The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) governs the management of protected health information (“PHI”) by covered entities (e.g., health care providers) and their business associates. However, the Health Information Technology for Economic and Clinical Health Act (“HITECH”), contained within the American Recovery and Reinvestment Act of 2009, drastically alters the scope of HIPAA regulations with regard to business associates, including law firms that routinely handle the PHI governed by HIPAA. Under the HITECH Act, the definition of “business associate” is expanded, and these entities are treated as “covered” for purposes of the HIPAA security regulations; this increased regulatory burden has important implications for the management of PHI at law firms and the practice of health care law as a whole. This article details the development of the HIPAA privacy and security regulations applicable to covered entities and business associates in the wake of the HITECH Act, with a focus on the updated regulatory scheme and its impact on law firms, especially those that deal with substantial amounts of PHI in the ordinary course of business. Beyond the development and content of the current HIPAA regulations that impact law firms, this piece addresses the practice implications of these regulations and proposes recommendations for cost-effective and careful handling of PHI from the perspective of business associates and regulators alike.

Publication Date

Spring 2010


Co-authored with Megan Bradshaw.