HIPAA Alert: Rule Changes and Deadline


On January 17, a final, 563-page Health Insurance Portability and Accountability Act rule was released by the Department of Health and Human Services Office of Civil Rights to strengthen HIPAA’s security and privacy protections. The final rule makes sweeping changes to HIPAA’s data security and breach requirements that will have widespread effects on covered entities, business associates and subcontractors of business associates.

The rule becomes effective March 26, 2013, and compliance is required by September 23, 2013. Covered entities, business associates and subcontractors of business associates should conduct a critical reassessment of their data security and privacy policies as soon as possible.

Some of the major changes to the HIPAA rules include the following:

  • Holds business associates directly liable for compliance with certain HIPAA privacy and security rule requirements
  • Changes the definition of business associate to include subcontractors that create, receive, maintain, or transmit Protected Health Information on behalf of business associates. Subcontractors for business associates have the same compliance obligations, regardless of how far “downstream” the services they provide are from the covered entity
  • Changes the definition of breach to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI was compromised
  • Requires covered entities and business associates to consider four factors when determining whether a breach must be reported: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated
  • Requires covered entities to protect decedents’ PHI in accordance with the privacy rule for 50 years following the date of death
  • With few exceptions, prohibits the sale of PHI without an individual’s authorization
  • Maintains a tiered system of civil penalty amounts based on increasing levels of culpability. The final rule retains a $1.5 million civil monetary penalty cap

Bernstein Shur’s Health Care Practice Group and Data Security Team are actively engaged in analyzing the final rule and advising clients about the implications. For more information, contact Travis Brennan at 207 228-7146 or Tbrennan@bernsteinshur.com.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bernstein Shur | Attorney Advertising
