Poyner Spruill Welcomes Education Law Practice Group


In This Issue

BRACE FOR IMPACT: Final HITECH Rules Will Require Substantially More Breach Reporting – The U.S. Department of Health and Human Services (HHS) has finally issued its omnibus HITECH Rules. Our firm will issue a comprehensive summary of the rules shortly (sign up here), but of immediate import is the change to the breach reporting harm threshold. The modification will make it much more difficult for covered entities and business associates to justify a decision not to notify when an incident occurs.

HIPAA Risk Analysis – HIPAA relies heavily on risk analysis in multiple contexts. For example, risk analysis has a major role in the Breach Notification Rule under the new regulations issued by the U.S. Department of Health and Human Services on January 25, 2013. This alert explains how risk analysis fits into the Security Rule.
Correction
In an interesting turn of events, as part of its omnibus final HIPAA/HITECH rule issuance, HHS has provided guidance that permits HIPAA covered entities and business associates to send unencrypted email containing PHI to patients if they first “notify the individual that there may be some level of risk that the information in the email could be read by a third party.” Read more about it on pg. 5,634 of the rule’s preamble (www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf).

Obviously, it would be a good idea to document that the warning was given and acknowledged by the patient. In any case, the guidance means our recent article on this topic is now inaccurate. In that article, we advised that the HIPAA Security Rule would require a documented risk assessment to support use of unencrypted email, including email sent to patients. Our analysis stands with respect to email generally, but HHS has now created a “carve out” for emails sent to patients, provided the patient is warned of the risk.
In our defense, this advice from the agency does circumvent a key provision of the HIPAA Security Rule and so is a bit unexpected. Not that we’re complaining! Anytime a federal agency wants to create a common-sense exception to cumbersome regulation, that’s fine with us!

Changes to Your Facility’s Corporate Structure – Required Notices to Government Agencies – Thinking of selling your facility, or of changing your corporate entity from a partnership to a limited liability company, bringing in a new management company, or adding a new partner to your current partnership structure? Each of these changes — and many other types of changes to your facility’s corporate or ownership structure — requires various types of notices and/or approvals from multiple government regulatory and payor agencies.

Ken’s Quote of the Month
“A fellow can’t keep people from having a bad opinion of him, but he can keep them from being right about it.” ~ Anonymous
