When Congress passed HIPAA, it presented the health care industry with an enormous task: compliance with stringent new standards governing patient privacy, security, transactions, and code sets. HIPAA means rethinking and restructuring your enterprise from multiple perspectives—legal, regulatory, process, security, and technology—while you educate your employees to work and think differently.
On February 17, 2009, President Obama signed P.L. 111-05, the American Recovery and Reinvestment Act (ARRA), into law, which includes HITECH. HITECH extends HIPAA privacy and security requirements directly to traditional business associates, and treats health information exchange organizations, regional health information organizations, e-prescribing gateways, and personal health record (PHR) vendors that provide PHRs to covered entities as business associates. This extension subjects all business associates directly to civil and criminal penalties. We understand the responsibilities and burdens that state law, HIPAA, and HITECH impose upon our clients, and have assisted them in their compliance efforts.
The depth of our health care experience enables us to efficiently provide a full spectrum of HIPAA and HITECH compliance services. Nixon Peabody has experience assisting a wide variety of health care clients with HIPAA, HITECH, and related engagements, including gap analysis, compliance plans, general privacy and security assessment, remediation efforts, and breach notification compliance. We help clients develop cost-sensitive implementation plans that meet their organizations’ needs and the regulatory timetables.
Specific HIPAA and HITECH services include:
- Executive briefings and training seminars on HIPAA and HITECH’s requirements and compliance issues
- Counseling concerning the interpretation, application, and implementation of HIPAA and HITECH within client organizations
- Development of privacy, security, and HIPAA-compliant policies and procedures
- Development of HIPAA and HITECH compliance documents
- Reviewing existing business arrangements with third parties to determine the need for, and revision of, Business Associate Agreements
- Litigation avoidance planning, including drafting appropriate policies for HIPAA and HITECH’s criminal and civil penalties and self-reporting obligations
- Litigation strategies under HIPAA, HITECH, state privacy laws, and state tort and contract law, including assisting clients to work out practical resolutions of privacy-related disputes
Our in-depth understanding of the regulatory framework for HIPAA and HITECH enables us to strategically structure transactions and modify operations to minimize the risk of regulatory challenges.