Don't Delay! What your business needs to know about expanded HIPAA requirements
Posted in General

Benjamin Franklin is credited with saying, “An ounce of prevention is worth a pound of cure.” This sage advice has never rung more true than it does in the context of the recent changes to the Health Insurance Portability and Accountability Act. On Jan. 25, the Office for Civil Rights (OCR) of the Department of Health and Human Services issued the final rule amending the HIPAA privacy, security, enforcement and breach notification requirements, signaling the most expansive change to HIPAA in more than a decade. The final rule notes that compliance with these requirements should be in place by September 2013.

These greatly expanded regulations, coupled with an increase in data breaches being seen across all industries, are calling attention to possible compliance issues with HIPAA. Furthermore, OCR’s increased auditing and enforcement regimen is creating a new “norm” for health care entities and the businesses those entities rely on for certain services involving protected health information.

The time for “prevention” is now - health care providers and their business associates need to review their compliance policies to avoid potential civil and even criminal penalties provided for in the final rule.

Summary of the major changes

When the OCR issued the Proposed Rule on July 14, 2010, a final rule was expected within a few months following. Instead, 2 1/2 years of regulatory uncertainty followed. The publication of the final rule now establishes the OCR’s positions on changes to the privacy, security, enforcement and breach notification requirements.

  • Notice of privacy practices

Several of the changes under the final rule require that health care providers, health plans, and others meeting the definition of “covered entity” under the HIPAA regulations review, revise, and redistribute their Notice of Privacy Practices (NPP). The NPP must reflect certain situations where authorizations to use or disclose personal health information are needed, particularly in the case of psychotherapy notes, marketing and sales of personal health information.

The NPP must also include a notice regarding a patient’s right to opt-out of certain fundraising and a right to prevent certain information from being shared with the patient’s health plan when the patient pays out of pocket. Finally, the NPP must inform patients of the covered entity’s breach notification requirements. Once the NPP has been updated to include this information, a covered entity must then redistribute its NPP and post the revised NPP on its website.

  • Business associates and subcontractors

In what can be described as a large expansion of the application of the HIPAA regulations beyond the health care industry, and what is likely to be viewed as the most challenging to comply with, the final rule confirmed the expansion of HIPAA's regulatory authority to all business associates and their subcontractors.

Under this expanded role, HIPAA’s reach will extend well beyond traditional health care providers and health plans. Any business that works with health care providers, ranging from law firms, to accountants, to data processing businesses, to electronic health record providers, is now directly responsible under HIPAA for the implementation of privacy and security measures to protect personal health information. And, like a snowball gathering snow and growing as it rolls downhill, each of these businesses must then require any of its subcontractors to also comply with the various privacy and security rules applicable to business associates.

The final rule notes that compliance with these requirements, including revised Business Associate Agreements, should be in place by September 2013.

  • Breach notification requirements

The final rule also changes the risk analysis requirements for determining when a breach has occurred. Previously, a risk of harm threshold was considered in determining whether a breach had occurred. The OCR’s changes in the final rule create almost a presumption of a “breach,” which will seemingly make it more likely that a business will be required to notify those individuals whose personal health information has been affected, HHS and possibly the media.

In addition to the changes already noted, the final rule made various changes to the research authorization, marketing, fundraising and sale of personal health information requirements. Expansion of the “minimum necessary” standard to business associates was included in the final rule, and new enforcement efforts and increased civil penalties were also in the final rule.

The final rule signals the largest expansion of the HIPAA privacy, security, enforcement and breach notification efforts in at least a decade. Not only do traditional health care providers need to review and implement a variety of changes, but any entity that works with a health care provider or a business associate of a health care provider must now determine whether these changes will also affect their business relationships. The time to make these determinations and adapt to this regulatory framework is now.

  • Increased enforcement and penalties

With the double whammy of an increase in enforcement of the HIPAA regulations and the statutorily-mandated increases in the civil monetary penalties authorized under the rules, covered entities and their business associates must now take action to make sure they are in compliance with the HIPAA regulations. The past two years have shown evidence of the OCR’s intent to increase auditing and enforcement efforts, not just at large health care entities, but also at very small health care providers – and soon, business associates and their subcontractors.

Thus, we return to the wise words of Benjamin Franklin: “You may delay, but time will not, and lost time is never found again.” Compliance with OCR’s new mandates will take concerted effort across organizations, and with the compliance period so brief, time is of the essence.

DISCLOSURE REQUIRED BY CIRCULAR 230. This Disclosure may be required by Circular 230 issued by the Department of Treasury and the Internal Revenue Service. If this article, including any attachments, contains any federal tax advice, such advice is not intended or written by the practitioner to be used, and it may not be used by any taxpayer, for the purpose of avoiding penalties that may be imposed on the taxpayer. Furthermore, any federal tax advice herein (including any attachment hereto) may not be used or referred to in promoting, marketing or recommending a transaction or arrangement to another party. Further information concerning this disclosure, and the reasons for such disclosure, may be obtained upon request from the author of this article. Thank you.

  • Partner

    Alan is a published commentator and attorney who concentrates his practice in health care, estate planning, employee benefits and real estate law. He regularly provides advice regarding business, corporate and regulatory ...

  • Partner

    With national, broad-based experience in a variety of industries, Dan focuses his practice on complex business and financial transactions including middle-market mergers and acquisitions, capital formation, debt financing ...
