Compliance Law Journal

26 Journal of Regulatory Compliance Vol. I entities). 19

HHS responded. On November 3, 1999, 20 and December 28, 2000, 21 HHS issued a proposed and final privacy rule (Privacy Rule) regulating covered entities’ uses and disclosures of PHI. On March 27, 2002, 22 and August 14, 2002, 23 HHS issued proposed and final modifications to the Privacy Rule. With the exception of technical corrections and conforming amendments, 24 these rules as reconciled remained largely unchanged between 2002 and 2009.

The nature and scope of the legal duties of confidentiality that applied to covered entities and their business associates (BAs) 25 changed significantly more than seven years ago. On February 17, 2009, President Obama signed ARRA into law.26 Division A, Title XIII of ARRA, better known as HITECH, contained certain provisions requiring HHS to modify some of the information use and disclosure requirements and definitions set forth in the Privacy Rule, adopt new breach notification rules, and amend the civil penalty amounts that may be imposed on covered entities and BAs who

19. Id. § 262(a) (“Any standard adopted under this part shall apply, in whole or in part, to the following persons: ‘( 1) A health plan. ( 2) A health care clearinghouse. ( 3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1173(a)( 1).’”). See generally Standards for Privacy of Individually Identifiable Health Information; Proposed Rule, 64 Fed. Reg. 59,918, 59,924 (Nov. 3, 1999) [hereinafter 1999 Proposed Rule] (explaining that HHS did not directly regulate any entity that was not a covered entity because it did not have the statutory authority to do so).

20. Id. at 59,918.

21. Standards for Privacy of Individually Identifiable Health Information; Final Rule, 65 Fed. Reg. 82,462 (Dec. 28, 2000) [hereinafter 2000 Final Rule].

22. Standards for Privacy of Individually Identifiable Health Information; Proposed Rule, 67 Fed. Reg. 14,776 (Mar. 27, 2002).

23. Standards for Privacy of Individually Identifiable Health Information; Final Rule, 67 Fed. Reg. 53,182 (Aug. 14, 2002).

24. See, e.g., Standards for Privacy of Individually Identifiable Health Information, Final Rule; Correction of Effective and Compliance Dates, 66 Fed. Reg. 12,434 (Feb. 26, 2001); Technical Corrections to the Standards for Privacy of Individually Identifiable Health Information Published December 28, 2000, 65 Fed. Reg. 82,944 (Dec. 29, 2000) [hereinafter Technical Corrections I].

25. Business associates (BAs) are defined to include individual and institutions who ( 1) on behalf of a covered entity, but other than in the capacity of a member of the workforce of a covered entity, create, receive, maintain, or transmit PHI for a function or activity regulated by the HIPAA Privacy Rule; and ( 2) provide, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the covered entity. See Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5,566, 5,688 (Jan. 25, 2013) [hereinafter Final Regulations] (adopting 45 C.F.R. § 160.103 and providing a new definition of business associate).