References for: "Practical Suggestions for Law Firm Compliance with HIPAA" by Dayna C. Nicholson, Senior Associate, Pepper Hamilton LLP
From CMCP's eNewsletter - December Issue - 2013

i. Pub.L. 104-191.
ii. 42 U.S.C. § 1320d-6.
iii. 42 U.S.C. § 1320d-5.
iv. 45 C.F.R. § 160.402(c).
v. 45 C.F.R. § 160.103.
vi. 45 C.F.R. §§ 160-164.
vii. Due to the Health Information Technology for Economic and Clinical Health Act, enacted under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub.L. 111–5).
viii. 45 C.F.R. § 160.402(c).
ix. Except for certain pre-existing Business Associate Agreements, which must be brought into compliance by September 23, 2014.  78 FR 5565, et seq., 45 C.F.R. §§ 160.150, 164.532(e).
x. 45 C.F.R. §§ 164.308(a)(ii)(2), 164.530(a)(1).
xi. 45 C.F.R. § 164.308(a)(1)(ii)(A).
xii. A discussion of what constitutes a “breach” under HIPAA is beyond the scope of this article.  The Privacy & Security Officer should be well-versed in this definition.
xiii. 45 C.F.R. § 164.410.
xiv. 45 C.F.R. §§ 164.308(a)(5)(i) and 164.530(b).