HIPAA Privacy and Security Mandates and New Breach Notification Guidance

Preparing for Tougher Enforcement and Increased Penalties

HHS issued HIPAA data breach notification guidance on Aug 19

Recording of a 90-minute CLE webinar with Q&A


Conducted on Wednesday, November 18, 2009

Recorded event now available


This seminar will review the key changes that the American Recovery and Reinvestment Act of 2009 made to HIPAA privacy and security rules, explain the recently issued breach notification guidance, and provide compliance best practices for providers and their business associates.


The American Recovery and Reinvestment Act of 2009 dramatically expanded the scope of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules. The Act requires operational changes for all healthcare providers, health plans and their business associates.

In August, the Department of Health and Human Services issued an interim final rule that clarifies the breach reporting obligations for covered entities and their business associates. The rule provides more guidance on the meaning of secured and unsecured protected health information.

The HIPAA changes increase penalties for various violations and significantly expand the other remedial actions available for HIPAA noncompliance. To ensure compliance, healthcare providers should update their HIPAA policies, audit their privacy and security practices and train their staff.

Listen as our panel of health law attorneys reviews the new changes to HIPAA privacy and security rules and their implications and provides best practices for compliance.



  1. Key changes made to HIPAA
    1. Business associates now covered
    2. Minimum necessary
    3. Changes to accounting of disclosures
    4. Restrictions on sales of EHRs or PHI
    5. Marketing and fundraising
    6. Business associate contracts
    7. Enforcement (including state attorney general and expanded penalties)
  2. Security breach notification provisions
    1. Definition of Breach
    2. Unsecured v. Secured PHI
    3. Notification to individuals
    4. Notification to the media
    5. Notification to HHS
    6. Notification by Business Associates
  3. Best practices for covered entities and business associates


The panel will review these and other key questions:

  • How does the American Recovery and Reinvestment Act of 2009 expand HIPAA's privacy and security safeguards?
  • How does the breach notification requirement of the new Act compare to most states' breach notification laws?
  • What authority do state attorneys general now have to enforce HIPAA provisions?
  • What rights do individuals now have with respect to protected health information?


Stephen W. Bernstein

McDermott Will & Emery

He chairs the firm's HIPAA Practice Group. He specializes in e-health, deployment of electronic health record...

Gina M. Kastel

Faegre & Benson

She has a broad range of health law experience, including advising healthcare providers regarding information privacy...

Access Anytime, Anywhere

Strafford will process CLE credit for one person on each recording. All formats include course handouts.
