In The News

Anne Sumpter Arney Talked about the Latest in HIPAA/HITECH Compliance at the Equal Justice University

Bone McAllester Norton attorney Anne Sumpter Arney participated in the Class of 2013 Equal Justice University on Wednesday, Oct. 9. Her presentation “HIPAA/HITECH Compliance” addressed what healthcare practices need to know about the latest developments in these two areas. She covered the basics of HIPAA and HITECH, how these two acts apply to clients, how they impact practices and new regulations on the horizon, as well as the Privacy and Security Rules. Attendees left with a summary of these changes and the knowledge of what is needed to ensure compliance.

Anne is the leader of the firm’s Healthcare Law attorneys and has a broad range of experience in assisting clients with their regulatory, operational, transactional and litigation matters.


Bone McAllester Norton PLLC is a full-service law firm with 36 attorneys and offices in Nashville and Sumner County, Tennessee. Our attorneys focus on 17 distinct practice areas, providing the wide range of legal services ordinarily required by established and growing businesses and entrepreneurs. Among our practices, we represent clients in business and capital formation, mergers and acquisitions, securities matters, commercial lending and creditors’ rights, commercial real estate and development, governmental regulatory matters, commercial litigation and dispute resolution, intellectual property strategy and enforcement, entertainment and environmental matters. Our client base reflects the firm’s deep understanding and coverage of today’s leading industry and business segments. For more information, visit

September 23 HIPAA Omnibus Final Rule Compliance Date Nears

By Anne Sumpter Arney

Earlier this year, the government published the final regulations (the “Final Rule”) implementing modifications of the rules under the Health Insurance Portability and Accountability Act (HIPAA) and provisions which were enacted in the Health Information Technology for Economic and Clinical Health Act (HITECH). With the September 23 Final Rule compliance date looming, medical professionals and institutions need to ensure they understand the modifications to their HIPAA obligations and take all necessary steps to review and update their compliance. The following areas are among those that have been modified by the Final Rule: the definition of business associate; the required terms in the business associate agreement; a patient’s right to access his protected health information (PHI); a patient’s right to restrict disclosures of PHI; the rules governing security breach notifications; required information in the notice of privacy practices; the disclosure and use of PHI in marketing, sales or fundraising activities; and enforcement.

The Final Rule expands the definition of business associate. A business associate now also includes personal health record vendors, patient safety organizations and certain subcontractors of a business associate and others who maintain and store PHI. The Final Rule also requires some modification of business associate agreements to include additional obligations.

The Final Rule expands individual rights in several important ways. Patients can now request their medical records in electronic format, which must be produced electronically within 30 days, if the records are readily producible. There are also new rights for a patient to restrict certain disclosures of PHI to a health plan where the individual, a family member or other person pays out of pocket in full for the healthcare service or item. The Final Rule also changes how PHI can be used and disclosed for marketing and fundraising purposes and now explicitly prohibits the sale of PHI without an authorization.

The rules governing breach notification obligations have been amended. Under the Final Rule, any unauthorized access, use or disclosure is now presumed to be a breach unless the covered entity determines there is a low probability the PHI has been compromised. The standard used for risk assessment has been changed from a risk-of-harm standard to a risk-of-compromise standard. There are four specific factors that must be considered in making the risk assessment. Further, the limited data set exception has been abolished by the Final Rule.

In the area of enforcement, the Final Rule increases penalties for noncompliance based on a tiered level of negligence for violations occurring after February 18, 2009. The maximum potential penalty is $1.5 million per violation.

The Notice of Privacy Practices must be updated to reflect the changes in the Final Rule, including those related to breach notification, disclosures and marketing of PHI.

Although several of the changes required by September 23 have been briefly summarized here, this is just an overview of the Final Rule and should not be relied upon except as a reminder to review and update your compliance obligations under HIPAA. For assistance in implementing these changes or for additional information on how these changes may affect your practice, please contact one of the attorneys in the Healthcare Practice Group at Bone McAllester Norton.