The Wagner Law Group, A Professional Corporation, is a nationally recognized ERISA & employee benefits, estate planning, employment, labor & human resources practice. 


Established in 1996, The Wagner Law Group has 22 attorneys engaged exclusively in employee benefits, estate planning and employment law. Five of our attorneys are AV rated by Martindale-Hubbell as having very high to preeminent legal abilities and ethical standards. The firm is among the largest ERISA boutiques in the country. Our practice is national in scope, with clients in more than 40 states and several foreign countries.



Contact Info

The Wagner Law Group
Integrity | Excellence

Massachusetts Office
Tel: (617) 357-5200
Fax: (617) 357-5250
99 Summer Street
13th Floor
Boston, MA 02110

Florida Office
Tel: (561) 293-3590
Fax: (561) 293-3591
7121 Fairway Drive
Suite 203
Palm Beach Gardens, FL 33418

San Francisco Office
Tel: (415) 625-0002
Fax: (415) 829-4385
315 Montgomery Street
Suite 902
San Francisco, CA 94104





January 31, 2013

State and Federal Law Alert


HHS Issues Final Regulations Implementing Provisions of the HITECH Act 


HHS has released final regulations implementing many provisions of the Health Insurance Technology for Economic and Clinical Health Act ("HITECH"). In particular, the final regulations modify the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under HITECH and create numerous new compliance obligations for covered entities, including health plans and their business associates. This Alert summarizes some of the key changes made by the final regulations that directly impact health plans and their business associates.


New Content and Distribution Requirements for Notice of Privacy Practices. Health plans must currently maintain and distribute a Notice of Privacy Practices. The Notice describes the plan's permitted uses and disclosures, privacy practices, and legal duties regarding protected health information ("PHI"). The final regulations require plans to revise their Notices to include the following:

  • A statement that certain PHI disclosures (i.e., disclosures involving psychotherapy notes, disclosures of PHI for marketing purposes, disclosures that constitute a sale of PHI, and disclosures other than those listed in the Notice) require an individual's prior authorization and that such authorization may be revoked.
  • If the plan intends to contact an individual for fundraising purposes, a statement of such intent and the individual's right to opt out of receiving fundraising communications.
  • If the plan intends to use or disclose PHI for underwriting purposes, a statement that the plan is prohibited from providing genetic information about an individual for such underwriting purposes.
  • A statement informing individuals of their right to be notified following a breach of unsecured PHI.  

The final regulations provide that the inclusion of these required statements creates a material change to the Notice, thereby requiring plans to notify individuals of the changes. The final regulations provide health plans with the following methods for distributing this information:

  • For a health plan that currently posts its Notice on a website, the regulations require the health plan to: (1) prominently post the changes on the website by the effective date of the change; and (2) provide a copy of the revised Notice, or information about the changes and how to request a copy of the revised Notice, in the plan's next annual mailing.
  • For a health plan that does not currently post the Notice on a website, the regulations require the plan to provide a copy of the revised Notice, or information about the changes and how to request a copy of the revised Notice, within 60 days of the changes. 

Definition of Business Associate. HIPAA allows a health plan to disclose PHI to its business associates if both parties meet certain requirements, including the execution of a Business Associate Agreement ("BAA"). The final regulations change the definition of business associate to include subcontractors of business associates. As a result, business associates must now execute BAAs with any subcontractors that create, receive or maintain PHI on behalf of the business associate.


Business Associate Agreements. Health plans and business associates must revise their current BAAs to incorporate certain new requirements specified in the final regulations. For example, BAAs must now provide that:

  • The business associate will not only report any security incidents of which it becomes aware, but also any breaches of unsecured PHI; and
  • If the health plan delegates any of its Privacy Rule obligations, the business associate will comply with the Privacy Rule when performing those obligations. 

Expansion of Individual Rights. The Privacy Rule allows an individual to request that the health plan restrict both the use and disclosure of PHI for treatment, payment and health care operations. Previously, plans were generally not required to accommodate an individual's request to restrict PHI disclosures. The final regulations now require plans to agree to an individual's request to restrict PHI disclosure if: (1) the disclosure is for the purpose of payment or health care operations; (2) the disclosure is not required by law; and (3) the PHI relates only to a health care item or service that has already been paid in full by a source other than the plan.


The Privacy Rule generally permits individuals to request access to their PHI. Within 30 days after receiving such a request, plans must either grant such access or provide a written explanation of why access is being denied. Previously, plans that did not maintain PHI on-site had 60 days to respond to such requests. The final regulations require plans to respond within the 30-day period. In addition, if a plan maintains the PHI in electronic form and an individual requests an electronic copy, the plan must provide the PHI in the form and format requested by the individual if it is readily producible in that form and format. If the PHI is not readily producible in the requested form and format, the plan must provide the PHI in a readable electronic form and format that is acceptable to the individual. Finally, if an individual requests in writing that the plan provide his or her PHI directly to another person, the plan must comply with the request if it is signed by the individual and identifies the designated individual and where to send the PHI.    


Breach Notification. HITECH requires plans to provide notification to affected individuals, HHS and, in some cases, the media following the discovery of a breach of unsecured PHI. The final regulations make the following changes regarding breach notifications:

  • "Breach" is now defined so that an impermissible use or disclosure of PHI is presumed to be a breach, unless the plan or business associate demonstrates that there is a low probability that PHI has actually been compromised.
  • The risk assessment to determine if breach notification is required now focuses on the probability of whether the PHI has been compromised instead of the risk of harm posed by the breach. If the plan or business associate can demonstrate that there is a low probability that PHI has been compromised, breach notification is not required. (Under the proposed regulations, breach notification was not required if a plan or business associate could demonstrate that the breach presented no risk of significant harm to individuals.)
  • Risk assessments must evaluate: (1) the nature and extent of PHI involved; (2) the unauthorized person who used PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been mitigated.  

Compliance Date. The official effective date of the final regulations is March 26, 2013. However, health plans and their business associates have until September 23, 2013, to comply with applicable provisions. Existing BAAs may remain in effect without revision until either the contract is up for renewal or until September 23, 2014, whichever is earlier.


Action Steps for Health Plans. In response to the final regulations, health plans should promptly:

  • Review their HIPAA policies and procedures and revise them as necessary to ensure compliance by the applicable date.
  • Review and revise Privacy Notices to ensure that they accurately describe their policies and procedures regarding privacy practices, including any required changes made by the final regulations.
  • Review BAAs to determine the required revision date.
  • Develop strategies to train front-line staff on implementing the required changes.
  • Review HIPAA training and education materials and update as required.


This Newsletter is protected by copyright. Material appearing herein may be reproduced with appropriate credit.


Pursuant to Internal Revenue Service Circular 230, we hereby inform you that any advice set forth herein with respect to US federal tax issues is not intended or written by The Wagner Law Group to be used and cannot be used, by you or any taxpayer, for the purpose of avoiding penalties that may be imposed on you or any other person under the Internal Revenue Code.


This Newsletter is provided for information purposes by The Wagner Law Group to clients and others who may be interested in the subject matter, and may not be relied upon as specific legal advice. This material is not to be construed as legal advice or legal opinions on specific facts. Under the Rules of the Supreme Judicial Court of Massachusetts, this material may be considered advertising.