Patricia O'Connell
Senior Communications Manager

Wiley Rein’s Kirk Nahra Discusses Strategies for New HIPAA Rules

Report on Patient Privacy
January 8, 2013

Kirk J. Nahra, the chair of the firm’s Privacy Practice, was quoted extensively in an article in the Report on Patient Privacy’s January 2013 issue about the importance of planning ahead before new privacy and security regulations related to the Health Insurance Portability and Accountability Act (HIPAA) are implemented.

The U.S. Department of Health and Human Services (HHS) is expected to announce new regulations this year based on the Health Information Technology for Economic and Clinical Health Act (HITECH Act), legislation that passed in 2009 but has yet to take effect. The new rules will modify and expand existing privacy and security requirements throughout the health care industry.

The article identifies 13 different tasks contractors and service providers should be focusing on now to be a step ahead of the new rules. They range from a general security risk analysis to testing for weaknesses in specific technologies, including mobile phones and cloud-based services.

Mr. Nahra stressed the importance of updating and re-evaluating security assessments. "Focus on new business or new ways of doing old business," advised Mr. Nahra. Another important step, Mr. Nahra noted, is having a contingency scenario should a privacy or security breach occur. "Make sure that your people know where to go quickly if there is any kind of potential incident," he said in the article. "So many 'potential' risks can be mitigated effectively by quick action."

A key area of focus now involves "business associates," service providers to the health care industry who will face new obligations under the final rules. Business associates need to "address all appropriate activities and deal with some of the areas of risk," Mr. Nahra said. Covered entities also need to make sure that business associate activities are reviewed, as "their decisions may not be the same as yours" in risky areas like the use of cloud-based services.