about non-compliance filed by private persons when preliminary review of facts indicates possible violation due to willful neglect
  • Compliance Reviews - HHS will conduct a compliance review when preliminary review of facts indicates possible violation due to willful neglect
  • Resolution of such investigations or compliance reviews can result in the imposition of CMPs or a determination of no violation
  • HHS may, for criminal or civil law enforcement activities, share PHI obtained in an investigation or compliance review with other legally-permitted governmental agencies (including state attorneys general)
  • Covered entities liable for violations by their business associates, and vice versa
    • governed by federal common law of agency
  • Increased tiered CMP penalty structure for violations, that takes into account whether the covered entity or business associate would have known of the violation, whether the violation was due to willful neglect or reasonable cause, and was corrected within 30 days
  • HHS will determine CMP amounts, considering mitigating or aggravating factors
    • nature and extent of violation (number of affected individuals, time period)
    • nature and extent of harm (physical, financial, reputation, patient’s ability to obtain health care)
    • prior compliance/violations
    • financial condition
    • other matters as justice may require

Covered entities and their business associates should be moving forward now that these final rules have been issued to review and update their business associate agreement templates and compliance policies accordingly.

Please contact the health law attorneys at Pierce & Mandell for additional information on this subject.
