26 Journal of Regulatory Compliance Vol. I
entities). 19
HHS responded. On November 3, 1999, 20 and December 28, 2000, 21 HHS
issued a proposed and final privacy rule (Privacy Rule) regulating covered
entities’ uses and disclosures of PHI. On March 27, 2002, 22 and August 14,
2002, 23 HHS issued proposed and final modifications to the Privacy Rule.
With the exception of technical corrections and conforming amendments, 24
these rules as reconciled remained largely unchanged between 2002 and
2009.
The nature and scope of the legal duties of confidentiality that applied to
covered entities and their business associates (BAs) 25 changed significantly
more than seven years ago. On February 17, 2009, President Obama signed
ARRA into law. 26 Division A, Title XIII of ARRA, better known as
HITECH, contained certain provisions requiring HHS to modify some of the
information use and disclosure requirements and definitions set forth in the
Privacy Rule, adopt new breach notification rules, and amend the civil
penalty amounts that may be imposed on covered entities and BAs who
19. Id. § 262(a) (“Any standard adopted under this part shall apply, in whole or in part,
to the following persons: ‘(1) A health plan. (2) A health care clearinghouse. (3) A health care
provider who transmits any health information in electronic form in connection with a
transaction referred to in section 1173(a)(1).’”). See generally Standards for Privacy of
Individually Identifiable Health Information; Proposed Rule, 64 Fed. Reg. 59,918, 59,924
(Nov. 3, 1999) [hereinafter 1999 Proposed Rule] (explaining that HHS did not directly regulate
any entity that was not a covered entity because it did not have the statutory authority to do
so).
20. Id. at 59,918.
21. Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65
Fed. Reg. 82,462 (Dec. 28, 2000) [hereinafter 2000 Final Rule].
22. Standards for Privacy of Individually Identifiable Health Information; Proposed Rule,
67 Fed. Reg. 14,776 (Mar. 27, 2002).
23. Standards for Privacy of Individually Identifiable Health Information; Final Rule, 67
Fed. Reg. 53,182 (Aug. 14, 2002).
24. See, e.g., Standards for Privacy of Individually Identifiable Health Information, Final
Rule; Correction of Effective and Compliance Dates, 66 Fed. Reg. 12,434 (Feb. 26, 2001);
Technical Corrections to the Standards for Privacy of Individually Identifiable Health
Information Published December 28, 2000, 65 Fed. Reg. 82,944 (Dec. 29, 2000) [hereinafter
Technical Corrections I].
25. Business associates (BAs) are defined to include individuals and institutions who (1)
on behalf of a covered entity, but other than in the capacity of a member of the workforce of
a covered entity, create, receive, maintain, or transmit PHI for a function or activity regulated
by the HIPAA Privacy Rule; and (2) provide, other than in the capacity of a member of the
workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation,
management, administrative, accreditation, or financial services to or for the covered entity.
See Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification
Rules under the Health Information Technology for Economic and Clinical Health Act and the
Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78
Fed. Reg. 5,566, 5,688 (Jan. 25, 2013) [hereinafter Final Regulations] (adopting 45 C.F.R. §
160.103 and providing a new definition of business associate).
26. ARRA, supra note 4.