Health care plans, providers, and vendors need to act quickly if they suspect a breach of unsecured Protected Health Information (PHI) within their organization. On February 22, 2010, the Department of Health and Human Services began enforcing sanctions for failure to provide breach notifications.

HITECH (Health Information Technology for Economic and Clinical Health Act) sets forth obligations regarding breach notification for health care plans, health care providers, and vendors that are subject to HIPAA. Previously, they had no such obligations. Now, with any awareness of a potential breach, they must promptly initiate an internal investigation. A single notification violation can carry a fine of from $10,000 to $50,000. To read earlier alerts on this topic, please visit

Internal investigations are burdensome and present particular challenges. They can disrupt a workplace and carry the risk of damaging reputations of innocent personnel as well as the organization itself. Therefore, investigations must be thorough but, because of reporting requirements, done quickly. They also must appear credible to regulators and enforcement officials. That is why many companies solicit independent assistance in conducting them.

Ballard Spahr's interdisciplinary team, led by a former federal health care prosecutor, has already performed several significant internal investigations of potential PHI breaches for clients and advised clients in their responses to governmental inquiries and investigations. Once a breach is suspected, we can assist in determining whether there has been a breach, whether it is subject to HITECH rules, and, if so, the types of notifications required. With increased government scrutiny regarding PHI, health care plans, providers, and vendors cannot delay in implementing policies and procedures that bring about HITECH compliance. If you need assistance in updating your compliance program or have questions about possible breaches, do not hesitate to contact Jean C. Hemphill at 215.864.8539 or, or Beth Moskow-Schnoll at 302.252.4447 or

Copyright © 2010 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.