Health care plans, providers, and vendors need to act quickly if they suspect a breach of unsecured Protected Health Information (PHI) within their organization. On February 22, 2010, the Department of Health and Human Services began imposing sanctions for failure to provide required breach notifications.

HITECH (the Health Information Technology for Economic and Clinical Health Act) sets forth breach notification obligations for health care plans, health care providers, and vendors that are subject to HIPAA. Previously, they had no such obligations. Now, as soon as they become aware of a potential breach, they must promptly initiate an internal investigation. A single notification violation can carry a fine of $10,000 to $50,000. To read earlier alerts on this topic, please visit

Internal investigations are burdensome and present particular challenges. They can disrupt a workplace and carry the risk of damaging the reputations of innocent personnel as well as of the organization itself. Investigations must therefore be thorough but, because the notification clock starts running at discovery of the breach (notice is due without unreasonable delay and no later than 60 calendar days after discovery), they must also be completed quickly. They also must appear credible to regulators and enforcement officials. That is why many companies solicit independent assistance in conducting them.

Ballard Spahr's interdisciplinary team, led by a former federal health care prosecutor, has already performed several significant internal investigations of potential PHI breaches for clients and has advised clients in responding to governmental inquiries and investigations. Once a breach is suspected, we can assist in determining whether a breach has in fact occurred, whether it is subject to the HITECH rules, and, if so, which notifications are required. With increased government scrutiny of PHI, health care plans, providers, and vendors cannot delay in implementing the policies and procedures that bring about HITECH compliance.